House action on DHS cyber oversight conflicts with Senate proposal

A House panel on Wednesday approved a bipartisan bill that would make the Homeland Security Department responsible for gauging the security of private networks.

In a concession to industry, the measure would not give DHS permission to penalize companies or network operators who fail to comply with the department's protection guidelines.

A forthcoming Senate package appears to have more teeth than the one the House Homeland Security Subcommittee on Cybersecurity passed. "The Senate is expected to vote on a comprehensive bill within the next three weeks," said Leslie Phillips, spokeswoman for Sen. Joe Lieberman, I-Conn., chairman of the Homeland Security and Governmental Affairs Committee.

She said the chamber's legislation will "focus on critical infrastructure with insecure networks, require them to meet risk-based performance standards and provide the government with a number of enforcement mechanisms if they fall short."

The author of the House measure, Rep. Dan Lungren, R-Calif., on Wednesday called his legislation, H.R. 3674, the "least intrusive" of the cyber bills under consideration. The White House last spring presented Congress with a legislative proposal that calls for propping up "an auditing regime to ensure compliance with their cyber standards," Lungren said.

Under the committee's bill, DHS would not have the power to fine or otherwise punish covered critical infrastructure companies that fail to follow the standards, according to a committee aide.

Rhode Island Democrat Rep. Jim Langevin, a co-sponsor, said in a statement: "For the industries upon which we most rely, government has a role to work with the private sector on setting security guidelines and ensuring they are followed."

The House committee's legislation also would set up a nonprofit organization to mediate the sharing of cyber threat information between federal agencies and critical U.S. industries, such as the power, banking and health-care sectors. The proposed National Information Sharing Organization strives to address privacy concerns about Internet service providers being forced to share customer communications with the government.

According to the measure, a network operator would have to provide express consent before the quasi-governmental organization can share the company's information with a federal agency. And private data disclosed to NISO, or the government, cannot be used for purposes other than cybersecurity-related activities, prosecuting individuals suspected of cybercrimes, or reports to Congress.

The bill also would authorize the government to share classified threat intelligence with cleared private sector personnel. The exchange would work similarly to the way classified information is currently shared with defense industrial base contractors in a DIB Cyber Pilot program recently transferred from the Pentagon to DHS. But now, all critical sectors would be privy to the classified information.

A competing bill adopted by the House Intelligence Committee has been criticized for allowing the feds to peer into citizens' personal information -- a concern that committee says is unfounded.

Under the Homeland Security committee measure, companies that choose to divulge breaches through NISO would not be held liable for a failure to notify authorities or customers, committee aides said.

The bill, known as the PrECISE Act, or the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act, also would create a lead cybersecurity official within DHS to oversee all these activities. The existence of this new post, aides said, would not prevent other committees or the executive branch from establishing a White House-level cyber coordinator, such as the cyber czar role held by Howard Schmidt.

Action on the measure followed remarks by Director of National Intelligence Jim Clapper on Tuesday that his office has been challenged by the difficulty of "identifying past or present security breaches . . . and accurately distinguishing between cyberespionage intrusions and potentially disruptive cyberattacks."

He added that spies and cyber infiltrators from China, Russia and Iran "will remain the top threats to the United States in the coming years," noting that "Iran's intelligence operations against the United States, including cyber capabilities, have dramatically increased in recent years in depth and complexity."