Since the start of the 112th Congress, there has been a heightened focus on cybersecurity. Congress has not passed new cybersecurity-related legislation since 2002, when the Federal Information Security Management Act was enacted. In 2011, the Obama Administration announced its cybersecurity proposal, and a number of bills are currently active in both the House and Senate that focus on different aspects of cybersecurity and the mechanisms to protect private infrastructure and networks against cyber threats. One of the major philosophical differences between the various bills is which government entity should be responsible for cybersecurity – the Department of Homeland Security (DHS) or the National Security Agency (NSA). The Administration’s proposal favors DHS over NSA.
The most widely supported proposal is the bipartisan Cybersecurity Act of 2012 sponsored by Sens. Joe Lieberman (I-Conn) and Susan Collins (R-Maine). The hallmarks of this bill are the requirement that companies notify DHS of intrusions into their networks and the creation of mandatory compliance with industry-specific cybersecurity standards. Senator John McCain (R-AZ) has a competing bill in the Senate, the Secure IT Act (S.2151), that focuses on self-regulation by the private sector rather than imposing government standards.
In the House, there are three notable active bills: (i) the Secure IT Act (H.R. 4263), (ii) the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (“PRECISE Act”, H.R. 3674), and (iii) the Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523). The House Secure IT Act was introduced on March 27, 2012, and mirrors Sen. McCain’s version of the bill. The two other bills set cybersecurity standards for critical private networks and focus on information sharing mechanisms between the government (notably the NSA) and internet service providers so that threatening traffic can be blocked before causing harm.
Ultimately, it seems unlikely that any major cybersecurity legislation will pass during this session of Congress given the current election cycle. However, the recent activity on the Hill highlights to private industry areas where significant cyber improvements are warranted. Information sharing between government and the private sector, as well as compliance with certain baseline security standards for privately held infrastructure, are perhaps the most prominent topics. The potential for legislation, on top of existing requirements like the SEC’s cybersecurity disclosure guidance, demonstrates that for private industry, focusing only on the technical aspects of cybersecurity is likely to be insufficient. Companies will need to understand the evolving legislative and regulatory requirements with which they must comply and build compliance into their operations.