Another day, another cybersecurity bill. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 has been introduced by House Homeland Security chairman Bennie Thompson along with Reps. Jane Harman and Yvette Clark. According to the one-pager they’ve put out (I can’t find the bill) the Act would:
Require DHS to determine which private assets should be designated “covered critical infrastructure” although there would be a reconsideration process for a firm to challenge such a designation.
Require DHS to develop cyber security standards that would be enforceable on private sector networks determined to be critical infrastructure.
Authorize DHS to recommend (Safety Act) liability protection for firms that comply with the standards.
Some questions come to mind: Is there any limit to what can be designated “critical infrastructure”? What evidence is there that the private sector is under-providing security for its networks? What exactly are the performance metrics that would be used to measure compliance? And what is the evidence that federal standards will be more effective than those developed by industry individually or collaboratively in industry groups? Again, as far as I can tell the bill is not cyber available yet, but if other bills in the House and Senate are any indication, these questions haven’t really been considered.
One thing that I think is new in this bill is liability protection for firms that comply with DHS security regulations. I’m afraid this can’t be good for firms’ incentives to innovate.