A bipartisan bill that would have created voluntary cybersecurity standards for companies operating critical U.S. infrastructure, such as power grids and chemical plants, was blocked once again this past Tuesday. The revised bill failed on a procedural vote of 51-47, short of the 60 votes needed to end debate and advance it. This is the second time the Cybersecurity Act of 2012 has been thwarted; the original bill was rejected in early August by a vote of 52-46, amid concerns about increased government regulation of private businesses.
Who would the bill apply to? Systems or assets would be designated as ‘critical infrastructure’ if damage or unauthorized access could lead to:
- The interruption of life-sustaining services that could lead to an extraordinary number of fatalities or mass evacuations.
- Catastrophic economic damage to the U.S., including failure or disruption of the U.S. financial market, transportation system, or other systemic, long-term damage to the economy.
- Severe degradation of national security or national security capabilities, including intelligence and defense functions.
The bill's language is arguably vague, leaving ample leeway over which companies could be designated critical infrastructure and therefore be subject to its terms and to penalties for noncompliance, which may have hurt its chances of passing in the Senate. However, the overall sentiment that our critical infrastructure should be held to some kind of security standard, if not the highest, is not out of bounds. If our medical records must be protected under a federal, national standard (HIPAA compliance), why can't we protect our power grids? And why shouldn't there be penalties for noncompliance, if noncompliance could result in mass economic destruction or fatalities?
The U.S. Chamber of Commerce's National Security & Emergency Preparedness Department opposed the bill, arguing that minimum cybersecurity standards should be developed by industry rather than government and should vary across sectors, according to Vice President Ann Beauchesne, as reported by Bloomberg.com. However, the bill already provides for sector-specific cybersecurity requirements (see the bullets below), which undercuts that argument.
Similar to best practices for HIPAA compliance, the bill requires owners to "submit a third-party assessment…on an annual basis," with penalties if they fail to do so. The OCR recently released audit guidelines for covered entities and business associates (third parties), based on an initial pilot audit program intended to uncover security issues and raise the general operating standards of private and public healthcare organizations alike. HIPAA extends to third parties because they are another link in the 'chain of trust' and can play a significant role in the security of patient data.
The same would hold true for ‘covered critical infrastructures,’ as noted by the cybersecurity bill. So what would the bill actually require of covered critical infrastructure business owners?
- Owners will be regularly informed of cyber risk assessments, identified cybersecurity threats, and risk-based security performance requirements (which vary by sector).
- Owners will select and implement cybersecurity measures as they see fit to best fulfill the risk-based cybersecurity requirements established by the government (similar to HIPAA's addressable implementation specifications).
- Owners will develop or update continuity-of-operations and incident response plans (a good time to read up on IT disaster recovery, cloud-based disaster recovery and offsite backup options).
- Owners will report significant cyber incidents affecting covered critical infrastructure (similar to how the HIPAA Breach Notification Rule requires covered entities to report breaches affecting 500 or more individuals).
This is a fairly standard set of responsibilities for owners. Reporting significant cyber incidents is key to preventing bigger and more destructive attacks in the future, since investigation and ongoing monitoring give the greatest possible transparency into intrusions. Gathering intelligence on these attacks also lets investigators build profiles of the groups or individuals behind them, which might raise privacy concerns but could also prevent a catastrophic attack on our critical network systems.
According to Bloomberg.com, the current administration may have to issue an executive order to implement parts of the bill rather than the whole, considering it has already failed twice in the Senate.
Cybersecurity Act of 2012 (Full Text of Bill, PDF)
Cybersecurity Bill Fails to Advance in Senate
Cybersecurity Bill Killed, Paving Way for Executive Order
Hacker Attack Warnings Don’t Budge Opposing Sides on Cyber Bill