CORRECTED: A previous version of this story misattributed a quote by Gregory Nojeim in the 7th paragraph, and also contained a typographical error in that paragraph.
The chairman of the House Homeland Security Committee’s cybersecurity panel said on Tuesday that he plans to introduce legislation next week that would codify the Homeland Security Department’s role as the lead federal agency in trying to protect against cyberattacks on the nation’s critical infrastructure.
But Rep. Dan Lungren, R-Calif., chairman of the Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee, said while he is planning to introduce the bill next week, he did not expect the subcommittee would have enough time to mark it up before the end of the year.
Lungren’s measure offers an alternative to legislation approved last week by the House Intelligence Committee that would require the director of national intelligence to outline a framework for the intelligence community to share with the private sector classified intelligence about cyberthreats. It would create the nonprofit National Information Sharing Organization for exchanging cyberthreat information between the government and private sector and provide technical support and assistance.
A House GOP task force, made up of representatives from the nine committees with jurisdiction over cyber issues, last month called for industry-friendly cybersecurity incentives to encourage greater cooperation on cybersecurity instead of a more regulatory approach proposed in the Senate.
At Tuesday’s hearing, Center for Democracy and Technology Senior Counsel Gregory Nojeim said his group is pleased that Lungren's draft bill formally puts a civilian agency in charge of cybersecurity instead of the Defense Department and encourages private-sector cooperation without requiring companies to meet government mandates. However, he voiced concern about the extent of information that companies would share with the government and encouraged the panel to ensure privacy would be protected.
“Civilian control promotes the transparency and trust that are essential to the program’s success,” Nojeim said. He added that given that the private sector controls 80 percent of the nation’s critical infrastructure, it’s important that companies have trust that the information they provide to the government will be used for the intended purpose. He said a civilian agency such as DHS can provide a more transparent process than the National Security Agency or another military agency.
The Center for Democracy and Technology has questioned the approach taken by the House Intelligence Committee’s bill, drafted by Intelligence Committee Chairman Mike Rogers, R-Mich. The bill would give private companies access to classified threat information but also encourages them to share information with the government. Nojeim said while his organization favors having intelligence agencies share more information about cybersecurity threats with the private sector, they are concerned that Rogers’ bill does not place limits on how much and what kind of information the private sector can share with the government.
“It’s important to limit that flow back,” Nojeim said, adding that the Lungren draft bill could be improved by including some limits on what data companies can share with the government.
Cheri McGuire, vice president of global affairs for security provider Symantec, agreed that DHS should be the lead agency. But after the hearing, she said her firm does not favor one bill over the other and is instead focused on ensuring the private sector has access to critical government information about cyber threats.
Lungren said he believes the Intelligence bill is complementary. “But we make very explicit who should be in the driver’s seat,” he said. “In the civilian capacity, it ought to be DHS. This is such an important issue. It should not be left vague.”