A bill sponsored by the outgoing head of the House Committee on Homeland Security would give the Department of Homeland Security direct regulatory authority over a wide array of resources, including the Internet and even software companies. The bill, introduced November 17, was referred to the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on November 23.
The cybersecurity bill would allow DHS to designate some unspecified commercial infrastructure as “critical” and give it authority to fine firms up to $100,000 per day if DHS decides they have failed to respond adequately to cybersecurity directives.
Rep. Bennie G. Thompson (D-MS) sponsored H.R. 6423, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2010. Thompson was the Committee’s chair in the 111th Congress, to be replaced in the 112th by Rep. Peter King (R-NY).
‘Enormous Discretion’ for DHS
Gregory Nojeim, senior counsel at the Center for Democracy and Technology, said, “It gives the Director of the Cyber Security Compliance Division enormous discretion to decide what is critical infrastructure, and it doesn’t specify measurable criteria for making that determination. As a result, the entities on which these massive civil penalties may be imposed are indeterminate, and the conduct that would trigger these massive penalties is not yet defined, at least in the legislation.”
Paul Rosenzweig, visiting fellow at The Heritage Foundation, said of the bill, “The premise is the idea that we can define by regulation good security practices. I tend to think that’s overly optimistic in a dynamic environment like the Internet.”
Nojeim said, “I think the initial issue is who has to take steps. And that is kind of put off into the future by giving this new DHS officer the authority to define what is covered critical infrastructure, and without providing a lot of guidance.”
‘Right to Appeal’ Doubted
Noting the bill gives “an owner or operator of the system or asset an opportunity to appeal the determination that they are critical,” Nojeim said, “That right to appeal is not meaningful unless there are verifiable criteria used to make the initial determination, and unless the appeal is heard by an independent body, such as a court. Without that, the right to reconsideration isn’t meaningful.”
“I’m skeptical of the government’s ability to pick winners and losers” when it comes to security practices, Rosenzweig said, “or important places and not important places. Because I’m skeptical of that, I tend to think it is unlikely that [regulation] is the right approach.”
Nojeim agreed: “I think the way to look at this legislation is as a starting point for additional discussion, showing where some members of the Homeland Security Committee will be when the House reconvenes in January.”
Rosenzweig said Thompson was setting a “marker for what he thinks right now.” Rosenzweig also said how well the bill advances toward passing “would depend on Thompson’s relationship with Peter King.”
Loren Heal writes from Neoga, Illinois.
On the Internet:
“Homeland Security Cyber and Physical Infrastructure Protection Act of 2010,” Rep. Bennie Thompson: http://thomas.loc.gov/cgi-bin/bdquery/z?d111:HR06423:@@@C.