House bill favors private-government cooperation over regulation

National Cybersecurity and Critical Infrastructure Protection Act of 2013 to support country's major infrastructure sectors


A bipartisan bill introduced in the House aims to strengthen the cybersecurity of the nation's critical infrastructure through cooperation between government and the private sector instead of new regulations.


The National Cybersecurity and Critical Infrastructure Protection Act of 2013 was introduced Wednesday by members of the House Homeland Security Committee.

The bill tries to bolster cybersecurity in the nation's 16 critical infrastructure sectors and the federal government, while prohibiting new regulatory authority at the Department of Homeland Security, according to a summary of the bill. The proposal also says the act would be "budget neutral."

Rather than use a regulatory stick to get the private sector to cooperate with government agencies, the bill establishes an "equal partnership between private industry and DHS (Department of Homeland Security), and ensures that DHS properly recognizes industry-led entities to facilitate critical infrastructure protection and incident response."

In addition, the bill codifies parts of the National Infrastructure Protection Plan supported by the private sector. The NIPP is mostly a voluntary public-private framework for protecting critical infrastructure and sharing cybersecurity data.

"A good first step, but it falls short as it provides support for information and knowledge sharing, but does not require it," Murray Jennex, a professor of information systems security at San Diego State University, said of the bill. Jennex worked for several years as a consultant for the San Onofre nuclear power plant.

Creating an information-sharing bureaucracy without requirements is unlikely to be effective, Jennex said.

"From a knowledge management perspective, we know knowledge and information flow mostly through informal channels and not through bureaucracy, the exception to some degree is the nuclear industry where the bureaucracy was specifically directed to facilitate and require knowledge and information sharing following the Three Mile Island 2 nuclear event," he said.

In 1979, a cooling system malfunction caused partial melting of the core in Unit 2 of the Three Mile Island nuclear power plant near Harrisburg, Penn. The accident resulted in the escape of some radioactive gas, but there were no injuries or adverse health effects.

"I am afraid it will take something like an equivalent TMI 2 disaster before the act will go far enough to encourage fruitful and effective knowledge and information sharing," Jennex said.


Jacob Olcott, principal of the cybersecurity practice at Good Harbor Consulting, said he favored the bill's support for the National Cybersecurity Framework initiated by an executive order from President Barack Obama in February.

"It's important to see that this initiative has achieved bipartisan support," Olcott said.

The NCF, led by the National Institute of Standards and Technology (NIST), is an initiative to develop standards that define baseline cybersecurity measures. NIST published a preliminary version of the framework in October.

Olcott predicted that the section of the bill that would provide liability exemptions for companies that suffer damage in cyberattacks would be controversial.

"That should engender quite a bit of discussion, if the bill makes it to the House floor," he said.

Parts of the bill that would help national security include one that defines the language of cybersecurity in critical infrastructure, Jennex said.

"This is good and important as it aids in ensuring everyone understands what is being said," he said.

Copyright © 2013 IDG Communications, Inc.
