GovDefenders Wednesdays | Cybersecurity Legislation: Are We There Yet?
Track cybersecurity and other legislation on the Library of Congress THOMAS website by bill number, keyword, or sponsor.
The Senate worked throughout last year to gain consensus on a cybersecurity bill. The Cybersecurity Act of 2012 (CSA 2012) (S.3414) co-sponsored by Senators Joe Lieberman and Susan Collins, sought to establish a National Cybersecurity Council to be chaired by the Secretary of the Department of Homeland Security. The thrust of this particular legislation would have been to put in place a framework for protection of so called “critical infrastructure” - power plants, refineries, chemical production installations and similar facilities. If these installations were crippled through a cyber attack, it is argued, the impact on our safety and economy could be severe. The CSA 2012 framework would have provided for compliance with an as yet undetermined set of regulations and voluntary sharing of threat and incident data among industry and with the Federal government.
One aspect of the problem that critical infrastructure legislation is addressing is the vulnerability of industrial control systems (remember STUXNET?). These computer systems, collectively referred to as Supervisory Control and Data Acquisition (SCADA) systems, are used to measure and control the flows of liquids, gases, and power through industrial systems. Typically, SCADA sensors are linked to a central, semi-automated station for monitoring and control of the plant. While the automation of process manufacturing and power plant operation is well-proven technology, in recent years the transmission of sensor readings and commands to valves and pumps to open or close has become vulnerable to malware threats, especially as the network nodes are exposed to the public Internet.
So, reasonable citizens could conclude that this is an area of national concern that we should address collectively and as aggressively as we have other cyber threats that affect national security, our digitally stored health information, or our financial data.
Objections to the CSA 2012 legislation centered on the regulatory process, compliance cost, liability issues, and scope of coverage (which industries and facilities would be covered?). CSA 2012 failed to pass in mid-November and the Administration cautioned that, absent legislation, certain provisions of the bill were likely to be implemented through an executive order. It has been reported in various media that the Administration continues to work on an executive order that, if issued, would create a process for government and industry to develop a set of cybersecurity standards the industry would adopt voluntarily.
Now, in the current Congress, the Cybersecurity and American Competitiveness Act of 2013 (S.21) was introduced on January 22, 2013 as a “Sense of Congress” bill. It establishes broad principles that are expected to become the basis for more detailed legislation during the year. Given the importance of this topic to the technology community, it is worthwhile to list the elements of future legislation this Sense of Congress bill anticipates.
“It is the sense of Congress that Congress should enact, and the President should sign, bipartisan legislation to improve communication and collaboration between the private sector and the Federal Government to secure the United States against cyber attack, to enhance the competitiveness of the United States and create jobs in the information technology industry, and to protect the identities and sensitive information of United States citizens and businesses by:
- enhancing the security and resiliency of public and private communications and information networks against cyber attack by nation-states, terrorists, and cyber criminals;
- establishing mechanisms for sharing cyber threat and vulnerability information between the government and the private sector;
- developing a coherent public-private system to improve the capability of the United States to assess cyber risk and prevent, detect, and robustly respond to cyber attacks against United States critical infrastructure, such as the electric grid, the financial sector, and telecommunications networks;
- promoting research and development investments in the United States information technology sector that create and maintain good, well-paying jobs in the United States and help to enhance the economic competitiveness and cybersecurity of the United States;
- promoting cybersecurity and information technology training to develop the country's next generation of cyber professionals;
- preventing and mitigating identity theft and guarding against abuses or breaches of personally identifiable information;
- enhancing United States diplomatic capacity and public-private international cooperation to respond to emerging cyber threats, including promoting security and freedom of access for communications and information networks around the world and battling global cyber crime through focused diplomacy;
- expanding tools and resources for investigating and prosecuting cyber crimes in a manner that respects privacy rights and civil liberties and promotes United States innovation; and maintaining robust protections of the privacy of United States citizens and their online activities and communications.”
GovDefenders Wednesdays is written by Van Ristau, DLT Solutions’ Chief Technology Officer. Throughout the month, he’ll explore the world of public sector cybersecurity; introducing concepts, offering opinions, providing resources, and identifying ways to protect your agency. You may also follow Van on Twitter at@VanRistau.