Revised Cybersecurity Act of 2012 Again Goes Before U.S. Senate
A reworked version of a proposed and controversial federal cyber-security law is again going before the U.S. Senate, but this time, the so-called Cybersecurity Act of 2012 might have enough changes and compromises to make it more palatable for all sides.
Senate debate on the revised legislation will begin July 31, several months after an earlier version was withdrawn due to criticism of some of its language and policy related to digital privacy and personal freedoms.
"This revised legislation would establish a robust public-private partnership to improve the cybersecurity of our nation's most critical infrastructure, which is mostly owned by the private sector," according to a summary of the bill. "Industry would develop voluntary cybersecurity practices and a multi-agency government council would ensure these practices are adequate to secure systems from attacks."
The bill "was developed in response to what defense and intelligence leaders have called an existential threat to our country," according to the legislation. "Our critical infrastructure is increasingly vulnerable to cyber threats, and can be manipulated or attacked by faceless individuals using computers halfway around the globe. The destruction or exploitation of critical infrastructure through a cyber attack, whether a nuclear power plant, a region's water supply, or a major financial market, could cripple our economy, our national security, and the American way of life. We must act now."
Several critics of the earlier version of the legislation say they are more comfortable with the new version of the bill, though they still question whether such a law is ultimately needed.
"The bill is a step in the right direction of protecting online rights, but still has major flaws that allow for nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets)," wrote Mark Jaycox and Rainey Reitman of the Electronic Frontier Foundation privacy group in a blog post. That "overly broad" language is contained in Section 701 of the bill, they wrote, and is being addressed by an amendment that would remove this specific language.
"We remain unconvinced that a cybersecurity bill is necessary at this time, and we're committed to fighting to ensure user privacy isn't sacrificed in the rush to pass a bill," they wrote. "While the most recent version of the bill has strong privacy protections, Section 701 continues to pose a real threat to the rights of users to communicate privately."
The American Civil Liberties Union said the new version of the bill better addresses key privacy concerns that the group had with the previous version.
"Senators have unveiled significant privacy amendment" in the new legislation, wrote Michelle Richardson, legislative counsel for the ACLU in Washington, in a blog post, including that "companies who share cybersecurity information with the government give it directly to civilian agencies, and not to military agencies like the National Security Agency."
"The single most important limitation on domestic cybersecurity programs is that they are civilian-run and do not turn the military loose on Americans and the Internet," Richardson added.
The revised bill would also "restrict the government's use of information it receives under the cyber info sharing authority so that it can be used only for actual cybersecurity purposes and to prosecute cyber crimes, protect people from imminent threat of death or physical harm, or protect children from serious threats," Richardson wrote.
The bill would also "require annual reports from the Justice Department, Homeland Security, Defense and Intelligence Community Inspectors General that describe what information is received, who gets it, and what is done with it," Richardson wrote, as well as "allow individuals to sue the government if it intentionally or willfully violates the law."