The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act, known by the acronym Precise, also would authorize the Department of Homeland Security to coordinate IT security efforts among the federal government's non-defense and non-intelligence agencies as well as the operators of the critical infrastructure. The legislation also would establish mechanisms to foster the sharing of cyber-threat information among federal, state and local governments and businesses operating the nation's critical IT infrastructure.
The Precise Act, approved by the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, goes to the full Homeland Security Committee for consideration. The measure, HR 3674, is one of several cybersecurity bills winding their way through the House of Representatives. The Senate is expected to take up a more comprehensive cybersecurity bill in the coming days or weeks.
Subcommittee Chairman Dan Lungren, R-Calif., the bill's chief sponsor, says he understands the reservations many of the private-sector owners of critical infrastructures have about further regulation but adds that some regulation is necessary. Lungren contends the Precise Act would be less intrusive than legislation before the Senate, which would have DHS regulate cybersecurity across various sectors, and President Obama's plan, which would establish an audit regime to ensure compliance with cyber standards.
The Precise Act would call on industry regulators to adopt existing cyber standards necessary to mitigate agreed upon cybersecurity risks. "This concept does not address every risk, only those critical to our country, and it does it in the least disruptive manner," Lungren says. "In my view, the alternatives, including preserving the status quo of voluntary action, are no longer acceptable."
Rep. Jim Langevin, D-R.I., points out that the legislation represents a bipartisan compromise between those who favor tougher regulations and those who oppose any new rules on businesses operating critical IT. "We know voluntary guidelines simply have not worked," says Langevin, one of the bill's cosponsors. "For the industries upon which we most rely, government has a role to work with the private sector on setting security guidelines and ensuring they are followed."
The legislation would establish the National Information Sharing Organization, or NISO, that would facilitate the exchange of vital cyber-threat information, best practices and technical assistance among its private-sector and government members; create a common operating picture of the network enabled by its most sophisticated members, Internet service providers and the government; and promote cooperative research and development projects driven by NISO members.
Karen Evans, who served as chief information officer under President Bush, questions the need for NISO. "We have looked at this problem/challenge over and over again and we as nation just need to start to move forward," she says. "Creating another organization seems like it will slow down process not necessarily enhance it."
Larry Clinton, president of the industry trade group Internet Security Alliance, says the bill's emphasis on using market incentives as opposed to overt regulation to promote cybersecurity is a positive step. But Clinton says he doubts the bill would become law as written, citing opposition by four ranking Republican lawmakers who oppose expanding DHS's regulatory powers.