Infrastructure protection: Bill would allow DHS to impose cybersecurity standards

Published 6 February 2012

A bill before Congress would significantly increase the power of DHS to monitor the cybersecurity practices of industries and services which are part of the U.S. critical infrastructure. Even though not all the details of the bill have been disclosed, industry sources already criticize it as too far-reaching.

Those portions of the bill which were made public define which companies are part of the U.S. critical infrastructure sector by referring to companies with systems “whose disruption could result in the interruption of life-sustaining services, catastrophic economic damage or severe degradation of national security capabilities.”

The Washington Post reports that the purpose of the bill is to allow DHS to examine whether or not the computer systems and networks of industries which are part of the U.S. critical infrastructure are sufficiently secure against hackers and malware. If DHS determines these cyber systems are not secure enough, then the agency will be allowed to require upgrades and improvements to security.

The bill was written largely by the Senate Commerce, Science and Transportation Committee and the Senate homeland panel, and observers note that there is one thing notably missing from the bill: a “kill switch” – that is, a provision which would give the president authority to shut down Internet traffic to compromised Web sites during a national emergency.

The U.S. Chamber of Commerce and tech companies oppose the bill, preferring voluntary industry self-regulation and consultation with the government instead of a new set of cybersecurity laws.

Stewart Baker, a former assistant secretary at DHS, is not impressed with complaints by the industry and says the government must get involved to force companies to take cybersecurity more seriously. He said that concerns about federal involvement are ingenuous in light of the fact that computer breaches over the past several years offer evidence that hackers and other governments, such as China and Russia, are already inside many industry networks.

“[Critical infrastructure companies] already have governments in their business, just not the U.S.,” Baker said. “For them to say they don’t want this suggests they don’t really understand how bad this problem is.”