Cybersecurity bill gives DHS power to punish tech firms

Democratic politicians are proposing a novel approach to cybersecurity: fine technology companies $100,000 a day unless they comply with directives imposed by the U.S. Department of Homeland Security.

Legislation introduced this week would allow DHS Secretary Janet Napolitano to levy those and other civil penalties on noncompliant companies that the government deems "critical," a broad term that could sweep in Web firms, broadband providers, and even software companies and search engines.

"This bill will make our nation more secure and better positions DHS--the 'focal point for the security of cyberspace'--to fulfill its critical homeland security mission," said Rep. Bennie Thompson (D-Miss.), the chairman of the House Homeland Security Committee.
 
Thompson's proposal comes after a decade of heated, sometimes classified discussions in Washington centering on how much authority the federal government should have to regulate network and computer security, and which agency should be in charge. In a series of reports, three successive presidential administrations have taken strikingly similar approaches that favor self-regulation.

Skeptics say it's not clear that lawyers and policy analysts who will inhabit DHS' 4.5 million square-foot headquarters in the southeast corner of the District of Columbia have the expertise to improve the security of servers and networks operated by companies like AT&T, Verizon, Microsoft, and Google. (American companies already spend billions of dollars on computer security a year.)

"Congress is stepping forward to regulate something it has no idea how to regulate," says Jim Harper, a policy analyst at the free-market Cato Institute. "It's a level of bureaucracy that actually adds nothing at all."

DHS's own cybersecurity record is far from perfect. In 2005, government auditors concluded that DHS failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies; as recently as 2008, the head of the DHS said the agency still needed to develop a plan to respond to a "cybercrisis."

Besides Thompson, the new bill, called the Homeland Security Cyber and Physical Infrastructure Protection Act (HSCPIPA), has other high-profile backers. Rep. Jane Harman (D-Calif.), chairman of the intelligence subcommittee, and Yvette Clarke (D-N.Y.), chairman of the cybersecurity subcommittee, are also co-sponsors. No Republicans have signed on.

"Cyberattacks, whether originated by other countries or sub-national groups, are a grave and growing threat to our government and the private sector," Harman said. "This bill provides new tools to DHS to confront them effectively and make certain that civil liberties are protected."

Section 224 of HSCPIPA hands DHS explicit legal "authorities for securing private sector" computers. A cybersecurity chief to be appointed by Napolitano would be given the power to "establish and enforce" cybersecurity requirements.

HSCPIPA's process works like this: DHS draws up a list of regulated "critical" companies by evaluating the likelihood of a "cyberincident," existing vulnerabilities, and the consequences of an attack. DHS is supposed to consult with the NSA, other federal agencies, and the private sector to the "maximum extent practicable," but the other groups don't get a veto over the final list.

Any "system or asset" that is a "component of the national information infrastructure"--read broadly, that could be any major Web site or provider--is fair game for DHS regulation. Companies can appeal if they don't want to be on the "critical" list, but it means asking DHS to reconsider its original decision (no neutral party considers the appeal).

"With a little bit of imagination, you can pretty much pull anything into that," says Lauren Weinstein of People for Internet Responsibility. "Does Google represent critical infrastructure now? It's hard to see how any major Internet service or property could be assured of the fact that it would not be covered."

Once the list is complete, DHS has the authority to require those regulated tech companies to "comply with the requirements" that it has levied. Those requirements include presenting "cybersecurity plans" to the agency, which has the power to "approve or disapprove" each of them. DHS "may conduct announced or unannounced audits and inspections" to ensure "compliance."

"In the case of noncompliance," the legislation says, DHS "may levy civil penalties, not to exceed $100,000 per day, for each instance of noncompliance."

Harper, from the Cato Institute, says that private firms already have the right incentives on cybersecurity. HSCPIPA imposes "a layer of bureaucracy that seeks to replicate the incentive structure that technology firms already face," he says.