11-15-12 | Blog Post
A bipartisan bill that would have created voluntary cybersecurity standards for companies that operate critical U.S. infrastructure, such as power grids and chemical plants, was shot down once again this past Tuesday. The revised bill was blocked by a vote of 51-47. This is the second time the Cybersecurity Act of 2012 has been thwarted; the initial bill was rejected in early August by a vote of 52-46, amid concerns about increased government regulation of private businesses.
Who would the bill apply to? Systems or assets would be designated as ‘critical infrastructure’ if damage or unauthorized access could lead to:
The language of the bill is arguably vague (giving ample leeway in deciding which companies can be designated as critical infrastructure and therefore subject to its terms and to penalties for noncompliance), which may have hurt its chances of passing in the Senate. However, the overall sentiment that our critical infrastructure should be held to some kind of security standard, if not the highest, is not out of bounds. If our medical records must be protected by a federal, national standard (HIPAA compliance), then why can’t we protect our power grids? And why shouldn’t there be penalties for noncompliance, if noncompliance could result in mass economic destruction or fatalities?
The U.S. Chamber of Commerce’s National Security & Emergency Preparedness Dept., which opposes the bill, claims that minimum standards for cybersecurity should be developed by industry, not government, and should vary for different sectors, according to VP Ann Beauchesne, as reported by Bloomberg.com. However, the bill does acknowledge different cybersecurity requirements for each sector (see details in the bullets below), invalidating that argument.
Similar to best practices for HIPAA compliance, the bill requires owners to also “submit a third-party assessment…on an annual basis,” with enforced penalties if they fail to do so. The OCR recently released audit guidelines for covered entities and business associates (third parties), based on an initial pilot audit program intended to uncover security issues and improve upon the general operating standards of private and public healthcare companies alike. HIPAA extends to third parties, as they are another link in the ‘chain of trust’ and can have a significant role in the security of patient data.
The same would hold true for ‘covered critical infrastructures,’ as noted by the cybersecurity bill. So what would the bill actually require of covered critical infrastructure business owners?
This appears to be a fairly standard set of responsibilities for owners. Reporting significant cyber incidents is key to preventing an even bigger and more destructive attack in the future, with investigations and ongoing monitoring allowing the utmost transparency into intrusions. Gathering intelligence on these attacks can also allow investigators to create profiles of groups or individuals, which might spark privacy concerns but could also prevent a catastrophic attack on our critical network systems.
According to Bloomberg.com, the current administration may have to issue an executive order to enact parts of the bill instead of the whole, considering it has already failed to pass twice in the Senate.
Find out how you can protect your own company or organization by building your own security toolkit, complete with technical security, physical security and administrative security services.
Cybersecurity Act of 2012 (Full Text of Bill, PDF)
Cybersecurity Bill Fails to Advance in Senate
Cybersecurity Bill Killed, Paving Way for Executive Order
Hacker Attack Warnings Don’t Budge Opposing Sides on Cyber Bill