The House Homeland Security Committee has now released its own updated version of a cybersecurity bill. The text is (Lungren Substitute April 2012). This bill stands in pretty significant contrast to the Rogers-Ruppersberger bill which (in its amended form) has come under some criticism from the privacy and civil liberties community. Regarding this new offering from Congressman Lungren, I am told that the “cyber threat information” definition could still change and that FISMA language is still to come.
My assessment of the new version is that:
- The new language in section 226 giving DHS the lead on cyber is arguably vaguer than before and, potentially, broader. Much of what is offered here will depend on how it is implemented if passed;
- In section 242 the bill moves away from the formal public-private partnership that had earlier been proposed. Instead it substitutes a government-managed Cybersecurity and Communications Integration Center, with a Board of Advisors from the private sector to help guide it. That seems to me an unusual construct. I wonder how it will interact with open-meeting and FACA type rules.
Section 248 of the bill creates a private right of action for handling personal information in violation of rules established by the Center and allows for punitive damages and attorney’s fees. Even with a “good faith” defense, this will be a trial lawyer’s dream.
This bill, putting DHS at the center of cybersecurity, comes from the House Homeland Security Committee. That is no surprise. What is particularly welcome, then, is Congressional recognition that, at this point, DHS does not have as deep a talent pool as it needs to do the mission assigned. The provisions of section 227 of the bill, authorizing higher pay, benefits and retention bonuses, are a welcome step. If we are going to have a civilian agency managing the government’s interaction with the cyber domain, we are wise to make sure it has the requisite intellectual capabilities.
[UPDATE: The dangers of blogging in near-real time are clear. Sometimes you get out-of-date information. When I posted this blog earlier this evening, I was using a draft that had been shared with me from a contact in the House. Almost immediately, Congressman Lungren’s staff was on the email to me with a correction — the version I was using was a discussion draft from a few days ago and the actual proposed amendment was now available. I’ve corrected the link above, and struck out the discussion of a private right of action, which has been removed from the bill.]