On Feb. 6th, 2012, the Washington Post reported on comprehensive cybersecurity legislation. According to the article, we're starting to get a rough picture of what the Senate's version of cybersecurity legislation will look like:
- DHS would have cybersecurity responsibility within the US
- DHS would have the power to decide which companies to regulate
- "DHS would have the power to require better computer security" for those companies
- DHS would not regulate industries already under the protection of another agency
- There is NO internet kill switch provision
The article noted that DHS "would move gradually, taking on higher priority industries first."
You can find the Washington Post source article here.
***
Paul Rosenzweig put out another Lawfare blog post explaining cybersecurity legislation. This blog post highlighted cybersecurity legislation in the House. Again, the two principal bills sitting in the House are the Precise Act and CISPA.
Rosenzweig explained that the two bills differ with regard to who is in charge, private sector information sharing, and what information can be shared.
The Precise Act puts DHS in charge, creates a cyber threat information clearinghouse to facilitate information sharing, and authorizes that clearinghouse to "share only information necessary to describe a method of defeating technical controls on a system or network that corresponds to a cyber threat."
CISPA puts the Director of National Intelligence (and possibly the NSA) in charge, "authorizes private-to-private sharing among a defined class of cybersecurity providers", and allows for sharing of information that would protect a cyber system against "efforts to degrade, disrupt, or destroy" that system.
The post noted that both House bills are far less regulatory than any of the Senate alternatives.
You can find Mr. Rosenzweig's Lawfare blog post here.
You can also find an earlier Lawfare blog post (by Mr. Rosenzweig) on the Senate's cybersecurity proposals here.
***
Rep. Dan Lungren, co-sponsor of the Precise Act, wrote a blog post for The Hill explaining the Precise Act.
His big point: the federal government shouldn't look to provide or manage cybersecurity for US networks. Rather, the federal government should facilitate cybersecurity through information sharing. The Precise Act does just that.
***
Time suggests that the gulf between the Senate and House versions of cybersecurity legislation means that we might not see cybersecurity legislation pass this year.