Yesterday Sen. Lieberman (I,CT) and four influential colleagues (Carper (D,DE), Collins (R,ME), Feinstein (D,CA) and Rockefeller (D,WV)) introduced S 3414, the Cybersecurity Act of 2012. This bill is a re-write of S 2105, intended to overcome many of the objections to that earlier bill with regard to regulation of critical infrastructure systems and privacy issues. The GPO does not yet have a copy of this bill on their web site, but the Senate Homeland Security and Governmental Affairs Committee does have a draft posted (you have to click on the link to the ‘revised Cybersecurity Act of 2012’ within the article to download a copy; sorry, but I don’t like to provide direct links to downloads).

I have not had a chance to do a line-by-line comparison of the new bill with the old, but according to the SHSGA web site article there are a number of provisions that will be important to critical infrastructure organizations (though it isn’t clear that they specifically apply to control systems). These include:
• Establish a multi-agency council, the National Cybersecurity Council, chaired by the Secretary of Homeland Security, to lead cybersecurity efforts, including assessing the risks and vulnerabilities of critical infrastructure systems.
• Allow private industry groups to develop and recommend to the council voluntary cybersecurity practices to mitigate identified cyber risks. The standards would be reviewed and approved, modified or supplemented as necessary by the council to address the risks.
• Allow owners of critical infrastructure to participate in a voluntary cybersecurity program. Owners could join the program by showing, either through self-certification or a third-party assessment, that they are meeting the voluntary cybersecurity practices. Owners who join the program would be eligible for benefits including liability protections, expedited security clearances, and priority assistance on cyber issues.
• Create no new regulators and provide no new authority for an agency to adopt standards that are not otherwise authorized by law. Current industry regulators would continue to oversee their industry sectors.
• Permit information-sharing between the private sector and the federal government on threats, incidents, best practices, and fixes, while preserving the civil liberties and privacy of users.
• Require designated critical infrastructure (those systems which, if attacked, could cause catastrophic consequences) to report significant cyber incidents.
The outline above, provided by Lieberman’s staff, looks pretty good: no new regulators (it doesn’t say ‘no new regulations’) with ‘voluntary cybersecurity practices’. As always, the devil is in the details. I’ll be looking at this in detail over the next day or so. Also, we have to remember that when this comes to the floor of the Senate (possibly next week) there will be a large number of amendments offered that may change the complexion of the bill completely.