The owners and operators of covered critical infrastructure shall have flexibility to implement any security measure, or combination thereof, to satisfy the security performance requirements described in subparagraph (A) and the Director may not disapprove under this section any proposed security measures, or combination thereof, based on the presence or absence of any particular security measure if the proposed security measures, or combination thereof, satisfy the security performance requirements established by the Director under this section.
Phillips reiterated this point with TPMDC: “There is not a ‘kill switch.’” When asked what measures might be envisioned by the legislation, she said, “A software patch, or a way to deny traffic from a certain country. All these measures were be developed with the private sector, not imposed on it.”
In addition to the measures that allow companies to come up with their own ways to mitigate the risks to their companies (and customers) from cyber attacks, and the requirement that they use the least disruptive means possible and attempt to mitigate larger impacts, the legislation also only allows the President to impose the state of emergency for 30 days, with a potential extension of 30 days. Under current law, he is allowed to shut down any and all telecommunications infrastructure for as long as he likes.”