A bipartisan group of senators has proposed legislation that would give the United States Department of Homeland Security (DHS) increased power over critical IT infrastructure owned by the private sector.
The Cybersecurity Act of 2012 was introduced in the Senate Tuesday by Senator Joseph Lieberman, chairman of the Homeland Security and Governmental Affairs Committee.
It will require the DHS to establish a procedure for designating critical infrastructure as covered critical infrastructure and assess the risks and vulnerabilities of critical infrastructure systems as defined in section 1016(e) of the U.S. Patriot Act.
Input from the private sector owners of the infrastructure and from other government agencies will be sought throughout the process.
“There are many pending bills with an abundance of authority vested in the DHS,” observed W. Hord Tipton, executive director of the International Information Security Certification Consortium ((ISC)²) and former CIO of the U.S. Department of the Interior. “As the bill is more developed, hopefully it will coalesce into a more understandable set of directions.”
The offices of Senators Joe Lieberman and Dianne Feinstein, a cosponsor of the bill, did not respond to our request for further details.
About the Cybersecurity Act of 2012
Ninety days after the act is passed, the DHS will have to work with owners and operators of critical infrastructure as well as various federal organizations and agencies, including the intelligence community, to conduct a top-level assessment and determine which sectors in the country’s critical infrastructure pose the greatest immediate risk.
The DHS will then conduct ongoing cyber risk assessments of the critical infrastructure, sector by sector, beginning with those sectors that have the highest priority. It will look at the actual or assessed threat to each sector and the impact that a breach of or damage to it would have on people, national security and the operation of other critical infrastructure.
Other factors, including the risk of national or catastrophic damage within the U.S. caused by damage to or a breach of information infrastructure outside the nation, will also be examined.
What Might Covered Critical Infrastructure Be?
Systems or assets based on activities protected by the First Amendment to the U.S. Constitution can’t be designated as critical infrastructure. Nor can IT products or services that are or could be used in covered critical infrastructure, or commercial IT products, including hardware and software.
Barring these exclusions, a system or asset can be designated as covered critical infrastructure if damage to it or unauthorized access to it would interrupt life-sustaining services such as power, water and transportation.
Other grounds for designation are mass casualties, including an “extraordinary” number of fatalities, long-term mass evacuations, or the failure or substantial disruption of a U.S. financial market, resulting from damage to or unauthorized access to that system or asset.
The DHS will have to review and update designations at least annually.
Appeals against designations made through the process must be filed in the U.S. District Court for the District of Columbia.
Implementing New Measures
Owners and operators of covered critical infrastructure must remediate or mitigate identified risks and any associated consequences according to guidelines to be developed by the DHS working with various government agencies and organizations.
Those requirements won’t allow any federal employee or agency to regulate commercial IT products and services or to regulate the design, development and manufacturing of commercial IT products.
The president may exempt covered critical infrastructure from the requirements of the Cybersecurity Act of 2012, or reconsider any such exemption, under certain circumstances.
Punishment Is the Key
Failure to adhere to cybersecurity requirements developed to protect critical infrastructure, or to report significant cyber incidents affecting such infrastructure, will incur civil penalties.
“The key at the end of the day with all these acts is to see what’s actually going to be enforced, and what the penalties [for non-compliance] are,” Darren Hayes, CIS program chair at Pace University, told TechNewsWorld.
“Without penalties, there’s less of an incentive for companies to comply,” Hayes continued. For example, “there has really been no provision of penalties for data breaches, and that’s what has historically been lacking in legislation.”