A group of senators has introduced a revised version of a bipartisan, but largely Democratic-backed cyber security bill that members hope will enable information sharing while quelling privacy concerns.
The earlier version of the Cyber Security Act of 2012, introduced in February, tasked the U.S. Department of Homeland Security with regulatory oversight to assess the risks and vulnerabilities of critical infrastructure, such as the electric and nuclear power grid, water systems, and telephone and data communications systems, where a successful attack could have a massive public impact.
The latest proposal, which supporters want passed before the August recess, wouldn't force organizations to meet cyber security standards, but would instead incentivize them as part of a voluntary program under which they would have to prove they have met a series of security best practices. One of the co-sponsors, Sen. Joseph Lieberman, I-Conn., said the prior mark-up was stronger, but the new version will still lead to great strides in securing the nation's critical infrastructure.
"This compromise bill creates a public-private partnership to set cyber security standards for critical American infrastructure, and offers the reward of some immunity from liability to those who meet those standards," Lieberman said in a statement Thursday. "In other words, we are going to try carrots instead of sticks as we begin to improve our cyber defenses. This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cyber security."
The nonprofit Electronic Frontier Foundation (EFF), a staunch critic of the original version, said it was pleased with the privacy protections written into the current measure.
The EFF cited a number of concessions, including making data sharing with law enforcement mandatory only in specific and limited circumstances; preventing shared information from being used to prosecute crimes unrelated to computer offenses; and ensuring that information is shared with civilian government agencies, not entities like the National Security Agency.
But the EFF said the measure in its current form contains broad language that would let companies use security as a reason to engage in "nearly unlimited" data monitoring of users. The EFF said it wants the legislation to be more specific in certain areas.
In summary, the Cyber Security Act of 2012, which may be taken up as early as this week, would:
- Establish a multi-agency National Cybersecurity Council -- chaired by the Secretary of Homeland Security -- to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems.
- Allow private industry groups to develop and recommend to the council voluntary cyber security practices to mitigate identified cyber risks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
- Allow owners of critical infrastructure to participate in a voluntary cyber security program. Owners could join the program by showing either through self-certification or a third-party assessment that they are meeting the voluntary cyber security practices. Owners who join the program would be eligible for benefits including liability protections, expedited security clearances, and priority assistance on cyber issues.
- Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.
- Permit information sharing between the private sector and the federal government on threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users.
- Require designated critical infrastructure -- those systems which, if attacked, could cause catastrophic consequences -- to report significant cyber incidents.
- Require the government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
President Obama is encouraging Congress to pass the proposed bill, according to an op-ed that appeared in Friday's The Wall Street Journal.
"We need to make it easier for the government to share threat information so critical infrastructure companies are better prepared," Obama wrote. "We need to make it easier for these companies -- with reasonable liability protection -- to share data and information with government when they're attacked. And we need to make it easier for government, if asked, to help these companies prevent and recover from attacks."