With increasing concern over cyberattacks against critical infrastructure within the United States, the House and Senate both introduced bills earlier this year that were intended to help strengthen security. They would help facilitate the reporting of cyberattacks between private companies and the government, but were met with backlash as some thought this could lead to violations of anti-trust laws by the government, among other concerns.
The Cyber-Intelligence Sharing and Protection Act (CISPA) passed in the House and awaits a Senate vote. More recently, the Senate introduced Cybersecurity Act of 2012 (CSA2012), which has undergone changes since its first introduction that raised privacy concerns among Republicans.
The Huffington Post reports that five senators re-introduced CSA2012, omitting security requirements and subsequent penalties for companies maintaining critical infrastructure. It states Republicans had initially quipped that the government should not require companies to institute what could be costly security upgrades. Going forward, the bill makes government reviews of companies’ security measures and meeting standards voluntary. It is expected to be heard on the Senate floor later this week.
Not everyone is happy with this change though. Some say it doesn’t do enough to protect infrastructure. The Huffington Post has more:
The new bill “basically depends on the industry to make a good faith effort to improve security, and up until now they haven’t done anything,” said Joe Weiss, a security expert on critical infrastructure. “The question is, ‘Why would you expect all of a sudden for that to change?'”
James Lewis, a senior fellow at the Center for Strategic and International Studies, said, “The problem is the bill doesn’t give the government any new capabilities. You don’t need this bill. Nothing really changes.”
Still, there are those who see the revised bill as increasing its privacy protections adequately. Ginny Sloan, president of The Constitution Project, wrote in an op-ed for the Huffington Post that with the updates, it “may actually be able to carry out the promise of providing meaningful privacy and civil liberties safeguards.”
The changes made to allow for this, Sloan writes, are tighter restrictions on the government’s use of the information obtained from companies. For example, Sloan points out that any data given for cybersecurity reasons cannot be used for national security or criminal prosecutions. She also says the information to be shared with the government for security has been further limited. She praises the new bill for including that the flow of information from private company to the government will be through civilian companies, not the NSA or other government agencies.
At this point, Sloan says the current version of the Cybersecurity Act of 2012 is “far superior” to the House version CISPA. Read more details in Sloan’s full post here.
Others, like Paul Rosenzweig, a visiting fellow at the Heritage Foundation, have acknowledged improvements made but still find it having “grave problems that are likely to chill innovation without improving cybersecurity.” It is the “incentives” that would be given to those voluntarily providing the government with its information that Rosenzweig takes issue with:
Those incentives include liability protection, priority assistance for cyber threats, and access to classified information about threats.
There are several problems with this new approach. First, the government should not be in the position of denying its threat information to critical infrastructure owners who choose not to adopt the voluntary standards, likely for justifiable business reasons. If the infrastructure in question is truly “critical,” it is in America’s collective interest to protect it as much as possible.
Rosenzweig goes on to say liability protection offered as an incentive is too weak. He also cautions about just how voluntary meeting these standards would be:
Under section 103(g) of the bill, federal regulatory agencies are free to make the voluntary regulations mandatory in the sectors they regulate, and they are required to report to Congress if they choose not to do so—which is a strong incentive to adopt the “voluntary” rules.
Read more of Rosenzweig’s perspective on the revised bill here.
PhysOrg reports Michelle Richardson with the ACLU saying that though the changes are improvements — the organization previously criticized this bill as well as CISPA — it should be watched carefully for any updates that could occur when it meets the the Senate floor.
“We will be carefully watching how this unfolds on the floor and will be calling on you to fight anti-privacy amendments and support ones that we expect will further limit the government’s authority,” she said, according to PhysOrg.