House bill favors private-government cooperation over regulation

A bipartisan bill introduced in the House aims to strengthen the cybersecurity of the nation's critical infrastructure through cooperation between government and the private sector instead of new regulations.


The National Cybersecurity and Critical Infrastructure Protection Act of 2013 was introduced Wednesday by members of the House Homeland Security Committee.

The bill tries to bolster cybersecurity in the nation's 16 critical infrastructure sectors and the federal government, while prohibiting new regulatory authority at the Department of Homeland Security, according to a summary of the bill. The proposal also says the act would be "budget neutral."

Rather than use a regulatory stick to get the private sector to cooperate with government agencies, the bill establishes an "equal partnership between private industry and DHS (Department of Homeland Security), and ensures that DHS properly recognizes industry-led entities to facilitate critical infrastructure protection and incident response."

In addition, the bill codifies parts of the National Infrastructure Protection Plan supported by the private sector. The NIPP is mostly a voluntary public-private framework for protecting critical infrastructure and sharing cybersecurity data.

"A good first step, but it falls short as it provides support for information and knowledge sharing, but does not require it," Murray Jennex, a professor of information systems security at San Diego State University, said of the bill. Jennex worked for several years as a consultant for the San Onofre nuclear power plant.

Creating an information-sharing bureaucracy without requirements is unlikely to be effective, Jennex said.

"From a knowledge management perspective, we know knowledge and information flow mostly through informal channels and not through bureaucracy; the exception to some degree is the nuclear industry, where the bureaucracy was specifically directed to facilitate and require knowledge and information sharing following the Three Mile Island 2 nuclear event," he said.

In 1979, a cooling system malfunction caused partial melting of the core in Unit 2 of the Three Mile Island nuclear power plant near Harrisburg, Penn. The accident resulted in the escape of some radioactive gas, but there were no injuries or adverse health effects.

"I am afraid it will take something like an equivalent TMI 2 disaster before the act will go far enough to encourage fruitful and effective knowledge and information sharing," Jennex said.


Jacob Olcott, principal of the cybersecurity practice at Good Harbor Consulting, said he favored the bill's support for the National Cybersecurity Framework initiated by an executive order from President Barack Obama in February.

"It's important to see that this initiative has achieved bipartisan support," Olcott said.

The NCF, led by the National Institute of Standards and Technology, is an initiative to develop standards that define baseline cybersecurity measures. NIST published a preliminary framework in October.

Olcott predicted that the section of the bill that would provide liability exemptions for companies that suffer damage in cyberattacks would be controversial.

"That should engender quite a bit of discussion, if the bill makes it to the House floor," he said.

Parts of the bill that would help national security include one that defines the language of cybersecurity in critical infrastructure, Jennex said.

"This is good and important as it aids in ensuring everyone understands what is being said," he said.

Stories by Antone Gonsalves