Bill Would Foster Cyber-Threat Info Sharing
Public-Private Group Would Promote Best Infosec Practices
Ten Republicans and one Democrat have sponsored a House bill that aims to protect the nation's critical infrastructure, including financial services systems, healthcare, the electric grid and water facilities.
Known as the Precise Act, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011, or HR 3674, would require the Department of Homeland Security to conduct an evaluation of cybersecurity risks to critical infrastructure and determine the best mitigation methods.
The legislation also would establish the National Information Sharing Organization, or NISO, a private-sector-controlled, not-for-profit organization to facilitate best practices, provide technical assistance and enable the sharing of cyber-threat information across critical infrastructure and with the federal government, while safeguarding privacy and civil liberties, according to its sponsors.
"By providing a trusted information sharing structure, we will provide critical infrastructure owners and operators the timely access to actionable cybersecurity information necessary to protect their own networks and facilities," says one of the bill's chief sponsors, Rep. Dan Lungren, the California Republican who chairs the House Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.
The bill defines critical infrastructure as systems that if destroyed or disabled would result in a significant number of deaths, cause mass evacuations, major disruptions of the economy or significant disruption to national security.
The bill designates three major missions for the NISO:
- Facilitate the exchange of cyberthreat information, best practices and technical assistance among its membership.
- Help create a common operating picture built from information contributed by technically sophisticated members such as the government, Internet service providers and other members with access to large amounts of network-related information.
- Serve as a catalyst for cooperative research and development of member-driven research projects.
NISO members would pay for its operation, though the bill provides for the federal government to kick in $10 million during its first three years to get it going.
To encourage information sharing, which would be voluntary, the bill exempts shared information from being unveiled under the Freedom of Information Act and state disclosure laws. Plus, shared information cannot be used in a lawsuit except by written consent of the organization submitting the information to the NISO. Disclosed information cannot be used for regulatory purposes. Providing the information to the federal government through the NISO process would relieve the submitter of any liability for failure to warn or failure to disclose.
Exchange of information between public sector members of the NISO would not be considered a violation of antitrust laws. Government employees or individuals working with the NISO found to have disclosed protected cyber-threat information obtained in the course of their official duties face penalties that could include fines and prison time.
Besides Lungren, the bill is sponsored by Homeland Security Committee Chairman Peter King, R-N.Y., and eight other Republican representatives: Michael McCaul of Texas, Gus Bilirakis of Florida, Candice Miller and Tim Walberg of Michigan, Billy Long of Missouri, Tom Marino of Pennsylvania, Bob Turner of New York and Steve Stivers of Ohio. The lone Democratic sponsor is Jim Langevin of Rhode Island, who co-founded the House Cybersecurity Caucus with McCaul.