In August, we waved farewell to the Cybersecurity Act of 2012 (S.3414). Or, so we thought. The bill, which followed a tortured path of at least four major iterations since the introduction of its predecessor in 2010, finally hit the brick wall of Senate gridlock when a cloture vote failed to end debate. While this failure effectively killed the bill, proponents are moving forward with alternative methods to implement some of its measures, including entreaties from legislators for voluntary compliance with cybersecurity schemes, and an executive order currently being drafted by the Administration.
On a broad level, the Act was intended to create a mechanism for protecting “critical infrastructure,” loosely defined as entities for which damage or unauthorized access could result in “the interruption of life-sustaining services,” “catastrophic economic damage,” or “severe degradation of national security.” The Act would have created a new agency to direct an inventory of the most at-risk sectors, as well as identification of the categories and owners of critical infrastructure within each such sector.
Perhaps the most controversial portion of the Act would have authorized private entities to monitor their systems and share information with the government regarding perceived cyber threats. The Act also would have provided private entities with certain liability protections, including (1) immunity from suit arising in connection with the companies’ monitoring and information-sharing activities, and (2) protection from punitive damage claims arising out of cyber attacks occurring while an entity conformed to government-approved standards.
The Act attracted opposition from the left and the right. Some raised privacy concerns based on the information sharing provisions, while others worried that government-imposed standards would unnecessarily burden businesses. Last-minute amendments designed to alleviate or remove some of these concerns did not save the bill, despite garnering the approval of some watchdog groups.
The Administration apparently is no longer waiting on Congress. Homeland Security Secretary Janet Napolitano recently confirmed that a draft executive order is nearing completion. The draft is reported to contain many provisions similar to those in the Act, including the creation of a program through which companies operating key infrastructure could elect to meet government-developed standards. However, unlike the Act, an executive order would not be able to offer these companies protections from legal actions.
Congressional members are not sitting idle, either. Last week, Senator Jay Rockefeller, Chairman of the Senate Committee on Science, Technology and Transportation, took the unusual step of writing directly to the CEOs of the nation’s 500 largest corporations. He told them that he “would like to hear more… about their views on cybersecurity, without the filter of Beltway lobbyists,” and he asked that they each answer a survey regarding their company’s cybersecurity practices and concerns (if any) with the Act’s proposed voluntary information-sharing programs.
Meanwhile, the need for some form of escalation in cybersecurity efforts is clearer than ever, as just last week sources confirmed that several major banks have been hit by some of the largest cyber attacks in history. For now, we must wait and see which avenue — legislation, executive order, senatorial supplications, or a combination — will bring this much-needed action.