What’s going on with the Cybersecurity Act of 2012?

This week we witnessed a heated debate between US Senators who voiced opposing opinions on the Cybersecurity Act of 2012, a bill aimed at regulating a number of important aspects related to defending critical infrastructure from cyber attacks.

The bill is sponsored by the independent Connecticut senator Joe Lieberman, chairman of the Senate Homeland Security Committee, and four of his Democratic colleagues, and it focuses on building a public-private partnership that would enable a higher level of protection for critical infrastructure in this day and age where cyber attacks are omnipresent.

The Cybersecurity Act of 2012 was first introduced back in February, but because of harsh criticism from both politicians and civil society organizations, the bill was pulled back to be rewritten.

The Electronic Frontier Foundation (EFF) – the digital rights advocacy and legal organization based in San Francisco – analyzed the February proposal and identified a number of privacy-related issues and problems that would empower the rise of a digital Big Brother.

The initial bill was based on over three years of legislative preparations and countless hours of consultations between the members of the Senate, but it seems a couple of extra months were needed to make the proposed law more acceptable to a larger number of decision makers.

Some of the notable changes in the revised legislation include a better specification of the term “cybersecurity threat” (which prevents broad interpretations and in some way pleases organizations fighting for privacy and free speech online), the swap of the word “required” with “voluntary” when talking about participation of critical infrastructure owners in cybersecurity programs, and making the reporting of cyber security incidents related to the systems in question mandatory, since attacks against them can lead to catastrophic consequences.

The bill’s sponsors hoped to come to a bi-partisan consensus on the proposal, but even with all the revisions a number of initial critics are still against it.

One of the most vocal critics of the bill is the Senate Armed Services Committee ranking member John McCain. As the majority of the USA’s critical infrastructure is owned by the private sector, he is against any type of state intervention in things like setting up security-related standards.

The bill’s sponsors are trying to push for a vote on the legislation as soon as possible – Senator Lieberman even said that the bill won’t survive if the Senate doesn’t consider it before the upcoming August recess. In a floor speech, Mr. McCain clearly objected to this pressure and added a remark that “it is not the right way to move forward with little or no opportunity for debate and amendments”.

President Barack Obama showed his clear support for the Cybersecurity Act of 2012 in an op-ed piece published a week ago in The Wall Street Journal. In the article titled “Taking the Cyberattack Threat Seriously,” the President considers a worst case scenario related to an attack on critical infrastructure and stresses that “the United States of America have the opportunity – and the responsibility – to take action now and stay a step ahead of their adversaries”. Mr. Obama closed his piece by urging the Senate to pass the Cybersecurity Act of 2012.

The United States is constantly targeted with cyber attacks, but the situation for the current administration became even more complicated after The New York Times’ David E. Sanger, while announcing his new book “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power,” confirmed that the USA and Israel are behind the Stuxnet worm. Stuxnet, as you probably know, was used for sabotaging the Iranian nuclear facility in Natanz – a move that supposedly set back the country’s nuclear weapon production program by up to three or four years.

In the information security and military circles, the phrase cyber war and its integral components are still undefined, but this acknowledgement of the USA standing behind the Stuxnet worm could be understood as an “official” start of a cyber war between these countries.

Parts of critical infrastructure are legitimate targets in non-kinetic warfare, so a fresh and updated set of security rules and methods could be a good thing for organizing their protection. Even if the Cybersecurity Act of 2012 is not the optimal solution, it is at least a positive step forward.
