Now That the Cyber Security Act of 2012 Was Defeated, What is Next?
Congress has a lot of important work to do in this “lame duck” session including the important task of avoiding the “fiscal cliff” (which I have previously spoken about). Just as important is developing and passing legislation to marshal government and private resources to help prevent critical networks (belonging to both the Government and industry) from being hacked.
Unfortunately, that will not happen this legislative session.
Though backed by most of the Senate Democrats, the Cyber Security Act of 2012 failed to muster enough support to avoid a filibuster. Highlights from the Cyber Security Act include the following:
- Creation of a council that will evaluate the greatest cyber security vulnerabilities;
- Creation of a private-public partnership that will create voluntary standards;
- Promotion of adoption of cyber security standards with shielding of punitive liability if compliant with standards; and
- Increasing the sharing of information between the private sector and public sector.
Private industry balked at the “voluntary” standards, fearing that they would become mandatory in the rule-making process or down the road. Watchdog groups balked at the sharing side of the bill, fearing that it would further erode civil liberties. More information from the Senate’s website is available here.
Nevertheless, this bill appeared to be a good start down the long, inevitable road we will have to travel to help ensure our nation’s cyber infrastructure is secure. As stated in the memorandum from the bill’s sponsors:
The destruction or exploitation of critical infrastructure through a cyber attack, whether a nuclear power plant, a region’s water supply, or a major financial market, could cripple our economy, our national security, and the American way of life. We must act now.
The Government through the regulatory process is already increasing regulations on government contractors. DOD, GSA, and NASA released proposed rules (FAR Case 2011-020; Docket 2011-0020) applicable to government contractors aimed at shoring up the Government’s computer systems. If adopted, these rules would amend the Federal Acquisition Regulation (the FAR) to protect contractor information systems that connect with Government systems. We’ll have more details about this in a blog post later this week.
For businesses operating outside of the Government space, there is open talk that President Obama will issue an Executive Order that will incorporate much of the Cyber Security Act of 2012. This news comes on the heels of news that the President recently signed a secret directive aimed at thwarting cyber attacks. According to The Washington Post, this initiative, which was supposed to remain classified, would allow the Government to be more aggressive in thwarting cyber attacks. In addition, DOD is preparing new rules of engagement as they relate to cyber attacks.
We will be following this closely. Also, I will be speaking at GovSec (“The Cyber and Data Security Rules of the Road”) on May 15, 2013 regarding this very issue.
This post was written by Eric S. Crusius, Esq.