The latest in what has become a long line of legislation introduced in the House and the Senate in 2010 that attempts to address the country’s computer security shortcomings is a new measure brought forward by Rep. Bennie Thompson that would, among other things, allow DHS to force certain private network operators to adhere to specific “performance-based standards” for securing their networks.
Thompson’s cybersecurity bill includes a provision that would establish a new office within DHS to enforce compliance with federal security standards and regulations. The proposed Cybersecurity Compliance Division in DHS would be charged with overseeing “the establishment of performance-based standards responsive to the particular risks to the .gov domain and critical infrastructure networks.” It’s unclear what exactly those standards would address and who would have the authority to designate which networks are included in the rather vague term “critical infrastructure networks.”
The bill also would require “DHS to work with network operators, to develop tailored security plans that meet risk-based, performance-based standards, similar to the current chemical security law.”
“From a security and good-government standpoint, the way to deliver better cybersecurity is to leverage, modify, and enhance existing structures and efforts, rather than make wholesale bureaucratic changes. This bill will make our nation more secure and better positions DHS – the ‘focal point for the security of cyberspace’ – to fulfill its critical homeland security mission,” Thompson (D-MS) said in a statement.
DHS has been designated as the federal government’s lead agency for computer security, although the department has faced a number of major hurdles in recent years in assuming that role. DHS has not had any authority to enforce security regulations or standards with other federal agencies, and its intelligence-gathering capabilities have been limited by the reluctance of private companies to share data on attacks, threats and vulnerabilities.
Thompson’s bill, dubbed the “Homeland Security Cyber and Physical Infrastructure Protection Act of 2010,” seeks to address that weakness by requiring DHS to share threat intelligence and protect proprietary information. It’s not made plain whether DHS is meant to share intelligence only within the federal government or whether some level of data can be made available to outside organizations.
In many cases, private companies have seen no benefit in sharing their own intelligence with DHS or other federal agencies because no data was flowing the other way. For Thompson’s proposed bill to succeed in practice, it likely would need some provision that gives organizations an incentive to share threat intelligence with DHS in return.