The federal government, led by President Barack Obama, is concerned that cybersecurity has become a real threat to our national security. As a result, a piece of legislation called the Cybersecurity Act of 2012 (CSA) has been drafted and is making its way through Congress to address those concerns.
Though it has much broader support than earlier attempts at cybersecurity legislation, like CISPA, a bill of this kind still attracts what has become a predictable abundance of misinformation and sensationalism regarding its scope and the authority it gives the federal government. More specifically, there is harsh criticism that the bill is inherently “anti-business” and a threat to free enterprise.
After reading the 205-page updated version of the Cybersecurity Act of 2012, I wanted to dispel some of the myths and misconceptions surrounding this bill, which seems to be getting ever closer to becoming law.
What CSA attempts to do:
Risk Assessment – The first step to addressing cybersecurity concerns is an assessment of risks. For all intents and purposes, the meat and potatoes of CSA is just this: a risk assessment. What the federal government is really concerned about is protecting what the bill refers to as “covered critical infrastructure”, a designation made by the Secretary of Homeland Security according to a set of criteria within the bill (see below). The entire goal of this first part of the bill is to identify infrastructure, in both public and private enterprises, that is vulnerable to cyber attacks which could become a threat to national security. The first few sections of the bill outline the guidelines for finding, labeling, and prioritizing such risks.
Performance Standards – Only once a risk assessment has been done can the appropriate security performance standards be developed for the various levels and categories of risk. The current bill actually does very little to set any tangible requirements, and leaves the responsibility of coming up with the specific standards to the Secretary of Homeland Security. Also, the standards are based on the performance of security measures (not on a prescribed methodology), so as to encourage security innovation. The only part of the bill that outlines the actual application of the requirements is the yearly performance evaluation (to be done by a third party) of an entity designated as covered critical infrastructure for compliance.
Compliance, too, is not mandatory. Early versions of the bill included such language, but as it stands, compliance will be voluntary. Instead, incentives have been set up for compliance, like access to cybersecurity intelligence as well as liability protections against punitive damages for security breaches.
Improved Cybersecurity Intelligence – Another major section of CSA was developed to improve the gathering and sharing of intelligence on “cybersecurity threat indicators”: a voluntary program established to create a network for sharing such information among the participating federal agencies as well as private corporations. It is this part of the bill, however, that has been under fire for privacy protection issues, as the definition of “threat indicators” was too vague and earlier versions didn’t do enough to protect people’s privacy and First Amendment rights.
Internal Restructuring & Prioritizing – The rest of the law contains a number of additional internal measures intended to improve government cybersecurity, establish it as a priority, and clarify the roles of a number of federal regulatory and law enforcement agencies.
Who will be affected by CSA?
Because this bill is specifically designed to regulate corporate as well as government-run infrastructure, it has been criticized for being “anti-business”. And while the libertarian argument that regulation can detract from free markets is certainly valid, suggesting that businesses of all kinds will be affected negatively by this bill is a bit of an exaggeration.
The truth is, small businesses (and the majority of large ones) don’t really carry a security risk that could be considered a threat to national security. The designation as “covered critical infrastructure” is actually quite specific in the bill:
Part (b) of section (103) Designation of Covered Infrastructure:
(C) only designate a system or asset as covered critical infrastructure if damage or unauthorized access to that system or asset could reasonably result in:
    (i) the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause:
        (I) a mass casualty event that includes an extraordinary number of fatalities; or
        (II) mass evacuations with a prolonged absence;
    (ii) catastrophic economic damage to the United States including:
        (I) failure or substantial disruption of a United States financial market;
        (II) incapacitation or sustained disruption of a transportation system; or,
        (III) other systemic, long-term damage to the United States economy;
    (iii) severe degradation of national security or national security capabilities, including intelligence and defense functions;
The bill continues with additional limitations, including one covering any:
    commercial information technology product, including hardware and software
CSA is intended to create minimum performance standards for the infrastructure and industries that pose the greatest risk of being targets of cyber-terrorism (cyber attacks that are likely to cause widespread damage). This means utility industries like gas, electric, and water supply, as well as the transportation and emergency services sectors, could be among the most scrutinized. It could also mean the banking & financial services and communications industries. Technically, any industry and any company could be fair game, and that might scare some people, but it is those that pose a real risk to national security (if breached) that this bill intends to regulate.
Criticisms and revisions of the Cybersecurity Act of 2012
Mandatory statute – The initial bill that was proposed included language that made compliance with set standards mandatory. Such measures did not receive bipartisan support and were amended. The revised version instead gives incentives for compliance including liability protections as well as access to cybersecurity information sharing. Still, even with optional compliance, the bill has strong opposition from the business sector.
Moral hazards – Some argue that incentives for minimum security standards, particularly the liability protections, create a moral hazard. Companies might only seek to meet the absolute minimum standards in order to mitigate cybersecurity risks, essentially eliminating the natural incentives to manage risks beyond that. In effect, this could both weaken security (instead of strengthening it) and limit the ability of individual victims to seek damages in the case of a breach.
Too broad – Whenever a bill is vague or too broad, the worry isn’t what the bill is intended for, but what it could be used for. In this case, a bill that doesn’t come with a clear scope of impact and contains some rather vague definitions (especially in its earlier versions) could be interpreted much more broadly than it was originally intended. Later revisions of the bill have, however, met some of these concerns head on.
Privacy – Part of the bill includes a section (701) dedicated to improved information sharing of what are called “cybersecurity threat indicators” among the various agencies as well as private companies (a voluntary program). Many argued that the broad definition of “threat indicators”, as well as the lack of privacy and other First Amendment protections, made the bill unconstitutional. Since then, there have been improvements to the language and privacy protections that drew praise from the ACLU. Still, some aren’t satisfied, like Senator Al Franken, who is pushing for further amendments to the language of this section of the bill.
Stifle innovation – As with most regulations, a concern about security standards is that they could serve to stifle innovation in advancing security in the future. Although the standards aren’t meant to regulate specific methodology (that is still up to the administrator of the system in question), there’s little incentive to go beyond those standards, thus potentially slowing innovation.