New and not-so-new security twists in the Cybersecurity Act of 2012

Our representatives in the federal government have been working hard for years trying to pass cybersecurity legislation. Year after year, there’s a new government proposal that would mandate how private-sector businesses lock down their environments.


Kevin Beaver

These efforts ranged from the Protecting Cyberspace as a National Asset Act of 2010 to the Cybersecurity and Internet Freedom Act of 2011. The latest incarnation is simply called the Cybersecurity Act of 2012.

Released in February, the Cybersecurity Act of 2012 is 205 pages worth of old and new rules that essentially put the Department of Homeland Security in charge of overseeing information security at private-sector businesses deemed part of the “covered critical infrastructure.” According to the proposed cybersecurity legislation, a system or asset would be designated as covered critical infrastructure:

“if damage or unauthorized access to that system or asset could reasonably result in the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause a mass casualty event that includes an extraordinary number of fatalities; or mass evacuations with a prolonged absence; catastrophic economic damage to the United States including failure or substantial disruption of a United States financial market; incapacitation or sustained disruption of a transportation system; or other systemic, long-term damage to the United States economy; or severe degradation of national security or national security capabilities, including intelligence and defense functions.”

Sounds serious. Right along the lines of all the other fear, uncertainty and doubt that is continually pushed upon us.

Many of its backers want to push passage of the Cybersecurity Act of 2012 so we can avert a “cyber 9/11.” Vendors are all for getting it passed as well, maybe because they stand to gain as much from such government control as the politicians themselves. Sadly enough, rushing such cybersecurity legislation through will undoubtedly result in representatives not fully understanding what they’re voting for. This is especially true for the politicians who haven’t a clue about IT and what it takes to manage information risk.

Until now, proposed versions of cybersecurity legislation gave the president “kill switch” power over the Internet. That has been removed in the Cybersecurity Act of 2012. There are provisions for growing the cybersecurity workforce and for national cybersecurity education and awareness. There’s FISMA reform in the bill as well. Interestingly, there are provisions for threat information sharing between the government and the private sector. You may be familiar with InfraGard; that has been its mission for nearly two decades. It’s a perfect example of the government not using what it already has in place to accomplish its goals.

Looking at the big picture, I think we have enough information security and privacy regulations. All organizations -- private businesses and federal government agencies -- could stand to enhance their existing information security programs. Why layer yet another set of bureaucracy on top?

IT leaders at the businesses this legislation targets understand what’s truly at risk. Sure, I’ve ranted for years that certain executives have their heads in the sand over security. But the knowledge is there. So is the assumed fiduciary responsibility. We don’t need more government regulation.

I suspect that cybersecurity legislation won’t pass in an election year. But at some point, it’ll work its way through. Then, in another eight or 10 years a new set of politicians will come out and proclaim that we need better information security and privacy. The cycle never ceases.

Changes are happening day to day on the Cybersecurity Act of 2012, including a supposed alternative being introduced by Sen. John McCain (R-Ariz.). Stay tuned.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.

This was first published in February 2012
