On February 14, a bipartisan group of senators introduced to the U.S. Senate the Cybersecurity Act of 2012, under which the Department of Homeland Security (DHS) would assess the risks and vulnerabilities of critical infrastructure systems and develop security performance requirements for the systems and assets designated as covered critical infrastructure. The bill is sponsored by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), committee ranking member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). As explained in the statement announcing the measure, “[t]he bill envisions a public-private partnership to secure those systems, which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to lifesustaining services, or catastrophic damage to the economy or national security.”

Title I of the bill provides the key provisions of the critical infrastructure protection obligations that would be imposed by the bill. Under Title I, DHS, in consultation with entities that own or operate critical infrastructure, the Critical Infrastructure Partnership Advisory Council, the Information Sharing and Analysis Organizations, and other appropriate state and local governments, is required to conduct an assessment of cybersecurity threats, vulnerabilities, and risks to determine which sectors pose the most significant risk. Once the sectors have been prioritized based on risk, DHS, along with the other agencies and organizations, must conduct a cybersecurity risk assessment of the critical infrastructure in each sector. These risk assessments must consider the actual or assessed threat, the threatened harm to health and safety, the threat posed to national security, the risk of damage to other critical infrastructure, the risk of economic harm, and each sector’s overall resilience, among other factors. In conducting these assessments, DHS is called upon to cooperate with owners and operators of critical infrastructure.

Please see full alert below for more information.