Yesterday, Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (ID-Conn.), Ranking Member Susan Collins (R-Maine), Commerce Committee Chairman Jay Rockefeller (D-W.Va.), and Select Intelligence Committee Chairman Dianne Feinstein, D-Ca. introduced The Cybersecurity Act of 2012. The press release can be found here.
We are seeing an increasing number of attacks targeting government secrets, trade secrets, and other intellectual property rather than the traditional personal information used to fraudulently open credit card accounts. Law firms, for example, are a prime target for an attacker to obtain the intellectual property of the firm’s clients in an effort to compete against them or enter into business deals with the leverage the criminals would not otherwise possess. And, these attackers oftentimes have plans in place to effectively shutdown the victim of the attack if they are discovered. The issues trying to be addressed by this proposed legislation are real.
This is not a federal data breach statute, but rather an attempt to prepare our defense against cyber attacks that could cripple our ability to function. The Act uses the term “critical infrastructure” which relates to services like utilities, telecommunications, transportation, public health services, agriculture, banking, and security services. The proposed legislation speaks more in general terms of the private sector “providing input” and gaining participation of private entities in public-private partnerships. What will be key is how the baseline for compliance is defined. If the government is too aggressive initially, there will be a lack of buy-in from private companies. The government is going to need to work to gain the cooperation they are probably looking for from the private sector, and one of the ways to do that is to provide real incentives to those companies. What is being proposed offers certain immunity from punitive damages in lawsuits; however, perhaps it could go further in that regard and provide even more incentives and broader immunity from civil liability.
There will be concern about the extent to which a private company, or the government, will be able to monitor cybersecurity threats. However, there are many limitations in place under the current laws regarding a company’s ability to monitor its own information systems. Indeed, that is one of the challenges we face when responding to a data security incident which implicates employee personal information and personal email accounts—even when that information is on a network or computer owned by a company. Section 701 in the proposed legislation, however, is clear about requiring authorization from a third party a private entity may be monitoring. And, any of this monitoring must be in the name of detecting “cybersecurity threats”. “Cyber risk “ is defined in Section 101, and if a “cybersecurity threat” is a “cyber risk”, it means “any risk to information infrastructure . . . that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure”. Although the authority to monitor may seem broad, there must still be a significant risk of disruption posed to an essential component of the operations of systems we depend on to function—power, water, and transportation. That could still pose a burden on the company doing the monitoring to ensure that our privacy laws are not abrogated by this proposed legislation.
The Act as proposed does include an exemption to the Freedom of Information Act (FOIA) rules and I think you need that. Otherwise, no company is going to share the type of information being sought by the government to defend against these types of cybersecurity threats. The question remains how a private citizen is going to find out that the information being monitored went beyond an attempt to detect a cybersecurity threat—however, that challenge exists today under current laws because a company’s monitoring activities often go undetected.
Another concern that will likely be raised is that the government will able to require compliance by a company by designating an entity as a covered critical infrastructure. However, there are significant protections under the proposed legislation to limit the government’s ability to make such a designation. The unanswered question is how much the civil penalties are going to be for non-compliance once designated, and how tough the government will be when it comes to defining the level of security that needs to be in place to address a vulnerability. The government will still need to balance the cost to the covered entity to implement those security measures with the cost being passed along to consumers. In fact – with much of the country’s critical infrastructure privately owned – the government depends on the privately owned infrastructure to support its day-to-day operations. This would not be different during a cyber threat. The intent here seems to be, and should be, fine tuning federal government and private entity coordination in preventing and responding to threats.
The proposed law should not present significant changes to companies that own infrastructure assets. By way of a presidential directive, policies and procedures have been in place since 1998–and updated in 2003–for preparedness and response to serious incidents that may affect the critical infrastructure here in the US. In fact, the federal government requires companies with infrastructure assets to: assess its vulnerabilities, plan to eliminate such vulnerabilities, develop systems to identify and prevent attacks, and to contain any attacks with the Federal Emergency Management Agency (FEMA) in order to rebuild infrastructure capabilities.
Seven Senate Republican Ranking Members signed a letter expressing process and substance concerns and demanding hearings in their respective committees.