Cybersecurity Act of 2012 - Cybersecurity Collides with Real-World Risk with American Lives at Stake
How do you feel about the Cybersecurity Act of 2012?
Every time I see a headline like "Experts urge stronger cyber regulation bill" I'm fairly sure there's a story someone purposefully didn't elaborate on. In this case there is an interesting push and pull between government regulation and the need to force organizations critical to national infrastructure to protect themselves from cyber attacks.
I always find topics of regulation interesting because as my good friend Ken Swick said on Twitter: "Isn't that up to the owner(s) to decide their risk and how much to spend on mitigating it? Being wrong can be expensive!"
I suppose the right to take on risk should always fall to the owner except when lives are in question... at least that's my viewpoint. That appears to be the viewpoint of this legislation too - but they are taking it to a level of definition I'm just entirely uncomfortable with.
According to the AP article: "The legislation would limit the number of industries subject to regulation to those in which a cyber attack could cause 'an extraordinary number of fatalities' or a 'severe degradation' of national security." OK, I get the notion of severe degradation of national security, that makes sense to me - but what exactly does "an extraordinary number of fatalities" mean?
I mean, I'm with one of the 'experts' the article quotes... just how many people have to have their lives in danger before an operator is subject to this legislation? I'm fairly sure any nuclear facility would be covered by this legislation, or any major dam near a city or heavily populated area... but what about a power company out in the middle of Montana or Nevada serving 10,000 people?
Can you just imagine the push-back from companies that run all sorts of critical infrastructure that serves "moderate amounts of people" which will be going to court to keep this legislation from affecting them?
Alright, perhaps I'm painting the wrong picture here. Perhaps no one will argue once the government labels your infrastructure company as under this legislation or not (just how and who will be doing this, I'd love to know)... and perhaps swine will sprout wings and politicians will be honest from now on. In other words... uhh, no.
So once again, we're left with somewhat arbitrary and unclear language that will likely be enforced by human beings who have differing opinions. Is it better than letting the nation's critical infrastructure go feral and leaving it to its own devices? Probably... or maybe not?
I think one of the most poignant quotes from the article is this one by James Lewis, a cybersecurity expert & senior fellow at the Center for Strategic and International Studies:
"By using terms like mass casualties, mass evacuations, or effects similar to weapons of mass destruction, we are essentially writing target lists for our attackers," said Lewis, also in prepared testimony. "They will attack what we choose not to defend."
Either way, I honestly don't see this as anything more than a chance to create some new regulatory-agency office, hire a bunch of new auditors, attorneys, and "experts"... and waste more time arguing the finer points of the English language in court rather than actually making critical infrastructure more risk-averse.
Cross-posted from Following the White Rabbit