Yes, yes, we’ve heard a lot about critical infrastructure protection, its importance to the nation’s security, and preventing a “Digital Pearl Harbor.” We need more information sharing between the public sector and the private sector, the analysts say. We also need more information sharing among private companies, hopefully without creating various kinds of liability—all for the sake of protecting our country’s critical infrastructure.
Sounds good, except for the fact that I first starting hearing a lot about the need for critical infrastructure protection ten years ago. And here we are in 2012, and we’re still saying how much we need better critical infrastructure protection. When will we finally have robust critical infrastructure protection legislation?
There is apparently some hope for legislation this year. A bipartisan group of senators introduced a new bill, S.2105, entitled the Cybersecurity Act of 2012, on February 14, 2012. I should actually say “tripartisan” given that the main sponsor is independent Senator Joseph Lieberman.
In any case, S.2015 recognizes the importance of protecting critical infrastructure. It would require the Department of Homeland Security (DHS) to conduct risk assessments to determine the greatest and most immediate threats to cybersecurity. DHS would consult various stakeholders in connection with these assessments.
In addition, and here’s the part that may affect large companies, the bill would authorize DHS to set security performance requirements. Businesses and entities covered would be those whose disruption could result a national security, economic, or safety disaster, i.e., entities that control critical infrastructure. The legislation purports to be flexible to permit covered entities to meet these performance requirements in the way that they see as appropriate.
Note: this legislation is not the same as federal breach notification legislation covering any entities holding personal information of various kinds. See my earlier post on breach notification legislation. I don’t think breach notification legislation is going anywhere this year. By contrast, this legislation covers only businesses and entities that control critical infrastructure, which will be a small subset of entities covered by general breach notification legislation.
Also, S.2015 seeks to amend the Federal Information Security Management Act (FISMA). The goal of the amendments would be to move agencies from simply trying to comply with FISMA, whether or not their efforts promoted real security, to a culture of security through continuous monitoring and risk assessment. OMB would develop security requirements and best practices for federal information technology contracts.
The bill further purports to establish a responsible framework for sharing information among federal agencies and the private sector in order to protect civil liberties. These provisions apparently address some of the criticism leveled at previous critical infrastructure protection bills. Other provisions would clarify the role of federal agencies in addressing cyber threats, change hiring and training practices, and coordinate cybersecurity research and development.
Even though we have heard a lot about critical infrastructure protection and proposed legislation over the years, 2012 may be the year in which the stars will align to actually permit the legislature to pass a bill acceptable to the administration. The steady drumbeat of stories covering international cyber espionage, the vulnerability of systems, and continuing security breaches is creating momentum for the legislation. If the election year does not prove to be too great a distraction, we may finally see enacted critical infrastructure protection this session.
Partner, Cooke Kobrick & Wu LLP