WASHINGTON, D.C.—To guard against the nation’s increasing vulnerability to cyber attack, a group of Senate Committee leaders introduced bipartisan legislation Tuesday to secure the cyber systems of essential services that keep our nation running.
The Senators are Commerce Committee Chairman John D. (Jay) Rockefeller IV, Homeland Security Committee Chairman Joe Lieberman, Homeland Security Committee Ranking Member Susan Collins, and Intelligence Committee Chairwoman Dianne Feinstein.
The Cybersecurity Act of 2012 (S. 2105) is the product of three years of hearings, consultations, and negotiations. The bill envisions a public-private partnership to secure those systems, which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.
“I can’t think of a more urgent issue facing this country,” Rockefeller said. “Hackers are stealing information from Fortune 500 companies, breaking into the networks of our government and security agencies and toying with the networks that power our economy. The new frontier in the war against terrorists is being fought online and this bill will level the playing field. We can and must stop cyber criminals from getting the upper hand. This comprehensive legislation is an important step towards securing the Internet from cyber theft.”
Lieberman said: “This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles. The nation responded after 9/11 to improve its security. Now we must respond to this challenge so that a cyber 9/11 attack on America never happens.”
Collins said: “Our nation’s vulnerability has already been demonstrated by the daily attempts by nation-states, cyber criminals, and hackers to penetrate our systems. The threat is not just to our national security, but also to our economic well-being. A Norton study last year calculated the cost of global cybercrime at $114 billion annually. When combined with the value of time victims lost due to cybercrime, this figure grows to $388 billion globally, which Norton described as ‘significantly more’ than the global black market in marijuana, cocaine and heroin combined. Our bill is needed to achieve the goal of improving the security of critical cyber systems and protecting our national and economic security.”
Feinstein said: “Alongside terrorism, cybersecurity is perhaps the number one threat facing our nation today, but many obstacles exist that prevent the cooperation and coordination needed to deter this growing threat. It’s past time that the government and the private sector join together to address the widespread and devastating effects that cyber intrusions are having on our country.”
The legislation reflects recommendations from companies and trade associations representing the information technology, financial services, telecommunications, chemical, and energy sectors, among others. National security, privacy and civil liberties experts also provided essential counsel. Majority Leader Harry Reid’s support was instrumental.
The Senators stressed that the Cybersecurity Act of 2012 in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act, which involved the piracy of copyrighted information on the internet. The Cybersecurity Act involves the security of systems that control the essential services that keep our nation running—for instance, power, water, and transportation.
To move the legislative process forward, the Senators have not included emergency authorities for the president, as previous bills did. The legislation also does not contain a special White House cybersecurity office.
Both the Homeland Security and Governmental Affairs and the Commerce Committees have held several hearings over the years on cybersecurity. In the 111th Congress, both Committees marked up and reported out cybersecurity legislation. In the 112th Congress, the two Committees merged their bills, refined and perfected them to produce new legislation.
The Cybersecurity Act of 2012 would require:
- The Department of Homeland Security (DHS) to assess the risks and vulnerabilities of critical infrastructure systems—whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life—to determine which should be required to meet a set of risk-based security standards. Owners/operators who think their systems were wrongly designated would have the right to appeal.
- DHS to work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements, looking first to current standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met.
- The owners of a covered system to determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance.
- Current industry regulators to continue to oversee their industry sectors.
- Information-sharing between and among the private sector and the federal government to share threats, incidents, best practices, and fixes, while maintaining civil liberties and privacy.
- DHS to consolidate its cybersecurity programs into a unified office called the National Center for Cybersecurity and Communications.
- The government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.