The National Cybersecurity and Critical Infrastructure Protection Act of 2013 was recently introduced into the House this past week. While I applaud the attempt to push cybersecurity awareness, I have concerns with the bill at a very high level. Granted, I haven’t fully read all 56 pages yet but here is my first concern. The following sectors are going to be classified as critical infrastructure.
(2) Commercial facilities.
(4) Critical manufacturing.
(6) Defense Industrial Base.
(7) Emergency services.
(9) Financial services.
(10) Food and agriculture.
(11) Government facilities.
(12) Healthcare and public health.
(13) Information technology.
(14) Nuclear reactors, materials, and waste.
(15) Transportation systems.
(16) Water and wastewater systems.
(17) Such other sectors as the Secretary determines appropriate.
Don’t get me wrong, I agree with a lot of this. And classifying sectors for the purpose of information sharing isn’t a bad idea. There could be some unintended consequences of pushing this information security measure though.
First, if everything is critical, nothing is critical. It seems these sectors would include a vast majority of the business ventures in the US. We don’t have the time or resources to apply information security controls to everyone and everything. There’s always going to be an element of risk. We need to be careful that we’re not trying to eliminate all risk.
The second is that once something is deemed critical infrastructure, it will be very easy to regulate it in the future. Much in the same way Business Associates are now regulated under HIPAA, many of these sectors could come under the scope of, say, the Federal Information Systems Management Act (FISMA) with one small change to a bill in a future legislative session.
On one hand this bill is too general and on another it’s too specific. Sounds crazy, but think about it. Do you really want your local deli to have to follow information security guidelines similar to a bank’s just because it got swept into the Food & Agriculture sector? Think something crazy like that wouldn’t happen? Just think about how many unintended consequences laws like the Affordable Care Act (Obamacare) have had.