The President's Cybersecurity Legislative Proposal Has No Teeth

On May 12, the White House announced its Cybersecurity Legislative Proposal to Capital Hill via a blog post by Cybersecurity Coordinator Howard Schmidt. I reviewed the section on critical infrastructure on my flight back from DC after speaking on this topic at the Cyber Security Strategies Summit. Predictably it's all bark and no bite. To wit:

If the Secretary determines, after conducting such a review, that the covered critical infrastructure is not sufficiently addressing the identified cybersecurity risks, the Secretary may:
(A) enter into discussions, or request another agency with sector-specific expertise to enter into discussions, with the owner or operator of the covered critical infrastructure on ways to improve the cybersecurity plan or the evaluation, which may include the provision of technical assistance;
(B) after discussions permitted in subparagraph (A), issue a public statement that the covered critical infrastructure is not sufficiently addressing the identified cybersecurity risks; and
(C) take such other action as may be determined appropriate by the Secretary;
except that the Secretary shall not, in enforcing the provisions of this Title, issue a shutdown order, require use of a particular measure, or impose fines, civil penalties, or monetary liabilities on the owner or operator of the covered critical infrastructure as a result of such review"
To put this in proper context, imagine that this proposal had to do with any other type of infrastructure: a bridge, an oil pipeline, your house. And let's say that the general contractor for that bridge project doesn't comply with the requirements. What happens then? He could get a stern talking-to (Section A); possibly get some publicity (Section B) which would probably land him a guest spot on Fox news as the little guy standing up to Big Brother's unreasonable demands that make it impossible for him to earn a living; or be subject to some other unidentified action (Section C).

Now here's what cannot happen to the builder of that bridge that you and thousands of others drive across twice a day:

  • He cannot have his project shut down for non-compliance. 
  • He cannot be fined for non-compliance. 
  • He cannot be held financially responsible if the bridge collapses and people are killed or injured. 
  • He cannot, essentially, be told what to do. 

This is clearly a ludicrous scenario for any type of physical infrastructure which is precisely why builders get fined, sued, or arrested and prosecuted if they don't comply with the law. However in the upside down world of "cyber", it's par for the course even when we're speaking about critical infrastructure (telecommunications, energy, financial services, water, and transportation sectors).

Let's move from the example of a bridge to one of a power plant. In the real world, the government regulates the construction of every aspect of a nuclear power plant or a hydro-electric dam except one: the protection of its networks. That's neither rational, nor responsible. The federal government must find a way to bring cyberspace into its existing authorities because if something is truly "critical", compliance cannot be voluntary or somebody doesn't know what "critical" means.