On February 14, 2012, a joint U.S. congressional committee, including Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), Jay Rockefeller (D-WV) and Dianne Feinstein (D-CA), introduced the Cybersecurity Act of 2012 (the “Act”). Although the legislation appears to have strong bipartisan support, during a February 15 hearing before the Homeland Security and Governmental Affairs Committee, Senator John McCain (R-AZ) indicated that he and six Republican colleagues would propose their own cybersecurity legislation in March.
Under the Act, the Department of Homeland Security (“DHS”) would have significant responsibility for crafting and enforcing a new cybersecurity program that has the potential to impact a broad and diverse group of the nation’s industrial sectors including energy, chemical, transportation, telecommunication and financial services. As with the 2007 legislation that authorized DHS to develop regulations addressing the security of the nation’s chemical facilities, the impact of this legislation is difficult to predict until the regulations are promulgated and implemented.
The Act has several key components. Most significantly, it would empower DHS to assess the risks and vulnerabilities to cyber attack of the nation’s critical infrastructure and to create a regulatory framework for securing these assets. In addition, it would provide a mechanism for the federal government, the intelligence community and private industry to share information through federally-run cybersecurity exchanges.
Using a phased approach to implementation, the legislation would require DHS to use its risk and vulnerability assessments of the nation’s core critical infrastructure to designate and then prioritize which industry sectors should be covered by regulations to be developed by DHS. The legislation establishes an opportunity for affected sectors to appeal designations to DHS or in federal court. The final regulations would establish sector-specific cybersecurity performance requirements for affected facilities and assets and provide liability protections for owners and operators of covered critical infrastructure that meet the security requirements.
Backers of the legislation say that it would provide sufficient flexibility for owners and operators of covered critical infrastructure to develop their own site-specific cybersecurity standards as long as those standards meet the regulatory requirements. In this regard, the legislation expressly precludes DHS from imposing the use of any particular technology or software products. However, in his February 16 testimony to the U.S. Senate Committee on Homeland Security and Governmental Affairs, former DHS Secretary Tom Ridge expressed concern—based on the recent experiences of companies subject to the DHS Chemical Facility Anti-Terrorism Standards (“CFATS”) rule—that despite the Congressional intent for flexibility, any regulatory program developed by DHS may result in prescriptive requirements and mandates for covered infrastructure.
As the legislation is written, owners and operators of covered infrastructure would, on an annual basis, have to either certify compliance with the performance requirements or submit to a third-party assessment of their compliance. DHS would have authority to seek civil penalties for non-compliance. Owners and operators of covered critical infrastructure can seek exemptions from the performance requirements for any systems or assets that they believe are sufficiently secure from identified cyber risks. In addition, the legislation precludes DHS from asserting jurisdiction over entities operating in a sector that is already adequately regulated by a separate federal authority. Notably, DHS is currently engaged in addressing what have become difficult overlapping jurisdictional issues in the implementation and development of the CFATS program.
The legislation also seeks to establish a mechanism for information sharing among government and private industry actors and remove certain legal barriers to such sharing. For example, shared information would be exempt from release under the Freedom of Information Act and sharing under the Act would not be deemed to waive privilege. The legislation also provides a complete liability defense for information sharing by the owner or operator of covered critical infrastructure if it is able to demonstrate its “good faith” belief that the sharing was authorized under the Act.
The legislation further directs DHS and other federal agencies to work with the intelligence community to ensure that real-time threat intelligence is shared with the owners of critical infrastructure. It includes a liability waiver provision to cover the reasonable failure of a private entity to act on cybersecurity information.