WASHINGTON – Senate sponsors of legislation to protect the nation’s most important cyber networks from malicious activity described their bipartisan bill Wednesday as a full partnership with industry, narrowly tailored, and designed to avoid duplication, overlap, or reinvention of the wheel.
The Senators – Joe Lieberman, ID-Conn., Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif. – also announced additional supportive comments from industry and security experts on the process by which the bill was developed as well as its contents. The regional electric utility Pepco Holdings, the information-security firm Vanguard Integrity Professionals, and the internet technology management firm CA Technologies wrote to the Senators complimenting them on their carefully constructed bill.
In a “Dear Colleague” letter to all Senators, the co-sponsors of the Cybersecurity Act of 2012, S. 2105, wrote that the bill proposes the least amount of regulation possible to ensure the safety of the American people. The bill, the Senators wrote, is “premised on the fundamental principle that companies should secure their own systems according to their own expertise and security needs, with government support as needed. Based on voluminous constructive input from Members on both sides of the aisle, and also from industry stakeholders and security experts, we have ensured that the approach to securing critical infrastructure is narrowly tailored to cover only our country’s most vital systems, to avoid duplicative requirements, and to prevent the government from mandating specific security measures.”
Pepco Holdings wrote that “we face daily international and unintentional cyber, physical, and human threats to our critical infrastructures. To address these threats, we invest an extensive amount of time, resources, and capital to secure our critical assets to provide the greatest level of assurance and reliability to our customers. The efforts you and your staff have made to include us in your deliberations on cyber security and the opportunity this has afforded us to work collaboratively with you to craft solutions to these challenges are deeply appreciated. We also appreciate the approach you’ve taken to acknowledge and include limited regulations on critical infrastructures currently covered under existing prescriptive cyber security standards and oversight by regulatory authorities.”
Vanguard, saying it “strongly supports” the legislation, wrote: “Title I provides the first steps to ensure that minimum levels of IT security are in place to protect appropriate parts of the critical infrastructure in the private sector. We believe in particular that Section 106(b) and Section 105(e) will result in the wider adoption of appropriate minimum information security standards and implementation of minimum levels of security configuration controls, which may reduce the need for redundant audits and assessments against multiple different standards, and therefore will enable more attention be paid to implementing appropriate security policies and configuration controls.”
CA Technologies said in its letter: “Many provisions of S. 2105 reflect an understanding of the need for balance, flexibility, resilience and the speed of innovation in today’s cybersecurity environment. The bill’s focus on major critical infrastructure systems that can have significant consequences for our economic and national security; its emphasis on risk-based security measures; its recognition that active collaboration with the IT and other sectors through the use of existing information sharing and analysis organizations, such as the IT-ISAC, will enhance cybersecurity resilience and information sharing; and its provisions on research and development, FISMA reform, law enforcement and international cooperation are important markers. We appreciate the collaborative process that has informed the development of this critical legislation and are committed to continue working with you and other Senators as the bill moves through the legislative process.”