One Last Push for Cybersecurity Reform Before the August 2012 Recess
Wednesday, July 25, 2012
Last week, the leadership of the Senate’s Homeland Security and Governmental Affairs Committee released a copy of the revised “Cybersecurity Act of 2012,” the latest draft bill aimed at reforming cybersecurity laws and regulations.
Yesterday, Senator Reid’s office stated that the bill would be up for a floor vote this week. Senators Lieberman, Rockefeller, Collins and Snowe, among others, worked diligently behind the scenes to move the bill forward by securing bipartisan support for it. It remains to be seen whether the bill has the votes needed to pass the Senate. If it does pass, it would raise pressure on House leadership to move on comprehensive cybersecurity reform.
Many earlier versions of cybersecurity reform contained mandates and penalties for owners and operators of critical infrastructure who failed to protect their computer systems from security threats and attacks. The new bill modifies those provisions, as discussed below. Dropping the mandates and penalties was a significant concession by the drafters, since many Democratic senators had adamantly supported the earlier provisions.
Among the bill’s highlights is the much anticipated and non-controversial reform of the Federal Information Security Management Act (FISMA). Under the proposed law, federal agencies would be required to adopt a “continuous monitoring model” in place of the current, outdated FISMA approach of periodic quarterly and annual monitoring and reporting on cybersecurity threats and attacks.
Another non-controversial yet critical provision of the bill focuses on education, outreach and workforce, taking a proactive approach to improving the overall cybersecurity ecosystem. Key components of this section include: reports to Congress on the state of cybersecurity education; national cybersecurity challenges as a way of identifying and recruiting talented individuals; a federal cyber scholarship-for-service program; and a training program to improve the technical skills and capabilities of federal employees engaged in the cybersecurity mission. A separate section on research and development creates various R&D programs, both within the government and at institutions of higher education. These combined efforts are designed to help federal agencies stay a step ahead of cyber trends, threats and attacks.
Next, the bill would create a new program to promote the adoption of best practices for securing critical infrastructure against ongoing threats and attacks. Owners and operators of critical infrastructure who voluntarily participate in the program would receive benefits, such as “liability protection from any punitive damages arising from an incident related to a cybersecurity risk . . .” To receive this protection, however, a participant must either self-certify or obtain a third-party assessment confirming a minimum acceptable level of cybersecurity programs, measures and practices.
The proposed bill would also require the Securities and Exchange Commission (SEC) to “evaluate existing guidance to companies related to requirements to disclose to investors ‘material risks’” arising from cybersecurity matters. This provision is controversial and may need to be revised before Sen. Reid can secure the votes needed to pass a floor vote. The concern is that some may read it as an open-ended mandate for the SEC to impose new and ongoing cybersecurity reporting obligations on publicly traded companies.
Also worth mentioning is an international cooperation provision that would enable the U.S. to engage more effectively with partner nations overseas in combating cyber crime. On the home front, another provision would allow for better government-to-government, private-sector-to-government and private-sector-to-private-sector information sharing. By sharing information domestically and abroad, we can better combat cyber criminals.
We are conducting a more thorough review of the updated legislation and look forward to continuing to work with committee staff to improve the bill.
Randi Parker, CompTIA’s new director of advocacy, who will focus on tech workforce issues on Capitol Hill, contributed to this post.