21 Feb

Stuxnet Spectre Hovers over Cybersecurity Act of 2012

Posted by Ephraim Schwartz
Ephraim Schwartz served as editor-at-large for InfoWorld for 12 years and is now

With recent attacks on critical infrastructure here and abroad, and Stuxnet the unspoken elephant in the room, the bipartisan Cybersecurity Act of 2012 was introduced late last week. It would require companies to cooperate with the federal government to reinforce their network defenses.

Sponsors of the bill include Sens. John "Jay" Rockefeller IV, D-W. Va.; Joe Lieberman, I-Conn.; Susan Collins, R-Maine; and Dianne Feinstein, D-Calif.

Any entity that owns or operates “critical infrastructure” will be required, in consultation with the Secretary of Homeland Security and in coordination with other U.S. intelligence agencies, to submit within 90 days of the bill's passage a “top-level assessment of the cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all critical infrastructure sectors.”

Obviously, none of the four sponsoring senators has ever worked in IT or in security, or they might know that such a requirement is a tall order in just 90 days, unless a CSO and CIO issue an all-hands-on-deck alert and devote most of those 90 days to completing an assessment.

The assessment must also determine which sectors of the infrastructure “pose the greatest immediate risk in order to guide the allocation of resources for the implementation of this Act,” according to the bill -- in effect, asking the CSO to take out his crystal ball and look deep into the future, and woe unto him who makes a mistake. However, the bill does not designate any specific security strategy or products; instead, it leaves that to industry experts working in conjunction with government intelligence agencies.

Pushback on the bill is coming from a number of sources.

The U.S. Chamber of Commerce Executive Vice President R. Bruce Josten sent his concerns to Senate Majority Leader Harry Reid, D-Nev., according to SC Magazine.

In his letter to Reid, Josten warned of “new regulations and compliance mandates” that cost companies money and force them to allocate funds where they are not needed.

While it may be true that no price is too high to keep our country secure, the truth is that security is always weighed -- not just by private industry but by government as well -- against a plethora of other considerations, including budgets, cost and, let's face it, profits.

Even more pushback came from the Electronic Freedom Foundation. Lee Tien, a senior staff attorney with the nonprofit organization, said the bill would require companies to hand over data about cyberthreats, which could include personal data, giving the government access to data it has no right to, according to SC.

The bill also lists the criteria it would use to designate a company as part of the “critical infrastructure” of the United States. Included among those entities would be those in control of “any asset” whose interruption would cause a disruption in “life-sustaining services, including energy, water, transportation, emergency services, or food.”

As we all know, brevity is not Congress’s forte: the bill is 207 pages long. If you happen to be the CSO of a designated critical infrastructure entity, I’m sure it will be fascinating reading.
