The Senate Homeland Security Committee has introduced the broad cybersecurity legislation promised late last year by Senate majority leader Harry Reid (D-NV). But contrary to the fears of many—or perhaps because of them—the bill's scope is tightly restrained, excluding the vast majority of commercial systems and Internet infrastructure itself from coverage.

In many ways, the 205-page Senate bill, called the Cyber Security Act of 2012, incorporates aspects of the House's cybersecurity bill, introduced in December. If enacted, it would grant new authority to the Department of Homeland Security to oversee government information security measures and to set "cybersecurity performance requirements" for companies and organizations that own systems DHS designates as "critical infrastructure." It also sets standards for government network security and creates a clearinghouse for sharing information about security threats. But it steers clear of establishing new regulation over the wider Internet, and specifically excludes commercial software and network services from coverage—perhaps because legislators want to avoid the backlash encountered over SOPA and PIPA.

In its provisions providing for the DHS to designate systems as critical infrastructure, the bill specifically spells out that the DHS may not put security requirements on "a system or asset based solely on activities protected by the First Amendment to the Constitution of the United States; an information technology product or service based solely on a finding that the product or service is capable of, or is actually, being used in covered critical infrastructure; a commercial information technology product, including hardware and software; or any service provided in support of [commercial hardware or software]."

The exclusions in the final draft are a response to concerns voiced by the tech industry, including Juniper Networks' Vice President of Government Affairs Bob Dix, that the bill as it had appeared in early drafts could have given the government authority to take over cloud providers and privately owned networks. In an interview with The Hill, Dix called some of the proposed powers in early drafts of the legislation "very scary."

David LeDuc, the Software and Information Industry Association's senior director for public policy, told Ars in a phone interview that the SIIA is "very pleased to see that [the committee] has made significant progress" on the bill since an early draft was circulated about six months ago, and that "they've done a very good job of making sure the bill isn't too prescriptive for IT companies." But LeDuc said that one lingering concern is that even with the exemption of IT companies, the regulatory framework created by the bill could still end up affecting the industry. "Even in carving out the IT sector, it's hard to accomplish the goal of regulating the critical infrastructure sector without passing that on to IT," he explained.

The bill still does give DHS a broad new set of powers and responsibilities over industries that fall under the header of "critical": those with infrastructure that, if attacked, could interrupt critical services, damage the economy, or threaten national security. While it puts enforcement in the hands of the agencies that already regulate specific industry sectors, it gives DHS the ability to designate a wide swath of industry as "critical" and place new security requirements on it, and authorizes DHS to step in when other agencies fail to enforce standards adequately. Companies with infrastructure tagged as critical by DHS would need to meet whatever security "performance requirements" are set by the agency, and report any significant cyber incidents affecting covered critical infrastructure.

But the bill would also allow critical infrastructure companies to decide how best to meet DHS's security standards and to "self-certify" their compliance annually. And the bill gives organizations protection from litigation, shielding them from punitive damages for outages or incidents triggered by a cyber-attack if they are deemed to have met DHS's standards.