The Cybersecurity Act of 2012 (the Act) was introduced on February 14, 2012, by Senators Joe Lieberman, Susan Collins, and Dianne Feinstein. The bill was the subject of a hearing on February 16th before the Senate Homeland Security and Governmental Affairs Committee.
The following is a summary of key elements of Title I of the Act, relating to critical infrastructure protection provisions. It may be of interest to owners and operators of such infrastructure who would be required to institute and certify cybersecurity measures in accordance with DHS regulations, and who may also be required to submit to government or third-party assessments.
“Covered” Critical Infrastructure
The Act would direct the Department of Homeland Security (DHS), working with other agencies and the private sector, to conduct sector-by-sector risk assessments of cybersecurity threats to critical infrastructure (as defined by the USA PATRIOT Act, 42 U.S.C. 5195c(e)). The Secretary of Homeland Security (Secretary) must then determine which critical infrastructure will be covered by the Act. As the Act is currently drafted, a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:
- The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
- Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
- Severe degradation of national security capabilities.
An owner of infrastructure designated as covered critical infrastructure may challenge the Secretary’s designation by petitioning the US District Court for the District of Columbia.
Covered Critical Infrastructure Subject to Risk-Based Cybersecurity Performance Requirements and Security Measures
Under the Act, the Secretary will develop risk-based cybersecurity performance requirements. Owners of covered critical infrastructure will be required to remediate or mitigate the identified cyber risks and their associated consequences.
Additionally, within one year of enactment, the Secretary must promulgate regulations to enhance security against cyber risks. These regulations must establish procedures for regularly informing covered infrastructure owners of cyber risk assessments, security threats, and the performance requirements appropriate to the owner’s sector. The regulations must also create procedures for owners to select and implement the cybersecurity measures that they determine are best suited to (i) satisfy the new performance requirements, (ii) develop continuity of operations and incident response plans, and (iii) report significant cyber incidents affecting covered critical infrastructure.
Owners will be obliged to annually certify their compliance with the performance requirements, or to submit to third-party assessments, unless an owner demonstrates (through a process to be developed by DHS) that the covered infrastructure is sufficiently secured, or that compliance with the Secretary’s performance requirements would not substantially improve the security of the infrastructure. Owners that fail to comply with the certification or assessment, or that fail to remediate violations, will be subject to civil penalties to be set forth by rule.
Finally, the Secretary must establish procedures by which DHS, in consultation with relevant agencies, may perform its own cybersecurity assessments of selected covered critical infrastructure. Selection for such an assessment may be based on the cyber risks affecting the information infrastructure of a specific network, reliable intelligence indicating a risk to the infrastructure, actual knowledge or reasonable suspicion that an owner is not in compliance with the performance requirements, or other risk-based factors the Secretary identifies in the regulations. Owners will be entitled to a copy of any federal assessment of their infrastructure.
Sectors Subject to Existing Regulation
The Act includes exemptions for sectors already adequately regulated under existing law. If covered critical infrastructure is currently subject to risk regulations, the Secretary may only promulgate new performance requirements if the Secretary determines that the existing regulations are inadequate. In addition, the President may exempt critical infrastructure from the new Title I requirements if the President determines that a sector-specific agency has sufficient requirements and enforcement mechanisms in place to effectively mitigate cyber risk.
Information Technology Products
The Act prohibits the Secretary from designating a commercial information technology product, including hardware or software, as “covered” under the Act. It also prohibits the Secretary from designating any information technology product or service as covered based solely on a finding that the product or service is being used in covered critical infrastructure.
The Act further provides that the performance requirements do not authorize any federal entity to regulate commercial information technology products or their design, development, or manufacture. Moreover, the performance requirements may not mandate the use or non-use of any particular commercial information technology product in covered critical infrastructure.
Trade Secret Protection
The bill includes measures aimed at protecting trade secrets and privileged or confidential commercial or financial information, provided the owner or operator appropriately identifies that information when submitting it. Such information shall be treated as voluntarily shared critical infrastructure information under section 214 of the Homeland Security Act (6 U.S.C. 133), notwithstanding that the owner or operator may not meet that section’s standards for a “voluntary” submission. The Secretary will also be required to develop guidelines for sharing that information, as necessary, among governmental and nongovernmental entities.
The Act protects the identity of individuals who report security threats, risks, and incidents affecting critical infrastructure to the Secretary.
Punitive Damages Safe Harbor
The Act provides a degree of civil liability protection to those subject to its provisions. An owner or operator that satisfies the performance requirements, successfully completes the annual certification or third-party assessment, and is in substantial compliance with the performance requirements at the time of an incident relating to a cyber risk will be shielded from punitive damages in any civil action relating to that incident. The safe harbor does not extend to additional damages caused by additional or intervening acts or omissions of the owner or operator, which remain subject to potential punitive liability.
State Law Preempted
The Act would supersede state law that expressly requires comparable cybersecurity practices to protect covered critical infrastructure.