The leadership of the Senate Homeland Security Committee will introduce a comprehensive cybersecurity bill on Tuesday that would allow firms to appeal whether new security regulations should apply to their sector.
The legislation would task the Department of Homeland Security with determining which sectors of the economy would be covered by new cybersecurity regulations, after risk assessments in consultation with the private sector, the intelligence community and others.
"Passing the bill is crucial for national security, but not if the provisions on critical infrastructure regulation are watered down. This will be a real test for this Congress," said James Lewis, senior fellow and director at the Center for Strategic and International Studies.
Examples of sectors considered likely to fall under the new regulations are utilities, water treatment plants and transportation providers. Some sectors, such as major financial institutions and telecom providers, may ask for exemptions based on a demonstrated ability to secure their systems.
After determining which firms are critical infrastructure, DHS would then, in consultation with the private sector, determine cybersecurity performance requirements for firms in the covered sectors.
"The performance requirements would cover only those systems and assets whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations," said a committee spokesman.
"The bill would only cover the most critical systems and assets in a given sector, and only if they are not already being appropriately secured. The focus is on the systems that are insecure, not the ones that are doing well."
The question of enforcement has also been crucial to the debate, with firms fearing the impact of financial penalties or criminal liability for failing to secure their systems. The committee spokesman said the final penalties for firms that don't comply have yet to be determined.
"There would be a huge market incentive for designated sectors to meet the security standards. But if they don't, DHS and the AG would decide on penalties," said the spokesman.
Industry groups have argued the problem of cybersecurity is one of cost, so increasing incentives for firms to adopt better protections would be a more effective route. They have championed concurrent efforts in the House, which focus on encouraging information sharing more than new regulations.