MYTH vs. REALITY
The Revised Cybersecurity Act of 2012, S. 3414

The Cybersecurity Act of 2012, S. 3414, has not been the subject of a legislative hearing and has skipped regular order. HSGAC has not marked it up, and the Majority Leader used Rule 14 to bypass committee action and proceed directly to the floor with this legislation. The American people deserve the opportunity to learn what is in this bill, how much it will cost, and what this highly technical, 211-page bill that uses the word "shall" 295 times means for personal and economic freedom.

Title I: Critical Cyber Infrastructure

MYTH: "This bill creates a public-private partnership with private sector developed voluntary standards." (S. 3414 Summary)
"This Council would conduct risk assessments to determine which sectors are subject to the greatest and most immediate cyber risk and would identify particular categories of critical infrastructure as critical cyber infrastructure." (S. 3414 Summary)

REALITY: Congress should not authorize open-ended, undefined regulatory schemes. Dodd-Frank, Cap & Trade, and Internet regulations like network neutrality were all regulatory bills with a defined universe of impacted industries. This revised bill is even worse because it has two core, unprecedented components: it allows the DHS-led, government-only National Council (including Federal regulators) to (1) define the scope of who they want to regulate; and (2) develop whatever regulations it wants in the name of cybersecurity. This limitless, unbridled government authority will be handed over to every federal agency connected to the Internet.

MYTH: "... this revised legislation would establish a robust public private partnership." (S. 3414 Summary)
"Industry would develop voluntary cybersecurity practices and a multi-agency Government council would ensure these practices are adequate to secure systems from attacks." (S. 3414 Summary)

REALITY: Under the bill, the government, not the private sector, adopts and promulgates all standards, and sector coordinating councils (private sector) must comply with them. In Sec. 103(a), sector coordinating councils (private sector) shall propose "voluntary" outcome-based cybersecurity practices, which are then submitted to the DHS-led, government-only National Council. The government then decides whether and how to amend or add to those "voluntary" cybersecurity practices (Sec. 103(b)(1)(D)). Under this bill, the private sector cannot object; there is no due process available or any means to stop the government from deciding to completely change these "voluntary" standards. In short, what began in one subsection as "voluntary" proposed standards will likely become government developed and approved standards, with no recourse for the private sector. Nothing in this bill ensures that any consideration will be given to the specific needs and economic interests of small businesses.

MYTH: "This Council (government) would conduct risk assessments to determine which sectors are subject to the greatest and most immediate cyber risk and would identify particular categories of critical infrastructure as critical cyber infrastructure." (S. 3414 Summary)

REALITY: The Political and Chinese Carve-out. For political, not national security, reasons, the bill carves out technology products, including those manufactured in countries like China. Under Section 102(b)(5), the DHS-led, government-only National Council may not identify these products as critical cyber infrastructure. Having the Council single out certain critical infrastructure in the first place is bad policy, but the flawed process and exemptions for politically selected products, including from countries like China, is exactly the opposite of common sense cybersecurity.

MYTH: "The bill creates no new regulators, and provides no new authority for an agency to establish standards that are not otherwise authorized by law." (S. 3414 Summary)

REALITY: If these standards are "voluntary," then federal taxes are optional. Given that the standards will be what the government wants (Sec. 103(b)(1)(D)), there are big regulatory consequences from sector-specific regulators like SEC, FCC, DoE and DHS. Section 103(g)(1)(A) is clear: "A Federal agency with responsibilities for regulating the security of critical infrastructure may adopt the cybersecurity practices as mandatory requirements." So what began, and is being sold, as "voluntary" proposals will soon become mandatory requirements. As our economy falters and regulations strangle American businesses, now is no time to give regulatory agencies even more unbridled authority. But the bill does not stop there.

Section 103(g)(B) mandates a report to Congress if a Federal agency with responsibilities for regulating the security of critical infrastructure has NOT adopted the cybersecurity practices as mandatory requirements. That's right: if the "voluntary" proposals are NOT mandated by regulatory agencies, the regulatory agency must explain why. This is an explicit presumption in favor of regulation.

Section 105 drives this point home: "Nothing in this title shall be construed to limit the ability of a Federal agency with responsibilities for regulating the security of critical infrastructure from requiring that the cybersecurity practices developed under section 103 be met."

Title VII: Information Sharing

MYTH: "Improve Information Sharing While Protecting Privacy and Civil Liberties." (S. 3414 Summary)
"While it promotes the sharing of cyber threat information, this legislation also ensures that privacies and civil liberties are protected." (S. 3414 Summary)

REALITY: The information sharing provisions in the revised bill are a big step back. In order to appease certain privacy groups and their inaccurate perceptions about defense agencies, the revised bill eliminates DoD's existing ability to get cyber threat information immediately and directly from the private sector (Sec. 703(a)(1)). Requiring that NSA and other DoD agencies get such information from DHS-selected exchanges "in as close to real time as possible" (Sec. 703(a)(2)) means only that our response to real-time cyber threats, including those from China, Russia and Iran, will be seriously delayed.

MYTH: "Both the private sector and the government have information about cyber threats that help protect networks." (S. 3414 Summary)

REALITY: As we learned from 9/11, information about national security threats must be shared fully and timely within the government so that the right people have access to the right information. Yet the revised bill rebuilds the pre-9/11 walls by limiting the government's use of cyber threat information to only investigating cyber crimes, or cases of imminent threats of death or child safety (Sec. 704(g)). This means that, unless information is related to one of those cases, the government cannot ever use cyber threat information it gets from the private sector to prevent terrorist acts or catch spies.

Sec. 104(c)(4) allows the government to use real-time sharing of classified cyber threat information as an incentive for a private entity to be certified under Title I, directly undermining the attempted improvements to information sharing in Title VII. Non-certified entities have a significant need to know the nature of the threats so that they will take action, but under this punitive measure, these companies will be in line for information behind all certified owners.

MYTH: "It [the bill, S. 3414] would also provide a framework for private sector companies to share information about cyber threats with each other and with the federal government and provide certain liability protection for companies that do so." (S. 3414 Summary)

REALITY: The framework for sharing information under this bill is more government bureaucracy. The DHS Secretary is given unchecked authority to designate Federal and non-Federal entities as "cyber exchanges" (Sec. 703(a)). Non-Federal entities have no ability to challenge a designation, or to receive liability protection for serving in this role. Right now, six cybersecurity centers exist that can and do serve as information sharing partners with the private sector, but this bill opts instead for more bureaucracy, which adds layers between the information and those who are most able to keep Americans safe, at the sole discretion of one department, DHS.

MYTH: "The information sharing procedures are designed to ensure that privacy and civil liberties are protected when information is shared under this bill." (S. 3414 Summary)
"This bill would authorize the government to provide security clearances to companies with a need to receive classified information to protect their networks." (S. 3414 Summary)

REALITY: If ensuring that privacy and civil liberties are protected means providing more job security for trial lawyers, then the revised bill is right on target. From providing a broad cause of action against the Federal government (Sec. 704(g)(7)), to putting the onus on one private entity to know if another is unreliable (Sec. 702(c)), to complicated and multi-tiered liability provisions (Sec. 706), this bill will ensure that information sharing activities will be a constant source of litigation. If this is the incentive for the private sector to share with the government and with each other, we should not be surprised if company lawyers advise their clients that it's just not worth the risk.

Unfortunately, because of the lack of strong liability protection and the probability of putting a company at legal liability risk, companies will be less likely to share the information they have, which makes Americans less safe. Remember, the private sector plays a critical role because it owns 80 to 90 percent of America's cyber infrastructure.

Congress should encourage the sharing of classified information, but tying security clearances, which should be based on need-to-know and eligibility, to compliance with a government certification process (Sec. 104(c)(2)) is bad policy.