After three years of hearings and negotiations, a group of Senate Committee leaders unveiled the Cybersecurity Act of 2012.
Under the new Cybersecurity Act, the Department of Homeland Security would assess the cyber-related risks and vulnerabilities of “critical infrastructure systems” to determine which should be required to meet a set of risk-based security standards. This would include those systems that, should they be disrupted, would cause mass death, evacuation or major damage to the economy and national security.
The Cybersecurity Act outlines several characteristics that stress it’s a public/private partnership, including:
- DHS would work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements.
- The owners of a covered system would themselves determine how best to meet the performance requirements and then verify that they were compliant.
- The private sector and the federal government would actively share information surrounding threats, incidents, best practices and fixes, “while maintaining civil liberties and privacy.”
The senators were definitely not working in a vacuum — they made a conscious effort to curb criticism that plagued previous online security measures. The senators stressed that the Cybersecurity Act of 2012 “in no way” resembles the Stop Online Piracy Act (SOPA) or the Protect Intellectual Property Act (PIPA), and instead focuses on the “essential services that keep our nation running.” The Senators also omitted emergency authorities for the president, likely because of the backlash around the Internet “kill switch” proposed in an earlier version of the Cybersecurity Act.
But despite efforts to distance it from previous online security legislation, the new Cybersecurity Act is already facing criticism — some of it very familiar.
Opponents — including the Financial Services Roundtable and the U.S. Chamber of Commerce — have decried the act’s provisions and say it would create yet another burdensome, costly regulatory compliance mandate. Others are still concerned about the potential privacy implications the Cybersecurity Act could create — likely a hangover from the lengthy debate surrounding SOPA and PIPA from earlier this year.
So will the Cybersecurity Act of 2012 strike the right balance between protecting data and not hurt the companies it’s designed to help? The debate will begin in earnest tomorrow, when the Homeland Security & Governmental Affairs Committee will hold its first hearing on the Cybersecurity Act. The hearing is likely to address these questions and more, as it begins the latest chapter in the ongoing cybersecurity debate.