The White House is considering its options after the Cybersecurity Act of 2012 died in the U.S. Senate Aug. 2, including possibly using an executive order to mandate parts of the bill if Congress refuses to vote on it, according to a report.
According to The Hill, White House press secretary Jay Carney said President Obama is "determined to do absolutely everything we can to better protect our nation against today's cyber-threats."
"In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed," Carney said.
On Aug. 2, the cyber-security legislation came eight votes short of the 60 votes necessary to end debate and send the bill to a final vote in the Senate. The failure came despite a full-court press of support from the White House and the backing of technology firms such as Microsoft, EMC and Oracle, as conflicts over amendments stalled the bill on the Senate floor.
"Today, the utilities and critical infrastructure industries in the United States are under constant cyber-attack from nation states and other groups. ... Bolstering their IT security hardware, policies and procedures should be mandated because the stakes are too high and the damaging blow it could land to the citizens of this country and our economy is far too great to overlook any longer," said Chris Petersen, CTO of log management firm LogRhythm.
In a survey of 241 attendees at the recent Black Hat USA conference in Las Vegas, security vendor nCircle found that 60 percent said government regulation would not improve information security for critical infrastructure. While not a large sample size, the survey indicates that there are those who are skeptical that federal legislation will provide the means to bolster IT infrastructure security.
"It's not surprising that IT security professionals think government regulation won't improve critical infrastructure security as Congress doesn't seem to have the technical expertise to craft laws that address critical infrastructure security," said Lamar Bailey, director of security research and development for nCircle.
Legislation, however, can provide a baseline of security for the nation's utilities, said Dave Madden, who specializes in smart-grid security for data protection firm SafeNet.
"I think it is helpful to look to other industries that have had security regulations implemented to see what benefits have resulted for both the organization and consumer," he said. "For example, when you look back to PCI-DSS ... the regulations were designed to protect high-valued data and provided organizations with a clear step-by-step process for what they needed to implement in order to achieve compliance. Given the increase of hacktivists and the rash of sophisticated breaches, many organizations are now going beyond PCI compliance to avoid public and costly breaches, some of which were in the news recently."
"As such, it's reasonable to expect that utilities are looking more closely at what kind of security is the right fit for smart-grid technologies, given the increasing concerns that they, too, may be a target for hacktivists or worse, cyber-warfare," he said.
Among other things, the Cybersecurity Act touches on the issue of sharing information between the public and private sector, which businesses have often complained has been a one-way street. In addition, privacy advocates were concerned that the legislation could endanger the privacy of consumers.
"It's important that any cyber-security legislation afford protection to the private sector for disclosure of escalation of threats and exposure of incidences to the federal government," said Brian Ahern, CEO of Industrial Defender. "Without these protections in place, private-sector companies will be less inclined to share the information and risk potential negative exposure to the public and government. In order to ensure open communication from the private sector, it is essential to provide privacy protection for the disclosing entity as well as the cyber-security data being disclosed."