By Steve Elwart
A bill has been introduced in the U.S. House of Representatives that would be the start of a coordinated cybersecurity information sharing program.
The bill, named the “Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011,” or “H.R. 3674 The PrECISE Act,” would require the Department of Homeland Security to be the lead government agency in identifying and developing cybersecurity standards for systems that control critical infrastructure. The bill also would create a non-profit clearinghouse for the sharing of cybersecurity threat information between government agencies and the private sector.
Unlike some other bills working their way through the Congress, The PrECISE Act does not address the establishment of comprehensive data security programs or require notifications of a firewall breach.
What the bill does do is direct DHS to identify and evaluate cybersecurity risks to critical infrastructure and to determine the best mitigation strategies for combating a cyberattack. The bill defines “covered critical infrastructure” as facilities or functions in which a disruption could cause significant loss of life, major economic disruption, mass evacuations for an extended length of time or a severe degradation of national security. There are currently 18 Critical Infrastructure Sectors in the United States as established in Homeland Security Presidential Directive 7 (HSPD-7).
U.S. Rep. Peter T. King, R-N.Y., chairman of the Committee on Homeland Security, said, “The risk of cyberattack by enemies of the United States is real, is ongoing, and is growing.”
Recent attacks on computer systems for financial institutions, power grids, industrial plants and Internet providers have prompted calls for Congress to do more to protect the nation’s vital assets.
Under the bill, DHS would be responsible for:
- Coordinating protection of government systems and critical infrastructure.
- Developing and coordinating a national cyber incident response.
- Facilitating information sharing and dissemination.
- Integration of government and private sector operational information.
“Congress and the administration have been dithering over cybersecurity for years,” said Stewart Baker, a former assistant secretary for policy at the Homeland Security Department and a partner at the Steptoe & Johnson LLP law firm in Washington. “In that time, American companies have been robbed blind. This does underline, if any underlining is necessary, that we need a strong cybersecurity bill.”
The PrECISE Act also incorporates provisions similar to another bill introduced in the House that has been designed to encourage voluntary information-sharing between and among the federal intelligence community and private businesses. The PrECISE Act would establish a non-profit clearinghouse, which would be designated the National Information Sharing Organization, or NISO.
The clearinghouse is a key part of the legislation for the private sector. In the past, there have been concerns about information sharing that has made the private sector reluctant to report security breaches.
First, there has been the problem of where to report. Responsibility for cybersecurity is spread across several agencies, including Department of Homeland Security, Department of Energy, FBI, Secret Service, National Security Agency and the Postal Service. All of the agencies have different reporting requirements and formats. Private industry has been asking the federal government for one agency with reporting responsibility so that there isn’t needless reporting to multiple agencies with identical information. The clearinghouse would be the central location for this information.
Also, private industry has been concerned about competitors and hackers using the Freedom of Information act and state disclosure laws to access any central database to get information that could be used to hone an attack on the nation’s infrastructure.
The other concern in the private sector to information sharing was any reporting of incidents and ways to mitigate the threat being construed as a violation of antitrust laws. This bill would exempt this type of information exchange.
The House bill would also exempt information reported on an attempted or actual breach from being released into the public domain without the submitter’s consent, although government can issue sanitized warnings to industry and the public. Also, the information submitted by the private sector could not be used by government as a reason to mandate regulations.
NISO would be member-funded, but $10 million in federal money would be authorized for the first three years of operation. The organization’s board would consist of five representatives from the Department of Homeland Security and other federal agencies, 10 representatives from the private sector, and two representatives from the “privacy and civil liberties community,” as well as the chairman of the National Council of Information Sharing and Analysis Centers.
For privacy advocates, having a voice on the board advocating privacy concerns is an important part of the bill. The Center for Democracy and Technology spoke in favor of the draft bill, although that support was tempered by several privacy and data security-related concerns.
There are calls within the private sector to back the legislation because of the fear that if the private sector does not cooperate in reporting and defending against cyberattack voluntarily, there will almost surely be government mandates.
“Protecting critical infrastructure won’t happen spontaneously – there is no business case for it and the market will never deliver,” said James Lewis, director of the technology and public policy programs at the Center for Strategic and International Studies, in an email. “That’s why we need legislation or we’ll wake up some day to find that the lights don’t work.”
Steve Elwart, P.E. is the senior research analyst with the Koinonia Institute and a Subject Matter Expert for the Department of Homeland Security. He can be contacted at firstname.lastname@example.org.