What follows is a guest post from Chris Bronk, Information Technology Policy Fellow at Rice University’s Baker Institute for Public Policy. He’s a new member of USACM, but the post reflects only his thoughts on the Cybersecurity Act of 2012, and not necessarily those of USACM.
Digesting the New Senate Cybersecurity Legislation
by Chris Bronk
Senators Joe Lieberman, Susan Collins, Jay Rockefeller, and Diane Feinstein introduced another cybersecurity bill in the U.S. Senate on February 14. “The Cybersecurity Act of 2012,” or S.2105, is yet another attempt by the Senate to bring to a vote a major piece of bipartisan legislation on information and communications security. There have been several efforts to produce new law on this front, but debate has often mired on serious sticking points. The “Internet kill switch,” where the President would have the authority to close off the Internet, standing as perhaps the most rhetorically threatening of them. There is no kill switch in S.2105.
Within S.2105, a broad set of issues was considered of interest to the federal government, the IT industry, and the operators of critical infrastructure. The bill lays out some pragmatic planks for determining responsibilities beyond the federal government, further bulking up national cyber security capabilities, and offering a roadmap for regulation of cyber security responsibility.
Significantly, S.2105 emphasizes the Secretary of the Department of Homeland Security (DHS) as the lead official on cybersecurity matters, with the usual exceptions for agencies in the Department of Defense and Intelligence Community. DHS has gradually grown a capability in cybersecurity, and S.2105 would expand it, combining the functions of DHS’s National Cyber National Cyber Security Division, the Office of Emergency Communications, and the National Communications System into a single National Center for Cybersecurity and Communications. Presumably, this new center would operate in a manner similar to the Office of the Director of National Intelligence’s inter-agency function-specific centers, such as the National Counter Terrorism Center.
Beyond the national center, S.2105 addresses another issue of great importance, the vulnerability of critical infrastructure – in both the public and private sectors – to cyber attack. The legislation lays out a process for designating critical infrastructure, assessing risks to it and “promulgat[ing] regulations to enhance the security of covered critical infrastructure against cyber risks.” This component will no doubt attract scrutiny as it assigns responsibilities and assesses liability – and the limitations thereof – with regard to the cybersecurity of critical infrastructure. (S.2105 also lays out standards on criticality, having to do with loss of life, service interruption, and severe economic damage among others).
Other elements of the bill consider the expanded staffing needs and the peculiarities of clearing non-government employees to handle sensitive or classified information. It also considers cybersecurity information sharing issues, reform of the Federal Information Security Management Act (FISMA), and education and R&D initiatives.
This bill may be able to clear previous obstacles and deliver to the President and the Department of Homeland Security the necessary authorities to move beyond piecemeal efforts in cyber security remedy and coordination. The Senate Homeland Security and Governmental Affairs Committee has already held a hearing on the bill, so there is interest in getting this legislation to a Senate vote sooner rather than later.