
Just two weeks after their counterparts on a House subcommittee approved their critical infrastructure cybersecurity proposal, Senate Homeland Security Committee leaders released their own comprehensive cybersecurity measure.

Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), the chair and ranking member of the Senate Homeland Security and Governmental Affairs Committee, introduced S. 2105 (the “Cybersecurity Act”) in mid-February. The bill generally mirrors the framework of previous cybersecurity measures by aiming to boost computer network defenses of critical infrastructure assets that deliver “life-sustaining services, including energy, water, [and] transportation services,” among others, and whose failure due to a cyber attack could lead to mass casualties, evacuations, or other catastrophic damage. By this measure, it is likely that large drinking water systems would be in line for coverage under the bill.

Unlike some of the earlier proposals, however, the Lieberman-Collins bill includes a clearly defined role for the Information Sharing and Analysis Centers (ISACs) of each critical infrastructure sector. At various stages of the regulatory process outlined in the legislation, DHS is directed to work with appropriate sector-specific agencies, state and local governments, and ISACs before establishing cybersecurity requirements for critical infrastructure assets within a given sector.

Other provisions of S. 2105 would:

  • Require DHS to conduct sector-by-sector cybersecurity risk assessments, in consultation with appropriate ISACs and other stakeholders, to identify which sectors present the greatest and most immediate cyber risks.

  • Direct DHS, sector-specific agencies, and stakeholders to develop cybersecurity performance requirements for each sector based on the results of the risk assessments. Owners and operators of covered critical infrastructure would have to implement cybersecurity defenses of their own choosing that, in sum, meet or exceed the defined performance requirements. Owners and operators would have the option of requesting technical assistance or cybersecurity recommendations from DHS, though DHS could not mandate the use of a particular security measure.

  • Give critical infrastructure operators an opportunity to self-certify their compliance with the standards, or request third-party audits to determine their compliance. Civil penalties could apply to infrastructure owners that fail to meet the performance requirements, but those who meet the standards would be protected against lawsuits in the event of an attack.

  • Ensure that DHS works with appropriate sector-specific agencies to avoid imposing duplicative or contradictory cybersecurity mandates.

  • Create cybersecurity exchanges to “efficiently receive and distribute” cybersecurity and threat information.

In a statement marking the bill’s introduction, Sen. Lieberman said the legislation “would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us.”

Senate Majority Leader Harry Reid (D-Nev.) is aiming to bypass the traditional committee markup process and bring the bill to the Senate floor before the beginning of April, but that plan has drawn criticism from some Senate Republicans who are planning to offer their own cybersecurity proposal that would encourage compliance with voluntary standards. The complete text and a summary of the “Cybersecurity Act” are available online at http://www.hsgac.senate.gov/issues/cybersecurity.