Lungren Seeks to Increase Cybersecurity Coordination with New Clearinghouse Organization
The draft of a new House cybersecurity bill seeks to blend elements of the White House cybersecurity proposal with some recommendations from the House Republican Cybersecurity Task Force, in an effort to pass bipartisan cybersecurity legislation this session. The proposal, which will be formally introduced next week, would establish DHS as the lead agency to coordinate the response to national cyberthreats, create a new non-governmental organization to increase information sharing between the public and private sectors and emphasize voluntary incentives for private companies to secure U.S. networks.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The bill was authored by Dan Lungren, R-Calif., chairman of the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, who said he was encouraged by the interest he has received in the bill during a subcommittee hearing Tuesday. “That is a good sign that while we certainly are not perfect we are at least moving forward with a concept in an area that needs to be developed,” Lungren said. The draft has already received preliminary endorsements from the leader of the House GOP Cybersecurity Task Force, a chief scientist for the U.S. Computer Emergency Readiness Team (US-CERT) and at least one major private sector Internet security company, Symantec.
The proposal would create a new, non-governmental authority called the National Information Sharing Organization (NISO) to coordinate and facilitate the exchange of cyber threat information between the government and approved private sector entities. The secretary of the Department of Homeland Security would appoint a 15-person board of directors consisting of 10 members from the private sector, four representatives from federal agencies and one DHS representative, the draft proposal said. Currently, US-CERT acts as a conduit for information sharing among the government, the private sector and other information sharing and analysis centers (ISACs).
Rep. Yvette Clarke, D-N.Y., was skeptical about the proposal and said she wanted more details about how NISO would operate. “I think it’s important that we look closely at the details of this quasi-governmental entity, to explore the real life implications of such a body and its actions, and how it would affect the [Department of Homeland Security’s] ability to enhance cybersecurity for our government agencies, our crucial infrastructure, and ultimately for our citizens,” Clarke said.
The chief scientist for US-CERT, Greg Shannon, told lawmakers Tuesday that he endorsed the legislation’s proposal for NISO and encouraged Lungren to offer increased funding and incentives for cybersecurity research and development projects. “We believe that a third-party, non-profit facilitator for the disclosure and dissemination of cybersecurity knowledge creates an excellent environment for all participants, both government and non-government to readily share information,” he said. Symantec Vice President-Government Affairs Cheri McGuire told committee members that the draft legislation is “a positive step forward in developing a national cybersecurity policy.”
The draft proposal also gives the DHS the lead in coordinating the nation’s response to cyberattacks, which was advocated earlier this year by the White House’s cybersecurity proposal (CD May 13 p10). Lungren’s proposal differs from HR-3523, the Cyber Intelligence Sharing and Protection Act, a bill introduced last week by House Intelligence Committee Chairman Mike Rogers, R-Mich., and Ranking Member Dutch Ruppersberger, D-Md.. Roger’s bill, which aims to increase cyberthreat information sharing between national intelligence agencies and the private sector, passed a House Intelligence Committee markup Friday by a 17-to-1 vote with Rep. Jan Schakowsky, D-Ill., voting in opposition.
Rep. Mike McCaul, R-Texas, agreed that DHS should be given the lead role and scorned Rogers’ attempt to give intelligence agencies more power over U.S. cybersecurity coordination efforts. “There was a bill that was passed in the intelligence committee that does not really specify which agency should be in charge of information sharing. Some would argue the [National Security Agency] is the best agency to conduct this. I tend to disagree with that assessment because civilian control is important,” McCaul said. “I personally think it should be DHS.” McCaul authored the Cybersecurity Enhancement Act, HR-2096, which aims to increase U.S. cybersecurity research and development by providing research grants and increasing federal IT training to bolster the government’s cybersecurity workforce.
Greg Nojeim, a senior counsel for the Center of Democracy and Technology, said Lungren’s bill “wisely cements the role of DHS as the lead federal agency for cybersecurity” rather than intelligence agencies or the Department of Defense. Nojeim recently threw cold water on Roger’s cybersecurity bill and raised concerns about the privacy implications inherent in the legislation’s broad language. Nojeim also endorsed the creation of NISO because “a privately run information sharing organization is more likely to have the necessary agility than a government-run agency.” But Nojeim said he was concerned about some of the information sharing provisions in the draft proposal and encouraged the committee to tighten them so the privacy of any private sector consumer information will be protected.
Lungren said he plans to formally introduce the legislation next week and indicated it may incorporate some changes based on comments in Tuesday’s hearing. Though Lungren said it’s unlikely that the proposed legislation will undergo a markup before the end of the year, he intends to accelerate debate on the legislation “because the issue is one that cannot wait.”