House Cybersecurity Legislation Could Strengthen DHS Oversight of Private Networks
Cybersecurity legislation introduced Wednesday in the House Homeland Security Committee would give the Department of Homeland Security additional oversight of government and private infrastructure. The bill, sponsored by Chairman Bennie Thompson, D-Miss., is too bureaucratic and could have serious implications for business, some Internet advocates said.
The bill will make the nation more secure and it “better positions DHS -- the focal point for the security of cyberspace -- to fulfill its critical homeland security mission,” Thompson said. The measure is backed by Reps. Jane Harman, D-Calif., and Yvette Clarke, D-N.Y. “This bill will protect our country from a growing risk of ‘hacks’ and better allow the Department to fulfill its duties of protecting our nation,” Clarke said.
The legislation calls for creation of a Cybersecurity Compliance Division that would require “covered critical infrastructures” to comply with requirements aimed at preparing, preventing and recovering from cyber incidents. It would require the division to work with network operators to create security plans to be applied to the operations of critical infrastructure. The division director could impose civil penalties up to $100,000 a day on companies that don’t comply with the requirements, the bill said.
The critical infrastructure covered would be determined by the director, the bill said. It includes systems or assets that, if disrupted, “would cause a national or regional catastrophe.” That would cover networks in any of the 18 sectors that DHS has said run critical infrastructure, a committee aide said.
The definition is too broad, said Lauren Weinstein, co-founder of People for Internet Responsibility. “It appears that it could draw into its maw a wide variety of private sector enterprises,” he said. “The lack of specifics leads to concerns that there’s potential for overreaching and abuse and micromanaging.” The bill would only add a bureaucratic layer, said Jim Harper, director of information policy studies at the Cato Institute. The fine of $100,000 per day is astronomical, “especially considering that cybersecurity is something that infrastructure owners already will be doing,” he said. “They stand to lose money naturally if they get their cybersecurity wrong.”
“The private sector arguably does a better job of securing infrastructure than the public sector,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation. “The public sector doesn’t really know what it’s doing,” and “the weaknesses in government systems don’t make anyone feel any better,” he said.
DHS would be required to “share relevant information regarding cybersecurity threats and vulnerabilities and any proposed actions to mitigate them,” the bill said. Information-sharing could come in the form of a broader alert, the committee aide said. It could be more of a situational awareness warning of worms or botnets, instead of providing details of specific attacks on specific companies, the aide said. Sharing information could create privacy problems, Weinstein said. “If you're AT&T or Time Warner, there’s a concern that too much information is requested, or that information that’s collected will be abused.”
Owning critical infrastructure is considered good, Harper said. “But if it means that you stand to be fined, people will argue that they don’t own the infrastructure and try to get away from this designation.” Cybersecurity should be left to experimentation for private owners “who are really responsible for this stuff,” he added.