Trade Law Daily is a service of Warren Communications News.

Rockefeller Cybersecurity Bill Draft Deletes Contentious Provisions

A draft revision of the cybersecurity bill offered by Sen. Jay Rockefeller, D-W.Va., in April significantly tones down some of the government control provisions that had alarmed industry (WID June 29 p3). Internet Security Alliance President Larry Clinton circulated to ISA members a working draft from staff of the Senate Commerce Committee, which Rockefeller heads, dated Aug. 19 that he said appears to be “substantially improved” over the original.


The original bill allowed the president to “order the limitation or shutdown of Internet traffic” to critical infrastructure networks, typically owned by the private sector, in addition to federal systems. The new working draft instead said the president may, in coordination with industry, “direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure.” It also directs the president to, again in coordination with industry, “develop detailed cyber emergency response and restoration plans” for each sector.

In June comments on the original bill, the ISA said that keeping the shutdown provision would lead it to oppose the entire bill, calling the idea too vague and fraught with potential unintended consequences. At the very least, it said then, the bill should propose a study of what can and should be done in a cyber-emergency and by whom, and of whether turning off the network would indeed be the best way of dealing with the problem.

The bill no longer designates the Department of Commerce as the “clearinghouse of cybersecurity threat and vulnerability information.” Instead, it directs the president or his designee to review the situation and then establish or designate the facility that will serve as the clearinghouse. As in the original, there are to be rules for how the federal government shares threat information and criteria for critical infrastructure owners to share threat and vulnerability information. The new draft adds requirements for rules on confidentiality and privacy protections for intellectual property and proprietary information, and on protection from, or mitigation of, civil or criminal liability arising from the information sharing.

Under the working draft, the National Institute of Standards and Technology would still establish “measurable and auditable” cybersecurity standards, though the draft language would instruct it to do so in consultation with agencies, regulators, industry and non-governmental organizations. Unlike the original bill, which contained more specific instructions on the types of measures to be developed, the draft now says the measures should cover “risk management metrics, measures and best practices detailing performance criteria, functional specifications, quality assurance, or other relevant considerations.”

The president or appropriate official is directed to require operators of critical infrastructure information systems to “periodically” report on the results of independent audits of their compliance with the standards. The original also called for critical infrastructure owners to demonstrate compliance, but it went further, saying the NIST director would enforce compliance.