New House Bill Taps DHS to Handle Infrastructure Security
Lungren said his bill would "make very explicit who should be in the driver's seat" when it comes to securing critical infrastructure. "In the civilian capacity, it ought to be DHS. This is such an important issue. It should not be left vague," he said.
The bill offers an alternative to the Rogers-Ruppersberger legislation approved last week by the House Intelligence Committee that would allow government agencies to share classified intelligence about cyber-attacks and threats with the private sector. Lungren's bill would create a nonprofit National Information Sharing Organization (NISO) to coordinate cyber-intelligence sharing between critical infrastructure operators, private companies, educational institutions and government agencies. NISO's board would be made up of 10 private-sector individuals representing critical infrastructure stakeholders and five federal officials, selected by the Secretary of Homeland Security.
The fact that the bill puts a civilian agency in charge of cyber-security instead of the Defense Department is reassuring, Gregory Nojeim, a senior counsel for the Center for Democracy and Technology, said in his congressional testimony. While praising the absence of an Internet "kill switch" that would let the government shut down online access, Nojeim is still concerned about the extent of information that companies would share with the government. He recommended limits on the types of data that could be shared.
In the MIT report, researchers acknowledged that cyber-attackers will succeed at some point. "Perfect protection from cyber-attacks is not possible," they wrote. "It is thus important for the involved government agencies (i.e., NIST, DOE, FERC, and DHS), working with the private sector in a coordinated fashion, to support the research necessary to develop best practices for response to and recovery from cyber-attacks on transmission and distribution systems, so that such practices can be widely deployed," the researchers added.
Fears about an attack on critical infrastructure have been around for years, but recently gained more attention as weaknesses were identified in the supervisory control and data acquisition (SCADA) systems that monitor infrastructure and in other industrial control systems. Just recently, an FBI official told attendees at a security conference in London that cyber-attackers had remotely breached the critical infrastructure of three U.S. cities but had not done anything malicious.
A 2011 report from the Electric Power Research Institute found that about $3.7 billion in investment would be needed to protect the grid from cyber-attacks, according to MIT researchers.
"Despite alarmist rhetoric, there is no crisis here. But we do not advise complacency," the researchers wrote.








