Draft legislation that proposes the establishment of a so-called National Information Sharing Organization will be the subject of a hearing to be held Tuesday by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.
The not-for-profit National Information Sharing Organization would share cyber-threat information among various government and private-sector constituencies and would consist of representatives from federal, state and local governments, businesses representing the nation's critical infrastructure as well as from seven specific sectors - including banking and healthcare - and the privacy and civil liberties communities.
The draft legislation wouldn't grant the Department of Homeland Security direct authority over other agencies or the operators of the nation's critical infrastructure, mostly owned by the private sector, but would provide DHS responsibilities to coordinate cybersecurity activities among government and private-sector entities.
In testimony to be delivered at the hearing, Cheri McGuire, representing the Business Software Alliance, says a reason the government is reluctant to share real-time actionable information is because there is no mandate to do so. "The mandate within the structure of the NISO that the government must share information is a strong step in the right direction," says McGuire, vce president of global government affairs and cybersecurity policy at security vendor Symantec. "However, questions remain about how we will continue to utilize the existing entities under the proposed NISO framework."
Other provisions of the draft legislation would have the secretary Homeland Security:
- Develop and conduct risk assessments of federal information systems, and on request, the nation's critical IT infrastructure in consultation with other agencies heads and the private owners of the critical IT systems.
- Designate a lead cybersecurity official to provide leadership to the department's cybersecurity activities.
- Acquire, integrate and facilitate the adoption of new cybersecurity technologies and practices to keep pace with emerging terrorist and other cybersecurity threats and developments.
- Lead nationwide cybersecurity awareness and outreach initiatives.
- Establish, in coordination with the National Institute of Standards and Technology and other appropriate agencies, benchmarks and guidelines for making critical infrastructure information systems more secure at a fundamental level, including through automation, interoperability and privacy-enhancing authentication.
- Coordinate development of national cybersecurity incident response and restoration plans based on applicable law that describe the specific roles and responsibilities of governmental and private entities during cyber incidents.
- Conduct exercises and simulations to support the national response to terrorism and other cybersecurity threats and incidents and evaluate the national cyber-incident response plans.
Other aims of the draft bill, offered by subcommittee Chairman Daniel Lungren, R-Calif., would bolster cybersecurity employment within the federal government and foster research and development into new technologies and methods to secure government IT and the nation's critical information infrastructure.
Witnesses scheduled to testify before the congressional panel include Cheri McGuire of Symantec, Greg Shannon of Carnegie Mellon University's Computer Emergency Readiness Team, Gregory Nojeim of the Center for Democracy and Technology and Keven Kosas of the Congressional Research Service.