Reuters published an article today indicating that the US Senate plans to draft a bill to tackle cyber security in 2012:

The Senate will take up cybersecurity legislation next year to fight online fraud, espionage and intellectual property theft whether or not Republicans and Democrats reach agreement on a comprehensive bill, Senate Majority Leader Harry Reid wrote on Wednesday.

In a letter to Republican leader Mitch McConnell, Reid said that lawmakers have been working on various bills for two years and on a comprehensive bill for six months. Meanwhile, the U.S. government and businesses regularly see their cyber defenses breached and losses mount.

A cyber task force in the U.S. House of Representatives, which is dominated by Republicans, issued a report in October also urging legislation.

Their recommendations were similar to ideas being considered by Democrats. For example, the Republican task force said that regulation may be warranted to protect critical infrastructure like power and water plants.

Reid's office has been overseeing the drafting of a comprehensive cybersecurity bill, but progress has been slow.

U.S. lawmakers have considered several cybersecurity bills in recent years, but failed to pass any despite a growing sense of urgency following high profile hacks of Google, Lockheed Martin Corp, the Pentagon's No. 1 supplier, Citigroup, the International Monetary Fund and others.

Among the many obstacles to cyber legislation are overlapping jurisdictions in Congress and disagreement over how big a role government should play in regulating and protecting private networks.

Given the current US government’s (in)ability to (a) get anything done when it involves both parties working together, and (b) create legislation that actually accomplishes anything, I am not optimistic about this bill (on the other hand, they haven’t called me to testify either, and I am not expecting a call).

A month ago, I wrote another article about the SEC formally asking large companies to reveal when they have been hit by cyber attacks, since this could affect how investors value a company. I wonder if that will be wrapped into this cyber bill?

If so, how much protest would this bring from public corporations? Why should public companies be forced to disclose this, but private companies not? After all, it is a cyber security bill; shouldn’t all large companies have to abide by its rules if their security affects the public?

Second, what does the bill actually accomplish? The article talks about cyber attacks on large companies like Google and Lockheed Martin. Presumably, all of these companies are implementing better security policies as a result of these attacks. Is the government going to start dictating minimum security levels? While this is a good idea, I doubt that the government is going to tell private companies anything that will be helpful here, for three reasons:

  1. Government doesn’t have the expertise to say what the minimum security policies should be.
  2. Even if it did provide something, most companies will go beyond what is required in order to protect their own best interests.
  3. Whatever legislation the government comes up with, its policies would be out of date within a year.

On the other hand, I am curious to see what legislation the Senate comes up with. Maybe it should say that large companies must do penetration testing (and defend against SQL injection attacks at a minimum), must implement privacy controls for user data (and divide that data into classifications, as Microsoft does), must have access controls in place (similar to the requirements of FISMA), and so forth. Those make sense.

Thanks a lot, China.  You’ve ruined the fun for the rest of the hackers.