Cybersecurity: Legislation

The Whitehouse-Kyl Compromise Cyber Legislation

By Paul Rosenzweig
Tuesday, June 19, 2012, 11:38 AM

As Raffaela noted earlier today, there appears to be some momentum gaining for the proposed Whitehouse-Kyl compromise legislation on cybersecurity -- at least if a letter from Senators Snowe and Warner constitutes momentum.  To date, I do not believe that anyone has seen a proposed text of the Whitehouse-Kyl compromise (by the way, that's Senator Sheldon Whitehouse of Rhode Island, not the White House).  All that is available is a 6-page conceptual outline of the proposal.  But that outline gives us a good sense of where the two Senators would go.  It would:

  • Continue the idea of having the Department of Homeland Security develop cybersecurity standards -- what the proposal now calls Baseline Performance Goals (BPGs).
  • Eliminate any mandate to adopt BPGs but apply a series of incentives (or, some might say pressure) for critical infrastructure providers to adopt BPGs voluntarily.
  • CI providers would then be able to self-certify their adoption of BPGs and (possibly after an audit) get a Cybersecurity Protection Program (CPP) certificate that entitles them to liability protection.
  • The liability protection would take the form of a bar on punitive damages; a limitation on non-economic damages; and a rebuttable presumption of non-liability for the effects of an external cyber attack.
  • The liability exemption will not be available to anyone who acts with gross negligence (or, worse, willful misconduct).
  • Further incentives to adopt BPGs and get a CPP certificate will come from government procurement preferences and the publication of a DHS-determined "tiering" list that, presumably, identifies those who are better or worse protected.

The concepts have, at first glance, some appeal.  Certainly the elimination of a mandate is a step toward compromise.  I confess to remaining skeptical about the capability of government to identify BPGs that are not outdated as soon as developed, and the liability protection that is offered looks like pretty weak tea to me.  My guess is that the real hammer will come from the importation of BPG/CPP considerations into Federal procurement and that their adoption in that realm will drive acceptance.

As always, it is difficult to predict what, if anything, will happen next, but I feel pretty comfortable guessing that the window for cybersecurity legislation is rapidly closing.  If there is no action in July before the big August recess, there is precious little likelihood of movement this year.