Cyber security bill reintroduced: Much ado about nothing?

By | July 23, 2012

Posted in: Network Security Trends

The latest iteration of a federal cyber security bill removes just about every objection anyone could raise, and puts almost no requirements on the private sector to strengthen security. The bill is designed to win Republican support, but at a price that removes federal control over security in the private sector.

The bill is easy to support, and just as easy to ignore. It removes the civil liberties objections of the notorious CISPA legislation, which would have given the federal government unprecedented power to secure information about individual citizens without warrant. The Obama administration, which came out strongly in favor of passage, is keeping its fingers crossed so it can point, at long last, to the passage of federal legislation come November. But what does it mean for security?

It replaces the DHS cyber security czar with a multi-agency council to be chaired by the secretary of Homeland Security, concentrating in particular on coordinating risk assessment in critical infrastructure. This takes some of the pressure off private companies, especially those in already heavily regulated industries. These companies, opponents of previous legislation maintain, already have more than enough regulation. What they need is support, leadership and someone who will listen to them.

The bill would also allow private industry to recommend actions to mitigate risks, and it takes a carrot-rather-than-stick approach to cyber security for critical infrastructure companies. These companies could join a voluntary program, entering through either self-assessment or third-party certification, and participation could earn them liability protection, security clearances and assistance.

It would also require critical infrastructure companies to report cyber security incidents.

Finally, the bill would promote information-sharing between the private sector and the federal government, without some of the nastier threats to civil liberties in CISPA. This point removes civil liberties advocates’ objections.

So, what’s next? If history is any guide, nothing. Capitol Hill has been trying to pass cyber security legislation for years and hasn’t even been able to agree on federal data breach disclosure law to replace the 40-plus state laws. While there is little left to object to and little enough to recommend this law, I am not optimistic that it will do anything but wither and die in the few months remaining between now and November.
