A bipartisan group of Senate leaders on Tuesday introduced the Cybersecurity Act of 2012, a bill that aims to guard against the nation’s increasing vulnerability to cyber attack by securing the cyber systems of the nation’s essential services.
Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, Ranking Member Susan Collins, Commerce Committee Chairman Jay Rockefeller and Select Intelligence Committee Chairman Dianne Feinstein introduced the bill.
“This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles,” Lieberman said. “The nation responded after 9/11 to improve its security. Now we must respond to this challenge so that a cyber 9/11 attack on America never happens.”
The legislation reflects recommendations from companies and trade associations representing the information technology, financial services, telecommunications, chemical, and energy sectors, among others. National security, privacy and civil liberties experts also provided essential counsel.
“I can’t think of a more urgent issue facing this country. Hackers are stealing information from Fortune 500 companies, breaking into the networks of our government and security agencies and toying with the networks that power our economy. The new frontier in the war against terrorists is being fought online and this bill will level the playing field. We can and will stop cyber criminals from getting the upper hand. This comprehensive legislation is an important step towards securing the Internet from cyber theft,” said Rockefeller.
To move the legislative process forward, the senators have not included emergency authorities for the president, as previous bills did. The legislation also does not contain a special White House cybersecurity office.
“Our nation’s vulnerability has already been demonstrated by the daily attempts by nation-states, cyber criminals, and hackers to penetrate our systems,” Collins said. “The threat is not just to our national security, but also to our economic well-being. A Norton study last year calculated the cost of global cybercrime at $114 billion annually. When combined with the value of time victims lost due to cybercrime, this figure grows to $388 billion globally, which Norton described as ‘significantly more’ than the global black market in marijuana, cocaine and heroin combined. Our bill is needed to achieve the goal of improving the security of critical cyber systems and protecting our national and economic security.”
Both the Homeland Security and Governmental Affairs and the Commerce Committees have held several hearings over the years on cybersecurity. In the 111th Congress, both Committees marked up and reported out cybersecurity legislation. In the 112th Congress, the two Committees merged their bills, then refined and perfected them to produce new legislation.
According to a statement from the senators, the bill would require:
- The Department of Homeland Security to assess the risks and vulnerabilities of critical infrastructure systems – whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life – to determine which should be required to meet a set of risk-based security standards.
- Owners/operators who think their systems were wrongly designated would have the right to appeal.
- DHS to work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements, looking first to current standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met.
- The owners of a covered system to determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance.
- Current industry regulators to continue to oversee their industry sectors.
- Information-sharing between and among the private sector and the federal government to share threats, incidents, best practices, and fixes, while maintaining civil liberties and privacy.
- DHS to consolidate its cybersecurity programs into a unified office called the National Center for Cybersecurity and Communications.
- The government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.