There has been no shortage of cybersecurity bills introduced in Congress in 2011. The Obama Administration even issued a cybersecurity legislative proposal in May 2011 that would require the Department of Homeland Security (DHS) “to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators.” As we reported here, Senator Harry Reid (D-Nev.) announced his intention to bring comprehensive cybersecurity legislation to the floor when Congress returns in January of 2012.
The PRECISE Act is the newest addition. Two members of the House Homeland Security Committee—Rep. Dan Lungren (R-CA) and Rep. Peter King (R-NY)—introduced the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 on December 15. A section-by-section summary can be found here. The PRECISE Act would amend the Homeland Security Act of 2002 by tasking DHS with creating market-based incentives to entice “critical infrastructure” operators to adopt voluntary cybersecurity standards. The term “critical infrastructure” is broadly defined to include any infrastructure that, if destroyed or disabled, would result in a significant number of deaths, mass evacuations, major disruptions of the economy, or significant disruption to national security. The industries that fall under this category would include utilities, financial services, and telecommunications. The PRECISE Act would also authorize the creation of a National Information Sharing Organization to serve as a central source for sharing cyber threat data (classified as Sensitive Security Information) with government agencies and the operators of critical infrastructure.
There have been news reports regarding the “undeclared global cyber war” and corporate espionage attacks, including a recent attack against the U.S. Chamber of Commerce. However, aside from an erroneous report of a Russian attack on an Illinois water pump, there have been no publicly reported accounts of cyberattacks crippling U.S. infrastructure. Still, based on reports about the impact the Stuxnet worm had on Iranian SCADA systems (supervisory control and data acquisition management systems, used in large manufacturing and utility plants), the risk certainly exists. Moving into next year, there appears to be bipartisan consensus regarding the need for a federal cybersecurity law, and some of the similarities between the White House’s legislative proposal and the pending bills create the possibility for cybersecurity legislation to be enacted in 2012.