There does not appear to be any limitation on what can be deemed critical.
And the government gets to decide cybersecurity standards:
Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
From Cnet:
Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)
I do not care who the president is, he should not have that much power without significant limitations on when he can use it. In a *defined* emergency, I could see a requirement to disconnect a network from the internet. What are the limits on "shall share"? Is it just network routing information, or does it include the data on the computers themselves? Reading the bill, I do not see a limit here, either.
A lot of the bill makes sense for how the government deals with its own computers, but the control of computers and networks "deemed critical" is frightening. It may not be misused, but I don't want to rely on the good nature of future administrations, even if I trusted this one.
(HT to Walls of the City)