House subcommittee criticizes White House cybersecurity proposal

Tools

The White House cybersecurity legislative proposal came under criticism from Republicans and Democrats during a May 25 hearing of the House Judiciary subcommittee on intellectual property, competition and the Internet.

The proposal, said subcommittee Chairman Bob Goodlatte (R-Va.), would lead to mandatory federal cybersecurity technical standards for operators of private sector-owned critical infrastructure. "Any regulations for cybersecurity would be outdated by the time they're finalized," Goodlatte said, adding that enforced standards would also hinder economic growth.

Ari Schwartz, senior internet policy advisor at the National Institute of Standards and Technology said that the proposal does not in fact call for adoption of technical standards. It would require covered critical infrastructure operators to adopt a framework of cybersecurity performance measures but then decide for themselves how to enact cybersecurity measures.

"There are no technical mandates and no technical standards within the framework whatsoever," Schwartz said. Schwartz apparently failed to convince Goodlatte, however. "Maybe we're engaged in semantics here, though. You call them performance measures, I call them technical standards," the congressman rejoined.

The information sharing portions of the proposal were also met with criticism. Section 246 of the proposal allows private sector entities to transmit information to the Homeland Security Department without liability or criminal penalty. "It basically says, 'if you do what we tell you to do,' then you are given immunity from any kind of liability," said the subcommittee Ranking Member, Mel Watt (D-N.C.). "That's pretty damn broad," he added, comparing the proposal language to retroactive immunity granted to telecom companies that performed warrantless wiretapping at the government's behest following passage of the Patriot Act in 2001.

James Baker, a Justice Department associate deputy attorney general, said companies would be restricted to providing cybersecurity-related information. "If they go off the reservation and do something that's not authorized, then they don't get liability protection," he said.

Rep. Darrell Issa (R-Calif.) questioned how voluntary information sharing would be under the proposal language.

"Your asking for cooperation with the force of your ability to make life miserable on private-sector companies behind closed doors is not a voluntary act. You can be very, very convincing," he said.

For more:
- go to the hearing webpage (prepared testimonies and webcast available)

Related Articles:
Reitinger: Cybersecurity bill applies 'light touch' to private sector regulation
White House unveils proposed cybersecurity legislation 
Online 'personas' at heart of privacy protection in identity ecosystem, says U.K. think tank