Analysis: New cyber bill dials back regulatory aspects of earlier versions

Five senators last week introduced a revised version of the Cybersecurity Act of 2012 as a last ditch effort at passing a cybersecurity bill before the August recess. The revised bill compromised on the most controversial sections regarding critical infrastructure.

“The version of the bill they are now considering significantly dials back the regulatory component,” said Rob Strayer, the director of the Homeland Security Project at the Bipartisan Policy Center. “It makes it strictly voluntary that companies have to comply with cybsecurity performance standards.”

Strayer worked on two reports for the BPC about the various cybersecurity bills Congress is considering: Cyber Security Task Force: Public/Private information sharing” and Cyber Security Legislation Privacy Protections are Substantially Similar.”

He told The Federal Drive with Tom Temin and Emily Kopp Monday that the new bill provides incentives for companies through limitations on liabilities from lawsuits for cybersecurity incidents. It also provides additional incentives to try and get companies to comply with the new cybersecurity standards without being required to.

“The only actual requirement in there seems to be in that for a significant cyber incident, a company that owns critical infrastructure assets would have to report that to the government,” Strayer said.

The new bill establishes a council to coordinate between various departments, which Strayer considered an “elegant” way to address cybersecurity.

“Many different departments have regulatory or some kind of oversight for different sectors of industry that have cybersecurity issues. And it keeps the Secretary of Homeland Security as the chair of this council and the secretary still writes the information sharing procedures and regulations that had been so controversial on the way,” he said.

Under this model, the Department of Homeland Security would set the rules for information reporting and sharing but not the cybersecurity practices that businesses would have to impose to keep themselves safe. Previously, DHS could also set the standards the businesses operated under.

Strayer said that the bill would go a long way toward securing industry networks. One thing that the most recent BPC called for that was lacking in the previous cybersecurity bills was the inclusion of emergency authorities.

“If there was an emergency over our critical infrastructure networks in our country, it’s unclear how the federal government would be able to require the private sector to take emergency steps to remedy that,” Strayer said. “That’s something we think should be thought out well in advance.”

This story is part of Federal News Radio’s daily Cybersecurity Update. For more cybersecurity news, click here.

RELATED STORIES:

Senators try compromise to get cyber bill passed