A bill introduced in the House of Representatives Thursday would require the Department of Homeland Security to take a lead role in identifying and developing cybersecurity standards for systems that control critical infrastructure. The bill also would create a non-profit clearinghouse for the sharing of cybersecurity threat information between government agencies and the private sector. Unlike some other pending data-security proposals, the bill does not include provisions requiring businesses to establish comprehensive data-security programs or to provide breach notifications.
H.R. 3674, titled the “PRECISE Act” and introduced by Rep. Dan Lungren (R-Calif.), directs the Department of Homeland Security to identify and evaluate cybersecurity risks to critical infrastructure, including private infrastructure; to identify existing standards for mitigating those risks, or to develop such standards if necessary; to create market incentives to encourage the use of the identified performance standards; and to work with the relevant agencies to incorporate “the most effective and cost-efficient” of the identified standards into the regulatory regimes governing covered critical infrastructure. The bill defines “covered critical infrastructure” as facilities or functions in which a disruption could cause significant loss of life, major economic disruption, mass evacuations for an extended length of time, or a severe degradation of national security.
The PRECISE Act also incorporates provisions similar to those in a bill introduced Dec. 1 by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), the chairman and ranking Democrat of the House Intelligence Committee. The Rogers-Ruppersberger bill is designed to encourage voluntary information-sharing between and among the federal intelligence community and private businesses. The PRECISE Act includes similar provisions to encourage private-sector entities to share cyber threat information with a non-profit clearinghouse, which would be designated the National Information Sharing Organization.
Voluntary membership in the organization would be open to federal, state and local government agencies, private businesses, and academic institutions, and the organization would be directed to facilitate the sharing of classified information with cleared members of the organization. Information shared with the organization would be exempt from FOIA and state disclosure laws, and the information could not be used for regulatory purposes or in a lawsuit without the submitter’s consent. Information shared through the organization also could not be the basis for a civil or criminal action against the submitter for failure to warn or disclose.
The organization’s board would consist of five representatives from the Department of Homeland Security and other federal agencies, 10 representatives from the private sector, and two representatives from the “privacy and civil liberties community,” as well as the chair of the National Council of Information Sharing and Analysis Centers.