New cybersecurity legislation introduced in the Senate this month could pressure federal agencies to convert the bill's “voluntary” cybersecurity practices into mandatory regulations for critical infrastructure owners and operators.

Senator Joe Lieberman (I-Conn.) introduced S. 3414, the “Cybersecurity Act,” on July 19, calling the proposal an updated version of a bill by the same name that he had introduced earlier this year. Lieberman said that parts of the new bill are intended to address concerns that the critical infrastructure community had raised about mandatory federal cybersecurity standards that were included in the previous legislation. This new version, Lieberman said, uses “carrots instead of sticks” to encourage improvements to the cyber defenses of critical infrastructure assets.

Under S. 3414 a new National Cybersecurity Council (NCC), together with state, local, and industry stakeholders, would identify cybersecurity risks to various critical infrastructure sectors. Based on these vulnerabilities, the NCC would work with stakeholders to develop “voluntary cybersecurity practices” that could remediate or mitigate known cyber risks. Critical infrastructure owners and operators could then opt to voluntarily comply with the standards (subject to review and certification by the NCC) and in return receive benefits such as civil liability protection in the event of a cyber attack, extended security clearances, and access to prioritized technical assistance.

But despite these opportunities for voluntary compliance with the NCC standards, S. 3414 also appears to clear a path for the standards to be imposed on critical infrastructure assets through regulatory mandates. Section 103(g) of the bill specifies that federal agencies holding regulatory authority over critical infrastructure “may adopt these cybersecurity practices as mandatory requirements.” An agency that does not do so must, within one year, report to Congress on why it did not impose the standards through regulation and explain whether the critical infrastructure assets under its authority are adequately mitigating cyber risks on their own. This reporting requirement in particular appears to strongly encourage federal agencies to make the “voluntary” NCC standards mandatory through their own regulatory regimes.

The legislation is also unclear as to whether a critical infrastructure asset like a water utility would receive the civil liability protection and technical assistance benefits if it complied with the NCC standards pursuant to a regulation, or if the utility would still have to apply for and receive a separate certification through the NCC.

Senator Lieberman is pushing hard for the Senate to take up the bill before breaking for a month-long recess on August 3, but it was not immediately clear whether the new measure would reach the 60-vote threshold that would allow it to advance through the chamber.