We have already seen tremendous fallout from recent cyber attacks on Target, the U.S. Office of Personnel Management, Sony Pictures, and J.P. Morgan. Now imagine that, instead of an email server or a database of information, a hacker gained access to the controls of a nuclear reactor or a hospital. The potential consequences are devastating: death, injury, mass property destruction, environmental damage, and major utility service and business disruption. Now what if there were a mechanism that would incentivize industry to create and deploy robust and ever-evolving cybersecurity programs and protocols in defense of our nation’s critical infrastructure?
In late 2014, Representative Michael McCaul (R-TX), Chairman of the House Committee on Homeland Security, proposed legislation that would surgically amend the SAFETY Act, which currently offers liability protection to sellers and users of approved anti-terrorism technologies in the event of litigation stemming from acts of terrorism. Rep. McCaul’s amendment would broaden this protection to cybersecurity technologies in the event of “qualifying cyber incidents.” The proposed legislation defines a “qualifying cyber incident” as an unlawful access that causes a “material level of damage, disruption, or casualties severely affecting the [U.S.] population, infrastructure, economy, or national morale, or Federal, State, local, or tribal government functions.” Put simply, under the proposed legislation, a cyber incident could trigger SAFETY Act protection without being deemed an act of terrorism.
The House Committee on Homeland Security plans to reconsider Representative McCaul’s 2014 amendment in the coming weeks. In anticipation, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies held a hearing earlier this week to examine whether the SAFETY Act framework ought to be leveraged as a tool in our effort to prevent the next big cyber attack. As foreshadowed during the hearing testimony, we believe the time is right to seriously consider an extension of the SAFETY Act:
- Incentivize Cybersecurity Development: In its present form, the SAFETY Act has proven to be an effective tool to facilitate the development–and use–of anti-terrorism technologies. The protection has allowed companies to lean forward in innovation and deployment of anti-terrorism products and security programs, without the fear of unbounded liability. Although some cyber technologies are beginning to engage in the SAFETY Act program, those technologies are only protected in the case of an act of terrorism (which is a high bar–the Boston Marathon bombing was not declared an act of terrorism). This broadened scope of liability protections for proven cybersecurity technologies will incentivize providers of cybersecurity technologies to innovate, as the likelihood of requiring such protection is higher when, as with most cyber attacks, the perpetrator and his/her motives are not always known. Thus, the SAFETY Act can only reach its full cyber potential with an amendment. Furthermore, the SAFETY Act application process requires applicants to demonstrate the proven effectiveness of their technology, including the technology’s ability to adapt to evolving threats. In addition, an applicant must demonstrate to OSAI the continuous improvement of its technology in order to earn renewal of its protection. In other words, the SAFETY Act application process alone often compels an applicant to improve its technology.
- The Timing is Perfect: Not only is the country’s attention already focused on cybersecurity following high-profile cyber attacks, but the Office of SAFETY Act Implementation (“OSAI”), which reviews all applications for protection, has demonstrated the ability to evolve and address emerging technologies of increasing complexity and varying deployments. For instance, OSAI has recently granted protection to the Port Authority of New York/New Jersey for a sophisticated set of anti-terrorism technologies deployed at the World Trade Center and at multiple airports, and to four large sports stadiums for their multilayered security programs. Furthermore, waiting for a tragic cyber attack will ultimately make this effort more difficult, as the cybersecurity provider and insurance markets will dry up for fear of enterprise-threatening litigation.
- Complements Current Information-Sharing Bills: The attention from cyber attacks has sparked Congress to introduce information-sharing bills focusing on cybersecurity. Amending the SAFETY Act complements, and does not conflict with, these efforts. The amendment would broaden protection to include attacks that materially damage and severely affect the nation beyond information-sharing activities. It is also unclear whether the information-sharing bills as currently drafted would cover “downstream” suppliers of cyber technology to information-sharing companies, thus potentially eliminating some of their incentive to innovate. Working together, the information-sharing bills and an amended SAFETY Act would provide a “belt and suspenders” incentive regime, ultimately serving to improve the nation’s cyber profile.
- Stimulate the Cybersecurity Insurance Industry: The current market for cybersecurity insurance is quite limited, especially for key sectors, such as the energy, health, and financial industries. When available, such insurance is expensive and often contains significant exclusions. Amending the SAFETY Act to explicitly cover non-terror-based cyber incidents will expand the market, as sellers of cybersecurity technologies would be required to obtain certain levels of cybersecurity insurance in order to retain the protection offered by the SAFETY Act.
Markup of the amendment is expected by mid-September, and coalitions of industry are already forming in support of the amendment.