The House of Representatives has actually dragged cybersecurity back into the spotlight.
Long-time readers will recall that the rather important challenge of securing the US national infrastructure (power supplies, the grid, transportation -- all those good things) against cyberattack is something Congress has repeatedly shelved.
Back in May, 2010, Robert McGarvey was telling us that the government just wasn't taking cybersecurity seriously: "The clock is ticking."
By the beginning of 2012, the Senate had crafted a bill based on a series of cybersecurity goals set out by the White House. Immediately, there was a demand to slow the process down. Sure enough, the Cybersecurity Act 2012 never made it to a vote, not least because a group of Senators, led by John McCain (R. Ariz.), tabled an alternative proposal: "Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act." Yes, that's the SECURE IT Act, and guess what became of it?
Nothing -- and that's how matters stood late last year.
This history is relevant, because it explains why some of us sigh and roll our eyes when we hear that the House of Representatives is giving it the old college try. Leading members of the House Homeland Security Committee introduced the "bipartisan" National Cybersecurity and Critical Infrastructure Protection Act of 2013 earlier this month. (Everyone is going to call it NCCIP.)
Representative Patrick Meehan (R. Pa.) reassures us that:
The bill will help us responsibly coordinate our cyberdefenses and strengthen civilian leadership of their while protecting Americans' privacy and civil liberties.
I'd be concerned that a cybersecurity bill commanding genuine bipartisan support is likely to do little -- or nothing at all. Let's take a look. Here are the key provisions. It will:
- Strengthen institutionalized information sharing (through the National Cybersecurity and Communications Integration Center)
- Strengthen several plans, including the National Infrastructure Protection Plan, and the National Cybersecurity Incident Response Plan
- "Improve resiliency" of various systems and networks
Okay, enough red tape. Let's cut to the chase. The bill will establish a partnership between the DHS and the private sector. This involves "voluntary consensus...industry best practices," and so on (Section 201).
In other words, it's the approach McCain and other Senators favored in 2012. The private sector knows what it's doing; let's leave it to look after the nation's infrastructure. Sure, have a little federal oversight, but not too much.
No rigid security benchmarks, no sanctions for not meeting them; in other words, for the significant elements of the infrastructure in private hands, no teeth.
The only good news: This is the House of Representatives, so the legislation probably won't pass.
— Kim Davis, Senior Editor, Internet Evolution