* List specific industries that they plan to regulate.

* Gather reports on what, specifically, is needed in those industries (before going off to mandate it).

* Those reports, of course, should indicate performance metrics (as well as how to measure them) and dictate what levels of service the companies must provide and must NOT mandate specific means of achieving those mandates.

That's just for starters.

I'm sure I could think up more. The point is to avoid a "we have to do something!" mentality and think things through and figure out what good can and should be done before deciding that we need to hire a bunch of people who will soon work on justifying their existence and expanding their organizational mission.




The government already has some (somewhat toothless) regulation over grid operators (NERC and FERC).

The problem becomes, what if we're taken by surprise by some piece of infrastructure that nobody expected was critical, but that clearly is? How likely is that to happen? It's virtually guaranteed.


> The problem becomes, what if we're taken by surprise by some piece of infrastructure that nobody expected was critical, but that clearly is? How likely is that to happen? It's virtually guaranteed.

Well, such an event will either be an emergency or it will not be an emergency.

If it's an emergency, it's going to be far too late to bolt on some kind of half-ass emergency security and there's really nothing we can do anyhow. The notion that we could have some kind of oversight is, after all, not at all dependent on whether or not there's a list of industries in the bill. The same thing can (and will) happen if the agency makes up its own list with no public discussion at all. On that note, I'd like to quote something aristus wrote just over a week ago that's apropos: "Policies implemented under the gun have two unfortunate properties: they are wasteful and hard to change after the fact."

And there's nothing stopping them from consulting with that industry on proper security measures. If they're under attack by terrorists and they need help, well, who is going to refuse expert help? (This assumes the government hires real experts and not some congressman's golfing buddy... being able to refuse that "help" is a design feature.)

That leaves us considering the non-emergency case. If that happens, they can go back and amend the law after giving the problem consideration. The advantage this has over the new agency updating its internal list is that it has to go through public discussion. They can't just pass the buck off to an unelected agency with no accountability.


If the question is how can we prevent the attacks we will fail to prevent, we won't. After all, we will fail to prevent them.

The problem becomes what can we do to ensure every piece of infrastructure can be put back on-line in reasonable time. There are a lot of people dedicated to that task, even if, when asked whether their little feud is a piece of critical infrastructure, they may scratch their heads and say "what?".
