Crossroads Blog | CYBER SECURITY LAW AND POLICY


Cybersecurity Legislation Roundup, Part Two

Ok, quick recap: yesterday Sens. Rockefeller, Lieberman, Collins, and Feinstein introduced the Cybersecurity Act of 2012 (CSA).  That is the Senate Democrats' version of cybersecurity legislation.  Thomas just posted the prepublication version of the bill here (in PDF): Download CYBER The Cybersecurity Act of 2012 final.

Take a look at this Crossroads blog post for a quick summary of the CSA.  In general, the CSA puts cybersecurity responsibility in DHS' hands and tasks DHS with determining which companies fall into the "critical infrastructure" category.  Once in that category, DHS will formulate cybersecurity regulations for those companies.

***

On Feb. 15th, 2012, Brendan Sasso reported for The Hill that Senate Majority Leader Harry Reid planned to bring the CSA straight to the Senate floor, "skipping any committee markups."

Well, on Feb. 16th, Jennifer Martinez reported for Politico that Senate Republicans (including the Minority Leader Mitch McConnell) want to slow down the CSA.  According to the article, Senate Republicans feel that the CSA is being rushed, and want to see the bill proceed through the normal course of committee hearings and markups.  Moreover, Senate Republicans are now reportedly writing their own cybersecurity bill.

I doubt we'll see quick passage.

***

The Senate held hearings on the CSA today (2/16). 

At the hearings, cyber-experts testified that the CSA should be stronger.

According to a Washington Post article, cyber-experts believe that the CSA has loopholes that would prevent the government from "forc[ing] critical industries to make their computer networks more secure."  In fact, companies could potentially stretch out the regulatory process by eight years or even avoid cybersecurity regulation entirely.

The CSA premises regulation upon a determination that a particular industry is critical infrastructure.  That determination depends upon whether a cyberattack on that industry could cause "an extraordinary number of fatalities" or a “severe degradation” of national security.

The WashPo article quoted Stewart Baker, author of Skating on Stilts, on the CSA: “So an individual infrastructure owner, such as a rural electricity provider, has no responsibility under this title if it can show that an undefended cyberattack would only cause an ordinary number of fatalities?  How many dead Americans is that, exactly?”

***

Another one of the CSA's controversies is its "carve out" provisions.  The relevant language from the proposal:

“The following commercial items shall not be designated as covered critical infrastructure:

(a) a commercial information technology product, including hardware and software; and

(b) any service provided in support of a product specified in subparagraph (a), including installation services, maintenance services, repair services, training services, and any other services provided in support of the product."

Paul Rosenzweig wrote a blog post for Lawfare on this carve out provision.  Returning to the issue in another Lawfare blog post, Mr. Rosenzweig asked several senior Democratic aides questions about the CSA.

According to those aides, the CSA doesn't necessarily "exclude" commercial information technology products.  Mr. Rosenzweig explained that the government does not want to regulate software and hardware; rather, the government wants to "set performance security standards" for companies like Microsoft and "then let industry and the market place figure out the best way to meet those standards."

Moreover, the CSA does NOT carve out an exception for backbone ISPs like Verizon, Comcast, and Sprint.

Mr. Rosenzweig had another post for Lawfare, quoting a senior Democratic aide who explained the relationship between the CSA and the backbone of the internet.

***

Jon Oltsik writes for NetworkWorld on why Congress should pass a cybersecurity bill now, politics be damned.
