In its original form, the act would have required that companies designated as critical infrastructure, such as utilities and financial institutions, comply with cybersecurity standards established by the government. The bill would also have given the Department of Homeland Security the power to inspect private facilities designated as critical infrastructure to ensure that the cybersecurity standards were being met.
However, S. 2105 faced overwhelming opposition in the Senate, leading the bill’s sponsor, Sen. Joe Lieberman (I-CT), to revise the measure. Now, the bill offers incentives for companies to comply with the standards, such as liability protection relating to cybersecurity breaches, but contains no requirements for businesses.
In a statement announcing the revised bill, Lieberman said: “This compromise bill creates a public-private partnership to set cybersecurity standards for critical American infrastructure, and offers the reward of some immunity from liability to those who meet those standards. In other words, we are going to try carrots instead of sticks as we begin to improve our cyber defenses. This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system.”
Illustration from OperationPaperStorm/flickr