A reworked version of a proposed and controversial federal cyber-security law is again going before the U.S. Senate, but this time, the so-called Cybersecurity Act of 2012 might have enough changes and compromises to make it more palatable for all sides.
Senate debate on the revised legislation will begin July 31, several months after an earlier version was withdrawn due to criticism of some of its language and policy related to digital privacy and personal freedoms.
"This revised legislation would establish a robust public‐private partnership to improve the cybersecurity of our nation's most critical infrastructure, which is mostly owned by the private sector," according to a summary of the bill. "Industry would develop voluntary cybersecurity practices and a multi‐agency government council would ensure these practices are adequate to secure systems from attacks."
The bill "was developed in response to what defense and intelligence leaders have called an existential threat to our country," according to the legislation. "Our critical infrastructure is increasingly vulnerable to cyber threats, and can be manipulated or attacked by faceless individuals using computers halfway around the globe. The destruction or exploitation of critical infrastructure through a cyber attack, whether a nuclear power plant, a region's water supply, or a major financial market, could cripple our economy, our national security, and the American way of life. We must act now."
Several critics of the earlier version of the legislation say they are more comfortable with the new version of the bill, though they still question whether such a law is ultimately needed.
"The bill is a step in the right direction of protecting online rights, but still has major flaws that allow for nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets)," wrote Mark Jaycox and Rainey Reitman of the Electronic Frontier Foundation privacy group in a blog post. That "overly broad" language is contained in Section 701 of the bill, they wrote, and is being addressed by an amendment that would remove this specific language.
"We remain unconvinced that a cybersecurity bill is necessary at this time, and we're committed to fighting to ensure user privacy isn't sacrificed in the rush to pass a bill," they wrote. "While the most recent version of the bill has strong privacy protections, Section 701 continues to pose a real threat to the rights of users to communicate privately."
The American Civil Liberties Union said the new version of the bill better addresses key privacy concerns that the group had with the previous version.
"Senators have unveiled significant privacy amendments" in the new legislation, wrote Michelle Richardson, legislative counsel for the ACLU in Washington, in a blog post, including that "companies who share cybersecurity information with the government give it directly to civilian agencies, and not to military agencies like the National Security Agency."
"The single most important limitation on domestic cybersecurity programs is that they are civilian-run and do not turn the military loose on Americans and the Internet," Richardson added.
The revised bill would also "restrict the government's use of information it receives under the cyber info sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats," Richardson wrote.
The bill would also "require annual reports from the Justice Department, Homeland Security, Defense and Intelligence Community Inspectors General that describe what information is received, who gets it, and what is done with it," Richardson wrote, as well as "allow individuals to sue the government if it intentionally or willfully violates the law."
In a statement, Fred Humphries, vice president of U.S. government affairs for Microsoft, called the new bill "an encouraging step in the legislative process."
"Microsoft supports Congress' efforts to advance risk management practices, strengthen protection of critical infrastructure, and enhance appropriate information sharing about cyber-threats," Humphries said. "The framework is flexible enough to permit future improvements to security, an important point since cyber-threats evolve over time. The current bill as it stands seeks to advance these priorities and we continue to work to help ensure that any legislation is optimized to meet cyber-security challenges while protecting civil liberties and privacy."
The highlights of the new bill include the following:
- It would establish the National Cybersecurity Council made up of members from the departments of Defense, Justice, Commerce, the intelligence community and other federal agencies, to conduct risk assessments to find the greatest and most immediate cyber-risks to Americans. The Council would also identify the nation's most critical infrastructure to help improve national security against attacks.
- It would improve information sharing between private sector companies and the federal government while protecting individual and civil liberties.
- It would improve the security of federal government networks by amending the Federal Information Security Management Act (FISMA) and would require the federal government to develop a comprehensive acquisition risk management strategy. The amendments to FISMA would move agencies away from a culture of compliance to a culture of security by giving the Department of Homeland Security the authority to streamline agency reporting requirements and reduce paperwork through continuous monitoring and risk assessment.
A national cyber-security bill has been in serious discussion for the last several years. In 2010, Senate Bill 3480, the Protecting Cyber Space as a National Asset Act, failed to be taken up by the full Senate, according to the Homeland Security and Governmental Affairs Committee. Then in February 2011, Senate Bill 413, the Cybersecurity and Internet Freedom Act, was introduced. It was later merged with similar legislation from other congressional committees, resulting in the Cybersecurity Act of 2012, Senate Bill 2105, the original version of which was introduced this past February.