It looks like cybersecurity is finally making its way to the full Senate. This, of course, comes only after a lot of concessions were made to the original Cybersecurity Act of 2012 (CSA) in order to make it bipartisan-friendly.
Too often, bills made bipartisan-friendly end up being similar to the way I drink my coffee: weak and without a lot of punch. Just enough to make it seem like it is working, but beyond that, there isn’t much there. And that’s the concern with the CSA revisions, that they have weakened the original bill so much that the bill is more show than action. Plus, it still might not pass opposition leadership.
Some of the notable changes in the revised legislation include a better specification of the term "cybersecurity threat" (which prevents broad interpretations and in some way pleases organizations fighting for privacy and free speech online), the swap of the word “required” with “voluntary” when talking about participation of critical infrastructure owners in cybersecurity programs, and making the reporting of cybersecurity incidents related to the systems in question mandatory, since attacks against them can lead to catastrophic consequences.
Making participation to protect the critical infrastructure voluntary rather than required took the teeth out of the whole bill. Will industry really volunteer to do something they are not regulated to do? If history serves, probably not — even if it is in the best interest of the country and the infrastructure.
At what point will Congress understand the real threats involved in making cybersecurity a political battle? Battling a serious cyber threat has to be a collective fight. The idea of making it mandatory to report incidents is all well and good, but it is like shutting the barn door after the cows escaped. Reporting after the fact has already put others at risk when they could have been proactive through required cybersecurity programs.
I’m not alone in this thinking. From the Huffington Post:
The new bill "basically depends on the industry to make a good faith effort to improve security, and up until now they haven't done anything," said Joe Weiss, a security expert on critical infrastructure. "The question is, 'Why would you expect all of a sudden for that to change?'"
When an attack on the critical infrastructure happens — and sooner or later, it will — I suspect Congress will then spring into action to come up with rushed legislation that tries too hard, much like the post-9/11 legislation did. Senators, you have a chance now to create something that could be the start of better cybersecurity protection. Watering it down helps no one in the long run.