Our representatives in the federal government have been working hard for years trying to pass cybersecurity legislation. Year after year, there’s a new government proposal that would mandate how private-sector businesses lock down their environments.
These efforts ranged from the Protecting Cyberspace as a National Asset Act of 2010 to the Cybersecurity and Internet Freedom Act of 2011. The latest incarnation is simply called the Cybersecurity Act of 2012.
Released in February, the Cybersecurity Act of 2012 is 205 pages worth of old and new rules that essentially put the Department of Homeland Security in charge of overseeing information security at private-sector businesses deemed part of the “covered critical infrastructure.” According to the proposed cybersecurity legislation, a system or asset would be designed as covered critical infrastructure:
“if damage or unauthorized access to that system or asset could reasonably result in the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause a mass casualty event that includes an extraordinary number of fatalities; or mass evacuations with a prolonged absence; catastrophic economic damage to the United States including failure or substantial disruption of a United States financial market; incapacitation or sustained disruption of a transportation system; or other systemic, long-term damage to the United States economy; or severe degradation of national security or national security capabilities, including intelligence and defense functions.”
Sounds serious. Right along the lines of all the other fear, uncertainty and doubt we have continually pushed upon us.
More on cybersecurity legislation
Many of its backers want to push passage of the Cybersecurity Act of 2012 so we can avert a “cyber 9/11.” Vendors are all for getting it passed as well, maybe because they stand to gain as much from such government control as the politicians themselves. Sadly enough, rushing such cybersecurity legislation through will undoubtedly result in representatives not fully understanding what they’re voting for. This is especially true for the politicians who haven’t a clue about IT and what it takes to manage information risk.
Until now, proposed versions of cybersecurity legislation gave the president “kill switch” power over the Internet. That has been removed in the Cybersecurity Act of 2012. There are provisions for growing the cybersecurity workforce and national cybersecurity education and awareness. There’s FISMA reform in the bill as well. Interestingly, there are provisions for threat information sharing between the government and the private sector. You may be familiar with InfraGard? That’s been its mission for nearly two decades. It’s a perfect example of the government not using what it already has in place to accomplish its goals.
Looking at the big picture, I think we have enough information security and privacy regulations.
Looking at the big picture, I think we have enough information security and privacy regulations. All organizations -- private businesses and federal government agencies -- could stand to enhance their existing information security programs. Why layer yet another set of bureaucracy on top?
IT leaders at the businesses this legislation targets understand what’s truly at risk. Sure, I’ve ranted for years that certain executives have their heads in the sand over security. But the knowledge is there. So is the assumed fiduciary responsibility. We don’t need more government regulation.
I suspect that cybersecurity legislation won’t pass in an election year. But at some point, it’ll work its way through. Then, in another eight or 10 years a new set of politicians will come out and proclaim that we need better information security and privacy. The cycle never ceases.
Changes are happening day to day on the Cybersecurity Act of 2012, including a supposed alternative being introduced by Sen. John McCain (R-Ariz.). Stay tuned.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheelsinformation security audiobooks and blog.