Cybersecurity is one of those funny things that is talked about constantly, but nothing is really ever done about it. We can, and have, implemented new safeguards on our infrastructure. That doesn't change the fact that there is no national standard under which all infrastructure owners must operate.
The good news is that there was a cybersecurity bill making its way through Congress, supported by both parties, that would have addressed that very issue. As Wired reports, however, the key word there is “was.” Senator John McCain, joined by seven other Senators, came in to slam the current bill and propose a new one.
At a hearing for the proposed bill, the Cybersecurity Act of 2012, McCain made his objections clear. They included, but were not limited to, the power the bill gives to the Department of Homeland Security and the lack of power it gives to the National Security Agency:
General Keith Alexander, the Commander of U.S. Cybercommand and the Director of the NSA stated that if a significant cyber attack against this country were to take place there may not be much that he and his teams at either Cybercommand or NSA can legally do to stop it in advance. According to General Alexander, ‘in order to stop a cyber attack you have to see it in real time, and you have to have those authorities. Those are the conditions we’ve put on the table … Now how and what the Congress chooses, that’ll be a policy decision.’ This legislation does nothing to address this significant concern and I question why we have yet to have a serious discussion about who is best suited to protect our Country from this threat we all agree is very real and growing.
Additionally, if the legislation before us today were enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses – which own roughly 90 percent of critical cyber infrastructure. The regulations that would be created under this new authority would stymie job-creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates. A super-regulator, like DHS under this bill, would impact free market forces which currently allow our brightest minds to develop the most effective network security solutions.
McCain ended his comments by saying that he was going to introduce the new bill after the President’s Day recess.
The current bill that McCain wants to shoot down would have the government identify which sectors of the nation’s infrastructure pose the most immediate risk and then give the DHS the authority to address those problems.
The real kicker in the bill, however, is that it would require companies that own “critical infrastructure” to meet security standards created by the National Institute of Standards and Technology and the NSA. Companies that failed to meet these standards would be slapped with civil penalties.
Those affected by the new standards would be allowed to come up with their own ways of meeting them, but would be required to review their practices annually to confirm that they are still in compliance.
One part of the bill that is suspect is that it would allow these companies to self-certify their compliance with the proposed standards. While they could hire a third party to perform the audit, self-certification would probably be the preferred method since it's easier and cheaper. It’s also ripe for incompetence, since auditing yourself rarely gets the best results.
We’ll have to wait for McCain’s bill to emerge before we can compare the two and see where each one’s strengths lie. Once it does emerge, though, you can bet that we’ll be on it to let you know what’s in it.
If Congressional hearings are your thing, you can watch the full three-hour-long committee meeting at the Senate's Web site.
If you prefer reading, the bill in its entirety can also be downloaded from the Senate's Web site.
As it stands now, however, would you be more comfortable with the NSA or DHS monitoring our nation’s cybersecurity? Let us know in the comments.