The Cybersecurity Act of 2012 (S. 2105) was introduced in the Senate on February 14, 2012 by Senators Lieberman, Collins, Rockefeller, and Feinstein. It has drawn a growing stream of criticism. Forbes says the proposed legislation will "cost businesses and hurt [the] economy," while CSO Online reports that others fear it could create a "culture of compliance."
The Cybersecurity Act of 2012 would confirm the creation of a National Center for Cybersecurity and Communications within the Department of Homeland Security (DHS) to coordinate the national response to cybersecurity threats. This change would give DHS the power to mandate security levels in industries deemed part of critical infrastructure. In addition, the bill would amend the Federal Information Security Management Act (FISMA) in several ways, primarily shifting agency reporting from periodic compliance checks to continuous monitoring.
This article on Forbes outlines how the change in risk assessment, from business-led to DHS-led, is both unclear and dangerous in terms of data security. The proposed change, they note, creates too many opportunities for company data to be shared too widely or lost, with serious implications for those companies. There are other issues with letting DHS set performance requirements and regulations:
Moreover, numerous international technical working groups, standards setting bodies, and researchers are working continuously on solutions, protocols, and approaches to the multidimensional problem of cyber threats. Their work is published, incorporated into global standards and best practices, and adopted and deployed by organizations around the world. It is extremely unlikely that DHS regulations will keep pace with this work. Almost certainly, cybercriminals will develop exploits around these mandates, and U.S. companies will be more vulnerable because they will be meeting compliance requirements instead of deploying the latest technologies or approaches that will best help them to detect, deter, and combat current threats.
Most critics of the legislation agree that corporate security budgets would be spent on compliance rather than on proactive security programs.
What is your input on this particular bill?