The Cybersecurity Act of 2012 (S. 3414) moved one step closer to possible passage on Thursday when the United States Senate voted 84 to 11 to allow an open amendment process when the bill is taken up for floor debate, as early as next week. The bill still faces an uphill battle to passage in its present form, in the face of opposition to government regulatory intrusion from business groups and key technology companies, as well as a lack of support within the Republican-controlled House of Representatives. The Obama Administration, which has strongly advocated for new laws to impose defined cybersecurity standards on private business, says it will support passage of even the watered-down "opt-in" version of the bill approved for floor action yesterday. But the White House has suggested tweaks and warned against amendments weakening privacy.
The bill, which has been proposed in various forms for more than two years, would restructure and formalize the federal response to cyber threats and transform the legal basis for public–private partnership in this area. The bill has coalesced after intense bipartisan negotiations and heavy lobbying from private industry, interest groups, and policy advocates. Senate Homeland Security and Governmental Affairs Committee chairman Joseph Lieberman (I-CT) and Homeland Security ranking member Susan Collins (R-ME) are the lead sponsors of the bill. It has gained the support of the President and Senate Majority Leader Harry Reid (D-NV). Passage is far from certain and further amendments are likely, but now that the Senate has signed off on floor action and an open amendment process the prospect of a version of the law passing the full Senate this year is far more likely.
The bill has three major provisions:
1. First, the law would establish the National Cybersecurity Council (NCC), a federal interagency body that would conduct risk assessments to identify industries that should be categorized as "critical cyber infrastructure."
The bill requires the NCC to work with owners and operators of infrastructure when making such determinations, and calls for an appeals procedure for industries that wish to challenge their designations as critical infrastructure. Critical infrastructure is defined broadly and encompasses industries where a cyber attack could cause major disruptions to life-sustaining services (which includes energy and transportation), "catastrophic economic damage," or degradation of national security. This definition could foreseeably include entire sectors of the economy from communications and banking to logistics and retail.
2. Second, the bill would obligate the each category of critical cyber infrastructure to develop industry-specific cybersecurity practices, which would then be voluntarily implemented.
The existing sector coordinating councils (18 private sector-led organizations representing categories of critical infrastructure) would develop consensus-based standards for their respective industries and submit those standards for approval by the NCC. The law would require that the standards be technology neutral and that they be reviewed and updated triennially. The NCC would have authority to amend the proposals, which would then be voluntary baselines for critical infrastructure owners and operators. Some critical infrastructure sectors have been engaged in a very similar practice in recent years, though this bill will formalize and expand the process to other sectors. Although these cyber standards would not be mandatory, the NCC would have authority to require critical infrastructure owners to report significant cyber incidents, which could come with substantial compliance costs and market risk.
3. And third, the bill would create the Voluntary Cybersecurity Program for Critical Infrastructure.
This program would allow critical infrastructure owners who had not been designated by the NCC as "critical cyber infrastructure" to participate in government security programs. As currently structured, businesses could opt-in to compliance with cybersecurity standards (compliance would be tested by either external audit or self-certification) in exchange for limitations on civil liability, access to classified cyber threat information, and prioritized technical assistance from government experts. Cost-benefit analysis will be an important tool for businesses that are otherwise outside this bill's regulations, yet face potentially huge legal liabilities for data breaches or service outages. At this point, the compromise bill that has emerged is almost entirely carrot and no stick, meaning businesses that opt-out of participating will suffer no penalty, but will be excluded from potentially cost-saving benefits.
With the open amendment rule attached to the bill yesterday, the way is also clear for senators to (variously) seek floor approval of the Republican alternative (called SECURE IT), stronger controls rejected at the committee level, and/or to add new provisions on related topics. For example, one key player, Senator Patrick Leahy (D-VT) immediately filed four amendments, addressing his longstanding interests in updating the electronic communications privacy laws and also to allow social media users to share video watching (as aggressively advocated by Netflix). Senator Al Franken (D-MN) plans to propose amendments adding new privacy law protections for online and mobile users, among others, consistent with various bills he has been advocating for the last few years.
In short, the shared sense of urgency for adoption of some form of legislation addressing cybersecurity of critical infrastructure in the energy, telecom, and other key sectors has served as the catalyst to bring a longer list of privacy and data security initiatives to the floor for debate for the first time. The House previously passed its own law, the Cyber Intelligence Sharing and Protection Act, or CISPA, which would have to be reconciled with any legislation approved by the Senate. Still, after years of legislative action largely being confined to the respective House and Senate committees, the upcoming Senate floor action on S. 3414, and any amendments thereto, represents an important milestone, as well as an opportunity for Senate Democrats and the White House to increase political pressure on the House of Representatives to act upon cybersecurity and privacy issues before the election.