On Thursday the Senate held their cloture vote on moving forward with the debate on S 3414, the Cybersecurity Act of 2012. The cloture motion was approved on a vote of 84 – 11. To make sure that everyone realized that a vote in favor of cloture would not necessarily mean a vote for S 3414, Sen. McCaskill (D,MO) spoke on the floor of the Senate immediately after the cloture vote, detailing what she viewed as the shortcomings of the legislation.
Summary of Amendments
On Monday afternoon the Senate will formally vote to adopt the motion to proceed to S 3414. According to the HilliconValley blog, in order to get the early and favorable cloture vote, Sen. Reid agreed to an open amendment process during the floor debate. Thursday’s Congressional Record reflects this with 39 newly proposed amendments to the bill. Three of the new amendments are completely unrelated to cybersecurity:
SA 2609 – Add Section – Limitation on Foreign Assistance to Pakistan – S 5568;
SA 2616 – Add Title - Energy Savings And Industrial Competitiveness – S 5615; and
SA 2619 – Add Section – Right to Work – S 5622
Eight of the 39 amendments are full, or nearly full, substitute language amendments providing variations on the SECURE IT legislation (S 2151 and S 3342) previously offered by Sen. McCain (R,AZ). A brief look at the table of contents for the amendments doesn’t provide any indication that any will address control system security issues, so I haven’t attempted to determine the differences between the eight alternatives.
Of the remaining 28 cybersecurity-related amendments that would modify provisions of the current bill, 18 deal with the public-private partnership provisions of Title I (many of which I have already reviewed) and four deal with the information sharing provisions of Title VII. These amendments are the ones that will probably be of the most interest to the industrial control system community.
Further Limiting Government Authority
Anyone who has been following the debate about cybersecurity legislation will be unsurprised to hear that most of the amendments are formulated to restrict what little authority would be given to the Federal government to regulate cybersecurity in the private sector. The widest erasure would be effected by SA 2597, which would completely delete Title I, the portion of the bill that establishes the public-private partnership that would allow the minimal regulation of private sector cybersecurity.
Another amendment (SA 2590) would add a requirement to conduct a cost-benefit analysis prior to adopting a cybersecurity practice as proposed under §103(b). A similar requirement would be added by SA 2599 in mandating that a report to Congress on the adoption of any suggested cybersecurity measure by a Federal agency would include the results of a detailed cost-benefit analysis. Oh, and that original requirement in §103(g) was for a report on any suggested cybersecurity measure that was not adopted by the regulating agency.
Two other amendments would limit the authority of regulatory agencies to require the use of the voluntary cybersecurity practices as part of their current authority. SA 2595 would change the current wording in § 103(g)(1)(A) that would authorize the agency to adopt cybersecurity measures as mandatory to specifically disallow that adoption. The substitute language for § 105(1) in SA 2601 removes the authorization for adopting such cybersecurity measures. An interesting situation could arise if only one of these two amendments were to be adopted; it would leave competing requirements in the bill.
Provisions already in the bill that prohibit government agencies from requiring private entities to provide information in support of the voluntary cybersecurity program would be further reinforced by SA 2596. That amendment would prohibit any agency that already had legal authority to compel the submission of security information from using that authority to collect information to support the voluntary cybersecurity program.
There were a couple of interesting holes in S 3414. In an earlier blog post I noted that I thought that the liability protections provided in §104 of the bill were a little weasel-worded and weak. That would be partially, if negatively, addressed by SA 2587. This amendment would actually provide some liability protection to entities that choose not to participate in the Voluntary Cybersecurity Program. This is probably necessary, but it certainly does not provide any incentive to join the program.
In my blog post about the identification of critical cyber infrastructure I noted that there was a 60-day window for Congress to act on the notification of the designation of a category of critical infrastructure as critical cyber infrastructure. I failed to note that there was nothing establishing what action Congress could take. Amendment SA 2594 partially corrects that by establishing that a ‘resolution of disapproval’ would result in the category being removed from the list and being kept off the list for at least 2 years.
Late Monday afternoon, after the Senate deals with a judicial nomination, it will begin dealing with S 3414 and its amendments. Given the reported open amendment deal, we can be certain that more amendments will be offered. That, and the fact that the Senate does not operate under the ‘5-minute’ rule used in the House, means that this will take some time to complete, maybe longer than we have before the summer recess begins.
All bets are off, of course, if the opposition (more or less led by McCain and McCaskill, the other cybersecurity odd couple) comes to the conclusion that the bill is unbearable and can muster the 40 votes necessary to stop further consideration of the bill. Oh well, no one said it would be easy; or even likely.