MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414


The Cybersecurity Act of 2012, S. 3414, has not been the subject of a legislative hearing and has skipped regular order. HSGAC has not marked it up, and the Majority Leader used Rule 14 to bypass committee action and proceed directly to the floor with this legislation. The American people deserve to have the opportunity to learn what is in this bill, how much it will cost, and what this highly technical, 211-page bill that uses the word "shall" 295 times means for personal and economic freedom.

Title I: Critical Cyber Infrastructure

MYTH: "This bill creates a public-private partnership with private sector developed voluntary standards." (S. 3414 Summary) "This Council would conduct risk assessments to determine which sectors are subject to the greatest and most immediate cyber risk and would identify particular categories of critical infrastructure as critical cyber infrastructure." (S. 3414 Summary)

REALITY: Congress should not authorize open-ended, undefined regulatory schemes. Dodd-Frank, Cap & Trade, and Internet regulations like network neutrality were all regulatory bills with a defined universe of impacted industries. This revised bill is even worse because it has two core, unprecedented components: it allows the DHS-led, government-only National Council (including Federal regulators) to (1) define the scope of who they want to regulate; and (2) develop whatever regulations it wants in the name of cybersecurity. This limitless, unbridled government authority will be handed over to every federal agency connected to the Internet.

MYTH: "...this revised legislation would establish a robust public private partnership" (S. 3414 Summary) "Industry would develop voluntary cybersecurity practices and a multi agency Government council would ensure these practices are adequate to secure systems from attacks." (S. 3414 Summary)

REALITY: Under the bill, the government, not the private sector, adopts and promulgates all standards, and sector coordinating councils (private sector) must comply with them. In Sec. 103(a), sector coordinating councils (private sector) "shall" propose voluntary outcome-based cybersecurity practices, which are then submitted to the DHS-led, government-only National Council. The government then decides whether and how to amend or add to those voluntary cybersecurity practices (Sec. 103(b)(1)(D)). Under this bill, the private sector cannot object; there is no due process available or any means to stop the government from deciding to completely change these voluntary standards. In short, what began in one subsection as voluntary proposed standards will likely become government developed and approved standards, with no recourse for the private sector. Nothing in this bill ensures that any consideration will be given to the specific needs and economic interests of small businesses.

MYTH: "This Council (government) would conduct risk assessments to determine which sectors are subject to the greatest and most immediate cyber risk and would identify particular categories of critical infrastructure as critical cyber infrastructure." (S. 3414 Summary)

REALITY: The Political and Chinese Carve-out. For political, not national security, reasons, the bill carves out technology products, including those manufactured in countries like China. Under Section 102(b)(5), the DHS-led, government-only National Council may not identify these products as critical cyber infrastructure. Having the Council single out certain critical infrastructure in the first place is bad policy, but the flawed process and exemptions for politically selected products, including from countries like China, is exactly the opposite of common sense cybersecurity.

MYTH: "The bill creates no new regulators, and provides no new authority for an agency to establish standards that are not otherwise authorized by law." (S. 3414 Summary)

REALITY: If these standards are voluntary, then federal taxes are optional. Given that the standards will be what the government wants (Sec. 103(b)(1)(D)), there are big regulatory consequences from sector-specific regulators like SEC, FCC, DoE and DHS. Section 103(g)(1)(A) is clear: "A Federal agency with responsibilities for regulating the security of critical infrastructure may adopt the cybersecurity practices as mandatory requirements." So what began, and is being sold, as voluntary proposals will soon become mandatory requirements. As our economy falters and regulations strangle American businesses, now is no time to give regulatory agencies even more unbridled authority. But the bill does not stop there. Section 103(g)(B) mandates a report to Congress if a Federal Agency with responsibilities for regulating the security of critical infrastructure has NOT adopted the cybersecurity practices as mandatory requirements. That's right: if the voluntary proposals are NOT mandated by regulatory agencies, the regulatory agency must explain why. This is an explicit presumption in favor of regulation. Section 105 drives this point home: "Nothing in this title shall be construed to limit the ability of a Federal agency with responsibilities for regulating the security of critical infrastructure from requiring that the cybersecurity practices developed under section 103 be met."

Title VII: Information Sharing

MYTH: "Improve Information Sharing While Protecting Privacy and Civil Liberties." (S. 3414 Summary) "While it promotes the sharing of cyber threat information, this legislation also ensures that privacies and civil liberties are protected." (S. 3414 Summary)

REALITY: The information sharing provisions in the revised bill are a big step back. In order to appease certain privacy groups and their inaccurate perceptions about defense agencies, the revised bill eliminates DoD's existing ability to get cyber threat information immediately and directly from the private sector (Sec. 703(a)(1)). Requiring that NSA and other DoD agencies get such information from DHS-selected exchanges "in as close to real time as possible" (Sec. 703(a)(2)) means only that our response to real-time cyber threats, including those from China, Russia and Iran, will be seriously delayed.

MYTH: "Both the private sector and the government have information about cyber threats that help protect networks." (S. 3414 Summary)

REALITY: As we learned from 9/11, information about national security threats must be shared fully and timely within the government so that the right people have access to the right information. Yet the revised bill rebuilds the pre-9/11 walls by limiting the government's use of cyber threat information to only investigating cyber crimes, or cases of imminent threats of death or child safety (Sec. 704(g)). This means that, unless information is related to one of those cases, the government cannot ever use cyber threat information it gets from the private sector to prevent terrorist acts or catch spies. Sec. 104(c)(4) allows the government to use real-time sharing of classified cyber threat information as an incentive for a private entity to be certified under Title I, directly undermining the attempted improvements to information sharing in Title VII. Non-certified entities have a significant need to know the nature of the threats so that they will take action, but under this punitive measure these companies will be in line for information behind all certified owners.

MYTH: "It [the bill, S. 3414] would also provide a framework for private sector companies to share information about cyber threats with each other and with the federal government and provide certain liability protection for companies that do so." (S. 3414 Summary)

REALITY: The framework for sharing information under this bill is more government bureaucracy. The DHS Secretary is given unchecked authority to designate Federal and non-Federal entities as cyber exchanges (Sec. 703(a)). Non-Federal entities have no ability to challenge a designation, or to receive liability protection for serving in this role. Right now, six cybersecurity centers exist that can and do serve as information sharing partners with the private sector, but this bill opts instead for more bureaucracy, which adds layers between the information and those who are most able to keep Americans safe, at the sole discretion of one department, DHS.

MYTH: "The information sharing procedures are designed to ensure that privacy and civil liberties are protected when information is shared under this bill." (S. 3414 Summary) "This bill would authorize the government to provide security clearances to companies with a need to receive classified information to protect their networks." (S. 3414 Summary)

REALITY: If ensuring that privacy and civil liberties are protected means providing more job security for trial lawyers, then the revised bill is right on target. From providing a broad cause of action against the Federal government (Sec. 704(g)(7)), to putting the onus on one private entity to know if another is unreliable (Sec. 702(c)), to complicated and multi-tiered liability provisions (Sec. 706), this bill will ensure that information sharing activities will be a constant source of litigation. If this is the incentive for the private sector to share with the government and with each other, we should not be surprised if company lawyers advise their clients that it's just not worth the risk. Unfortunately, because of the lack of strong liability protection and the probability of putting a company at legal liability risk, companies will be less likely to share the information they have, which makes Americans less safe. Remember, the private sector plays a critical role because they own 80 to 90 percent of America's cyber infrastructure. Congress should encourage the sharing of classified information, but tying security clearances, which should be based on need-to-know and eligibility, to compliance with a government certification process (Sec. 104(c)(2)) is bad policy.