[Infowarrior] - Senate introduces revised version of the Cybersecurity Act of 2012

Richard Forno rforno at infowarrior.org
Fri Jul 20 06:55:50 CDT 2012


I have to ask about the "inventory of critical assets" cited -- 11 years after 9/11, almost 15 since PCCIP, and how many billions spent, why don't companies or the government have such a listing already? Or security 'standards'? One wonders if this is another case of reinventing the wheel in an effort to demonstrate activity and 'progress' in 'addressing' this general issue. *shrug* -- rick


Senate introduces revised version of the Cybersecurity Act of 2012

The measure features more toned-down language than its original draft did.

by Megan Geuss - July 19 2012, 10:05pm EDT

http://arstechnica.com/tech-policy/2012/07/senate-introduces-revised-version-of-the-cybersecurity-act-of-2012/

Five senators, including Senator Joe Lieberman, introduced a modified version of the Cybersecurity Act of 2012 (PDF) today, hoping to revitalize lagging support for the bill, especially among Republicans. The act, which was first introduced in February of 2012, calls for the creation of a council chaired by the Secretary of Homeland Security, and aims to promote the hardening of infrastructure critical to the US (and it's not to be confused with SOPA, CISPA, PIPA, or ACTA; each of which made a claim to "enhancing cybersecurity" in its own way).

The revised version of the act makes the originally mandatory, government-dictated security standards optional, but still establishes a "National Cybersecurity Council" to "coordinate with owners and operators of critical infrastructure." If the measure is enacted, the Council would take an inventory of high-risk infrastructure, and would ask the owners of that infrastructure to come up with voluntary measures that could mitigate risks.

"A federal agency with responsibilities for regulating a critical infrastructure sector may adopt the practices as mandatory," a summary of the bill (PDF) noted.

The measure goes on to imply that enforcement will be loose: "Owners of critical infrastructure may apply for certification in the program by self-certifying to the Council that the owner is satisfying the cybersecurity practices developed under section 103 or submitting to the Council a third party assessment verifying that the owner is satisfying the cybersecurity practices."

But owners of critical infrastructure that self-certify with the council will be granted benefits for their participation, including liability protection if the infrastructure sustains damage while the voluntary risk-management measures were in place, expedited security clearance to employees, priority assistance on "cyber issues," and warnings on relevant threat information that other companies may report.

The new language also includes a number of rules that have been applauded by the ACLU, including prohibiting the Federal government "from compelling the disclosure of information from a private entity relating to an incident unless otherwise authorized by law and from intercepting a wire, oral, or electronic communication relating to an incident unless otherwise authorized by law." The authors of the Cybersecurity Act went out of their way in the original document to avoid new regulation over individuals and networks, some say to stay away from the backlash created by SOPA and CISPA, so the additions seem like a bid to find support among privacy experts.

---
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.
