Senators introduce new cybersecurity act

Summary: The new law would require the DHS to assess risks and vulnerabilities of computer systems running at critical infrastructure sites.

TOPICS: Security

A group of senators today introduced a bipartisan cyber security bill that includes some new regulation requirements but does not give the president emergency authorities to interfere with the Internet as a previous version did.

The Cybersecurity Act of 2012 calls for the Department of Homeland Security (DHS) to assess risks and vulnerabilities of computer systems running at critical infrastructure sites such as power companies and electricity and water utilities and to work with the operators to develop security standards that they would be required to meet.

The DHS would determine which companies fit the definition of critical infrastructure as defined by systems "whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life." Companies would have the right to appeal the designation, under the measure introduced by Sens. John D. (Jay) Rockefeller IV (D-West Virginia), Joe Lieberman (I-Connecticut), Susan Collins (R-Maine) and Dianne Feinstein (D-California).

Owners or operators of critical infrastructure systems would need to determine how to best meet performance requirements and to verify that they were doing so, with owners having the ability to either "self-certify" compliance or use a third-party assessor.

There also are provisions for information sharing between the government and the private sector that maintain civil liberties. And DHS would consolidate its cybersecurity programs into a National Center for Cybersecurity and Communications office.

The proposed law "is the product of three years of hearings, consultations, and negotiations," the statement announcing the measure says. "The bill envisions a public-private partnership to secure those systems, which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security."

Still smarting from the recent derailing of the controversial Stop Online Piracy Act (SOPA) following public protests and vehement opposition from tech and Internet firms, including many that staged a one-day site blackout. Critics complained that SOPA would have allowed the U.S. government to order Internet service providers to all but eliminate Web sites that allegedly contain pirated material.

In introducing the new cybersecurity legislation, the sponsors said the measure "in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act [the House of Representatives version], which involved the piracy of copyrighted information on the internet. The Cybersecurity Act involves the security of systems that control the essential services that keep our nation running--for instance, power, water, and transportation."

And the sponsors noted that in the interest of moving the "legislative process forward," they have not included emergency authorities for the president or included a provision to create a special White House cybersecurity office.

No doubt there will be detractors. The U.S. Chamber of Commerce is one of them.

"Gov. Tom Ridge, the chairman of the Chamber's National Security Task Force, will be testifying on Thursday before the Senate," Chamber spokesman Bobby Maldonado wrote in an e-mail to CNET. "His testimony will be consistent with our January 30 letter to Senate Leaders Reid and McConnell. The Chamber is not supportive of a core component of the new bill -- a regulatory 'covered' critical infrastructure (CCI) program. Instead, we believe that Congress should continue to develop information-sharing legislation that will produce more immediate improvements to American's security and that has robust protections for the business community."

Industry opposition to regulation provisions has been a debate point that has held up cyber security legislation. Meanwhile, a controversial "kill switch" provision that critics said could lead to a government-mandated Internet shutdown was removed a year ago.

Last May, the White House sent a proposed cybersecurity law to Congress. Increasing reports of hacking risks and flaws in software used in systems controlling critical infrastructure lend a sense of urgency to the cause.

This story originally appeared on CNET News.

About Elinor Mills
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

  • RE: Senators introduce new cybersecurity act

    Sounds like a solution looking for a problem.
    • not so

      @Vapur9: After reading Richard Clarke's book, I wouldn't be surprised to learn that every SCADA system in the U.S. electric grid has been pwned by China.
    • RE: Senators introduce new cybersecurity act

      @Vapur9: Actually, the US has a lot of critical infrastructure that is not (well) secured. IMHO the effectiveness of this bill will depend on who was involved in writing the security requirements.
  • Self Certify??

    The section that has:

    they were doing so, with owners having the ability to either "self-certify" compliance or use a third-party assessor.

    Are you kidding me....they can self certify their audits. Hmmmm...just a thought!
  • RE: Senators introduce new cybersecurity act

    Why allow "critical" systems to be connected to the internet at all?
    Surely they can afford separate computers for an internet connection.
    One way serial connections from critical components to the internet based computer make good security sense where remote monitoring is required.
    This idea that everything must be IP enabled is the major security concern.
    • The critical systems are NOT connected to the internet; it's an Urban Legend

      “Why allow "critical" systems to be connected to the internet at all?”
      They aren't connected to the internet. It's an Urban Legend pushed hard by the government to help justify its actions against utilities like the heavy handed CCI program. If people knew the systems were not connected to the internet then the Feds would have a very hard time convincing people that the Feds need the power of control over these utilities.

      That's not to say they are free from digital attacks only that the attacks must be made in some way other than the open internet. If one could get into the plant and connect to its network and access its critical systems then they could wreak havoc on the plant. But they can't do this over the internet.
  • Government Failure

    Are you kidding me? They are going to make sure our networks are secured? They can't even secure their own systems. It will be another poorly written legislation with unintended consequences causing private businesses excess costs that are needless and they will have to recover these costs and pass them down to the consumer. Once again we will be thanking Government for giving us such great service.

    No thank you....we have had enough job-killing mandates, subsidies, and pointless regulations. Quit spending our hard-earned money and concentrate on things you are supposed to be doing like a balanced budget with no spending overages.

    If I want to harden my network I will do it myself or hire someone skilled enough to do it....not some government agency dictating to me without the required knowledge!
    • RE: Senators introduce new cybersecurity act

      I believe this legislation was written by those who want to perform the auditing services. 'It's good for business!'
    • RE: Senators introduce new cybersecurity act

      @pizzaman7 Besides, Who Takes Care of the Caretaker's daughter?
      (If you're old enough to get this one, you must be dead.)
  • RE: Senators introduce new cybersecurity act

    Whatever happened to the GOP promises for less regulation??
    terry flores
  • RE: Senators introduce new cybersecurity act

    I don't think they can make our networks secure
  • More on what was NOT covered about the Cybersecurity Act of 2012

    While the piece does mention that the highly criticized "Kill Switch" component of the bill had been removed it also neglects to mention the fact that the White House has said it believes the president still has such "Internet Kill Switch" power via the powers it has retained under the law that created the Federal Communications Commission in 1934.

    What else is left out?? When describing the CCI (covered critical infrastructure) program outlined in the bill, the story conveniently leaves out the fact that the government can through this program shut down utilities such as power plants (i.e. coal burning power plants) through the requirement of expensive mandates to the security systems of the facility. It's also a great way to get kickbacks by setting forth mandates outlining requirements that only those security providers who are working with government are able to meet. In other words it's a way to bypass the open market by requiring a utility to use services and products from White House "preferred" partners.

    Why would government use the CCI program to shut down utilities? The Federal government has been shutting down Utilities for several years all in the name of saving the planet under the bogus claims made by global climate change which has more recently converted to sustainability aka "Agenda 21". If the Feds can't shut down a utility that is not owned by one of the White House's preferred "Private-Public" partnerships then it can use the CCI program to make it too expensive for the utility to continue operations and therefore force it closed.

    The Cyber security Act of 2012 is not about making the internet or use of it safer but how to bring about an environment that favors businesses that participate in government preferred initiatives like Agenda 21. And if you think that's conspiracy theory then Google "Obama to shutdown coal burning power plants" and listen to the president say he will bankrupt cola burning power plants.
    • RE: Senators introduce new cybersecurity act

      @BlueCollarCritic but if they're burning cola then they should go bankrupt.
  • RE: Senators introduce new cybersecurity act

    Governments will always move toward control of free speech. The internet is the one greatest threat to fascism the world has ever known. It must remain open and free from government control or we are all toast.
  • Not only US...

    But, what about other countries? Afaik, US systems are still better secured than most other countries out there. Right?
  • Regulated by sensible information level

    The companies that have sensible information should have their services regulated and tested periodically in deep by professional hackers; or else won't be allowed to provide access to their info online.

    The past acts had for priority to fight piracy. This was only in direct benefit for the enterprises, not for the customers and everyday users. A regulation to enterprises and government sites and services (internal and external), would be more beneficial for the security of their information and for their customers.