Michael Chertoff, the former head of the U.S. Department of Homeland Security (DHS), recently remarked that cyber threats represent one of the most seriously disruptive challenges to national security since the onset of the nuclear age 60 years ago. Mr. Chertoff may be on to something. In its April 2012 monthly monitoring report, DHS announced that various companies in the national gas pipeline industry were apparently being targeted by cyber attacks. Between October 2011 and February 2012, DHS claimed that there were 86 reported attacks on U.S. computer systems controlling U.S. critical infrastructure.
To address these threats, several competing bills were recently introduced in Congresshowever, it is unlikely that the current bills will be enacted into law in the near future.
The Pending Legislation
The Cyber Intelligence Sharing and Protection Act (CISPA)
On April 26, 2012, CISPA (a Republican-sponsored measure) passed the U.S. House of Representatives. CISPA takes the approach of facilitating greater sharing of cyber threat information among government and industry. CISPA does not mandate any minimum cybersecurity standards for private enterprise. Pursuant to CISPA:
- Private companies may share cyber threat information with other entities, including the federal government.
- Private entities may use cybersecurity systems to identify and obtain cyber threat information.
- Private entities, acting in good faith, would be immune from lawsuits in federal or state courts in connection with certain actions taken pursuant to CISPA.
- Cyber threat information shared with the federal government could be used for purposes other than countering cyber threats.
