A comprehensive cyber security bill was introduced in the Senate yesterday that would require the Department of Homeland Security (DHS) to assess risks and vulnerabilities to the nation’s critical infrastructure and to work with the owners and operators of designated critical infrastructure to develop risk-based performance requirements.

Senate Majority Leader Harry Reid (D-Nev.) said that he will move quickly to bring the Cyber Security Act of 2012 to the floor.

“This bi-partisan legislation will protect our country from cyber attacks that could cripple anything from our military defense to critical infrastructure such as power grids and emergency response systems,” Reid said in a statement. “Our enemies, whether they are terrorist organizations or hostile states, will not hesitate to harm our nation while hiding behind the anonymity of a screen name.”

To help move the bill forward, it neither contains emergency authorities for the president nor calls for a special White House cyber security office. However, it would require a Senate-confirmed cyber security director at DHS.

“Some of our colleagues have urged us to focus narrowly on the Federal Information Security Management Act, as well as on federal research and development and improved information sharing,” Sen. Susan Collins (R-Maine), one of four original co-sponsors of the bill, said on the Senate floor as part of the bill’s introduction. “We do need to address these issues, and our bill does. However, with 85 percent of our nation’s critical infrastructure owned by the private sector, government also has a critical role in ensuring that the most vital parts of our infrastructure–those whose disruption could result in truly catastrophic consequences, such as mass casualties and mass evacuations–meet reasonable, risk-based performance standards.”

The bill allows owners and operators who think their critical infrastructure has been wrongly designated to appeal. Any infrastructure that is deemed secure would not be required to meet new performance requirements.

Owners of designated infrastructure could determine how best to meet the performance requirements and then self-verify, or rely on a third party to verify, that they were meeting them.

The bill also requires information sharing between and among the private sector and federal government on threats, incidents, best practices and fixes while also maintaining civil liberties and privacy.

The legislation was crafted after three years of hearings by different Senate committees and with input from a variety of stakeholders from companies and trade associations representing different industries and service sectors.

Other co-sponsors of the bill include Joseph Lieberman (I/D-Conn.), chairman of the Homeland Security and Governmental Affairs Committee, Jay Rockefeller (D-W. Va.), chairman of the Commerce Committee, and Dianne Feinstein (D-Calif.), chairman of the Select Intelligence Committee.

Separate, and piecemeal, cyber legislation is moving forward in the House.