Comprehensive Bill To Secure Fed And Critical Private Sector Cyber Systems
February 14, 2012
Essential Life Services At Stake
WASHINGTON – To guard against the nation’s increasing vulnerability to cyber attack, a group of Senate Committee leaders introduced bipartisan legislation Tuesday to secure the cyber systems of the essential services that keep our nation running.
The Senators were Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Ranking Member Susan Collins, R-Maine, Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Select Intelligence Committee Chairman Dianne Feinstein, D-Ca.
The Cybersecurity Act of 2012, S. 2105, the product of three years' worth of hearings, consultations, and negotiations, envisions a public-private partnership to secure those systems which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.
“This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles,” Lieberman said. “The nation responded after 9/11 to improve its security. Now we must respond to this challenge so that a cyber 9/11 attack on America never happens.”
Rockefeller said: “I can’t think of a more urgent issue facing this country. Hackers are stealing information from Fortune 500 companies, breaking into the networks of our government and security agencies and toying with the networks that power our economy. The new frontier in the war against terrorists is being fought online and this bill will level the playing field. We can and will stop cyber criminals from getting the upper hand. This comprehensive legislation is an important step towards securing the Internet from cyber theft.”
Collins said: “Our nation’s vulnerability has already been demonstrated by the daily attempts by nation-states, cyber criminals, and hackers to penetrate our systems. The threat is not just to our national security, but also to our economic well-being. A Norton study last year calculated the cost of global cybercrime at $114 billion annually. When combined with the value of time victims lost due to cybercrime, this figure grows to $388 billion globally, which Norton described as ‘significantly more’ than the global black market in marijuana, cocaine and heroin combined. Our bill is needed to achieve the goal of improving the security of critical cyber systems and protecting our national and economic security.”
Feinstein said: “Alongside terrorism, cybersecurity is perhaps the number one threat facing our nation today, but many obstacles exist that prevent the cooperation and coordination needed to deter this growing threat. It’s past time that the government and the private sector join together to address the widespread and devastating effects that cyber intrusions are having on our country.”
The legislation reflects recommendations from companies and trade associations representing the information technology, financial services, telecommunications, chemical, and energy sectors, among others. National security, privacy and civil liberties experts also provided essential counsel. Majority Leader Harry Reid’s support was instrumental.
The Senators stressed that the Cybersecurity Act of 2012 in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act, which involved the piracy of copyrighted information on the internet. The Cybersecurity Act involves the security of systems that control the essential services that keep our nation running – for instance, power, water, and transportation.
To move the legislative process forward, the Senators have not included emergency authorities for the president, as previous bills did. The legislation also does not contain a special White House cybersecurity office.
Both the Homeland Security and Governmental Affairs and the Commerce Committees have held several hearings over the years on cybersecurity. In the 111th Congress, both Committees marked up and reported out cybersecurity legislation. In the 112th Congress, the two Committees merged their bills, refined and perfected them to produce new legislation.
The Cybersecurity Act of 2012 would require:
- The Department of Homeland Security to assess the risks and vulnerabilities of critical infrastructure systems - whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life - to determine which should be required to meet a set of risk-based security standards.
- Owners/operators who think their systems were wrongly designated would have the right to appeal.
- DHS to work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements, looking first to current standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met.
- The owners of a covered system to determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance.
- Current industry regulators to continue to oversee their industry sectors.
- Information-sharing between and among the private sector and the federal government to share threats, incidents, best practices, and fixes, while maintaining civil liberties and privacy.
- DHS to consolidate its cybersecurity programs into a unified office called the National Center for Cybersecurity and Communications.
- The government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.