The controversy around DHS to fine IT companies
November 21, 2010
Controversy is mounting rapidly over the Department of Homeland Security's new proposal to improve cybersecurity on almost all levels.
Some Democratic politicians are now proposing a very controversial approach to cybersecurity: fine IT firms and high technology companies $100,000 per day unless they comply with strict directives imposed by the U.S. Department of Homeland Security (DHS).
The proposal has many Internet security firms, and almost the whole IT industry, up in arms, because its scope is a broad swath that would cover almost everything.
The proposed new legislation introduced this week would allow DHS Secretary Janet Napolitano to levy those and other civil penalties on noncompliant companies that the government deems "critical," a broad term that could sweep in Web hosting companies, ISPs and broadband providers, even software companies and search engines.
"This bill will make the United States more secure and better positions DHS--the 'focal point for the security of cyberspace'--to fulfill its critical homeland security mission," said Rep. Bennie Thompson (D-Miss.), the chairman of the House Homeland Security Committee.
Thompson's proposal comes after more than ten long years of heated, sometimes classified discussions in Washington, centering on how much authority the federal government should have to regulate network and computer security, and which agency should be in charge.
In a series of reports, three successive presidential administrations have taken strikingly similar approaches that favor self-regulation.
Skeptics say it's not clear that lawyers and policy analysts who will inhabit DHS' 4.5 million square-foot headquarters in the southeast corner of the District of Columbia have the expertise to improve the security of servers and networks operated by companies like AT&T, Verizon, Microsoft, and Google.
Large American companies already spend billions of dollars on computer security every year and the trend is growing fast.
"Congress is stepping forward to regulate something it has no idea how to regulate," says Jim Harper, a policy analyst at the free-market Cato Institute. "It's a level of bureaucracy that actually adds nothing at all."
DHS's own cybersecurity record is far from perfect. In 2005, government auditors concluded that DHS failed to live up to its cybersecurity responsibilities and may be totally unprepared for real emergencies. As recently as 2008, the head of the DHS said the agency still needed to develop a plan to respond to a cybercrisis.
Besides Thompson, the new bill, called the Homeland Security Cyber and Physical Infrastructure Protection Act (HSCPIPA), has other high-profile backers. Rep. Jane Harman (D-Calif.), chairman of the intelligence subcommittee, and Yvette Clarke (D-N.Y.), chairman of the cybersecurity subcommittee, are also co-sponsors.
No Republicans have signed on yet, at least not at the time this news story was published.
"Cyberattacks, whether originated by other countries or sub-national groups, are a grave and growing threat to our government and the private sector," Harman said. "This bill provides new tools to DHS to confront them effectively and make certain that civil liberties are protected."
Section 224 of HSCPIPA hands DHS explicit legal "authorities for securing private sector" computers. A cybersecurity chief to be appointed by Napolitano would be given the power to "establish and enforce" cybersecurity requirements.
HSCPIPA's process works like this: DHS draws up a list of regulated critical companies by evaluating the likelihood of a "cyberincident," existing vulnerabilities, and the consequences of an attack. DHS is supposed to consult with the NSA, other federal agencies, and the private sector to the "maximum extent practicable," but the other groups don't get a veto over the final list, and that is where many of the objections begin.
Harper, from the Cato Institute, says that private firms already have the right incentives on cybersecurity. HSCPIPA imposes "a layer of bureaucracy that seeks to replicate the incentive structure that technology firms already face," he says.
Any system or asset that is a component of the national information infrastructure--read broadly, that could be any major Web site or provider--is fair game for DHS regulation. Companies can appeal if they don't want to be on the "critical" list, but it means asking DHS to reconsider its original decision (no neutral party considers the appeal).
"With a little bit of imagination, you can pretty much pull anything into that," says Lauren Weinstein of People for Internet Responsibility. "Does Google represent critical infrastructure now? It's hard to see how any major Internet service or property could be assured of the fact that it would not be covered."
Once the list is complete, DHS has the authority to require those regulated tech companies to "comply with the new requirements" that it has levied. Those requirements include presenting "cybersecurity plans" to the agency, which has the power to "approve or disapprove" each of them.
After that, DHS "may conduct announced or unannounced audits and inspections" to ensure "full compliance."
"In the case of noncompliance," the legislation says, DHS "may levy civil penalties, not to exceed $100,000 per day, for each instance of noncompliance."
Some Internet security observers drew a parallel with the food companies that supply airlines with meals for their passengers. If the TSA and airport security officials in the U.S. and elsewhere tighten up security in airports and especially on planes, and decide to fine airlines $100,000 per day for noncompliance, does that mean the food caterers will be fined $100,000 a day as well?
Source: The Department of Homeland Security.