The chairman of the House Homeland Security Committee Wednesday unveiled a new piece of cybersecurity legislation, intended to enforce performance-based security standards on federal networks and certain critical infrastructure in the private sector.
Rep. Bennie Thompson (D-Miss.) modeled his bill after the Chemical Facility Anti-Terrorism Standards (CFATS) law, which requires chemical plants to submit plans to prevent terrorists from blowing up volatile chemicals. The bill, known as the Homeland Security Cyber and Physical Infrastructure Protection Act of 2010, would task the Department of Homeland Security (DHS) with inspecting compliance with cybersecurity standards.
"From a security and good-government standpoint, the way to deliver better cybersecurity is to leverage, modify, and enhance existing structures and efforts, rather than make wholesale bureaucratic changes. This bill will make our nation more secure and better positions DHS -- the 'focal point for the security of cyberspace' -- to fulfill its critical homeland security mission," Thompson said in a statement.
The bill would create a new DHS Cybersecurity Compliance Division to carry out inspections of cybersecurity plans and activities for covered private sector networks. Private companies would enact risk-based plans if DHS determined they were covered critical infrastructure, but businesses would have the opportunity to challenge that designation as well.
In a manner similar to the CFATS chemical security law, operators of critical cyber infrastructure would submit security plans to DHS for review. In return, DHS would share relevant threat intelligence to information technology networks and protect corporate proprietary information.
Reps. Jane Harman (D-Calif.) and Yvette Clarke (D-NY), who chair cybersecurity subcommittees, co-sponsored the bill.
"Cyber attacks, whether originated by other countries or sub-national groups, are a grave and growing threat to our government and the private sector. This bill provides new tools to DHS to confront them effectively and make certain that civil liberties are protected," Harman said in a statement.
Added Clarke, "This bill will provide the DHS with the authority and resources needed to adequately protect our nation's cyberspace and infrastructure. I believe the security of our cyber infrastructure is connected to our national security. This bill will protect our country from a growing risk of 'hacks' and better allow the department to fulfill its duties of protecting our nation."
Thompson argued DHS has not had adequate authority to ensure national cybersecurity despite being designated the lead agency for doing so in 2003 under Homeland Security Presidential Directive 7.
The intent of the bill is somewhat similar to legislation in the Senate introduced by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.), the Protecting Cyberspace as a National Asset Act (S. 3480). The Senate bill, however, would boost congressional oversight of White House cybersecurity activities by requiring Senate confirmation of a cybersecurity coordinator. Thompson's bill does not deal with White House authorities.
Both bills would authorize DHS to inspect cybersecurity plans and activities at key private sector companies deemed important to the US economy.