Will “Voluntary Standards” Make for an Effective Cybersecurity Bill?
The debate over revisions to the Cybersecurity Act of 2012 has been fierce and, of course, mostly partisan. Recently, sponsors dropped a measure that would require critical private sector companies to adopt security standards, rather than making such measures voluntary. On the one side, critics say the bill is a step in the right direction for preventing cyberattacks; others feel it is too lax and wrought with problems.
One thing is clear, however. President Barack Obama does not take this topic lightly. Last week he published an op-ed in the New York Times in which he called the cyber threat to our nation, “one of the most serious economic and national security challenges we face.” He writes:
It doesn’t take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.
Frightening. And true.
An earlier version of the bill required companies who run the power grid, gas pipelines, water supply systems and other critical infrastructure to meet a certain level of security. Republicans opposed, so the newer, revised bill says companies can recommend their own security regulations and volunteer to have their security practices inspected by the government, making it, essentially, a bill that merely suggests that these companies take certain measures. A recent article on the Huffington Post site states:
The new bill “basically depends on the industry to make a good faith effort to improve security, and up until now they haven’t done anything,” said Joe Weiss, a security expert on critical infrastructure. “The question is, ‘Why would you expect all of a sudden for that to change?’”
James Lewis, a senior fellow at the Center for Strategic and International Studies, said, “The problem is the bill doesn’t give the government any new capabilities. You don’t need this bill. Nothing really changes.”
Without comprehensive, mandatory cybersecurity legislation, how can we hope to prevent such nationwide, debilitating events?