Crossroads Blog | CYBER SECURITY LAW AND POLICY

Legislation

Cybersecurity Legislation Roundup

On Feb. 13th, 2012, Gautham Nagesh wrote for The Hill on the Senate's cybersecurity bill.  That bill should be available tomorrow.  Under the bill, DHS would determine which sectors of the economy will be subject to cybersecurity regulation.  However, according to the article, the bill may allow firms to "appeal whether new security regulations should apply to their sector."  The private sector has generally opposed the idea of strict cybersecurity regulations, favoring an incentive-based approach instead.  Senate Democrats may have designed this provision to appeal to those private sector concerns.  A firm could get out the regulations by showing DHS a "demonstrated ability to secure their systems." 

The Hill article also explained that DHS will likely regulate water treatment plants, transportation providers, and utilities.  After determining that an entity is subject to regulation, DHS will collaborate with the private sector on "cybersecurity performance requirements."  Moreover, the regulations are only intended for critical infrastructure that have not been appropriately secured; the bill will not focus on properly protected entities.

The article noted that the question of penalties for non-compliance remains unresolved.  Critical infrastructure owners could face "financial penalties or criminal liability for failing to secure their systems."

You can find The Hill source article here.

***

In a blog post for Lawfare, Paul Rosenzweig wrote on the Senate's cybersecurity bill.  It looks like Mr. Rosenzweig got a hold of a bootleg copy of the bill.  In analyzing its language, Mr. Rosenzweig is concerned about what he calls "the great cybersecurity carve out."  First, the waiver provision mentioned above could take away from the bill's effectiveness.  Moreover, the bill doesn't define "a commerical information technology product, including hardware and software" as critical infrastructure.  Mr. Rosenzweig argues that this means the "entire architercture of the Internet is excluded from regulation."  In essence, he believes the regulatory burden of the bill will fall on the financial industry and utilties; ISPs may be unaffected.  

Leave a Reply