The Great Cybersecurity Carve Out?

As Leroy Jetson’s dog Astro used to say: “ruh roh.” The most critical (no pun intended) portion of the soon-to-be-introduced (and newly renamed) Lieberman-Collins-Rockefeller-Carper (“LCRC”) cybersecurity bill (hearings scheduled for Thursday – bill text to be introduced “soon”) will be the Title defining critical cyber infrastructure and setting up a new regulatory system to establish standards and manage compliance.  As with any new regulatory program, get it right and good things happen; get it wrong and they don’t.  If the bootleg draft copy of the Title that I saw last week is any indication, there is already reason for concern. The draft of the LCRC bill  starts from a reasonable premise – it limits the authority to regulate to cybersecurity systems to “covered critical infrastructure” and then defines that terms as a system or asset where “damage or unauthorized access to that system or asset could result in –

(i) the interruption of life-sustaining services, including energy, water, transportation, emergency services, or food, sufficient to cause –

 (aa) a mass casualty event comparable to the consequences of a weapon of

mass destruction; or

(bb) mass evacuations of a major population center or a large geographic area in the United States;

 (ii) catastrophic economic damage to the United States including:

(aa) failure or substantial disruption of a United States financial market;

 (bb) incapacitation or sustained disruption of a financial system; or

 (cc) other systemic, long-term damage to the United States economy.

 (iii) severe degradation of national security or national security capabilities, including intelligence and defense functions."

 To be sure, the definition will need fleshing out.  Is our agricultural system critical under this definition?  I can’t tell. But what is far more concerning than the ambiguity of the definition is the great “carve out” that gives a direct waiver from coverage to a particular subset of the economy.  The bill’s text provides that: “The following commercial items shall not be designated as covered critical infrastructure:

(a) a commercial information technology product, including hardware and software; and

(b) any service provided in support of a product specified in subparagraph (a), including installation services, maintenance services, repair services, training services, and any other services provided in support of the product. “

In other words, the entire architecture of the Internet is excluded from regulation.  Oracle, Cisco, Intel, Hewlett-Packard, Facebook – none of them are covered because all of them are (or at least they seem to me to be) “commercial information technology” products.  At least as drafted it looks like the entire regulatory burden will fall on the end-users – people in the financial industry, the electric utility industry and such – rather than on any of the Internet service providers. For the life of me I can’t really understand why.  Perhaps Congress is gun shy after the SOPA/PIPA debate.  Perhaps this is just public choice theory at its best.  Perhaps there is some technical reason that I am unaware of.  But my instinct is that if you are writing a bill about securing the Internet then …. Well, the bill ought to actually address the Internet itself and not just those who use it.