The House Homeland Security Committee subcommittee on Cybersecurity began hammering out the details of its legislative proposal on Tuesday morning as lawmakers from both parties focused on finding consensus.
Cybersecurity has become a rare opportunity for bipartisan cooperation as both parties increasingly recognize the importance of safeguarding the nation's computer networks from attack. The hearing continued in that cordial vein and featured substantive discussion of how to improve the draft proposal.
Chairman Dan Lungren (R-Calif.) said the Department of Homeland Security should be tasked with overseeing civilian cybersecurity efforts, which aligns him with other bipartisan efforts at comprehensive legislation.
Ranking member Yvette Clarke (D-N.Y.) agreed, but emphasized that DHS must have enough authority to ensure critical infrastructure providers have adequate protections. She praised the bill's inclusion of several elements of the White House proposal, including increased funding for cyber R&D and enhanced personnel authority for DHS to hire cyber experts.
Lungren's legislation would establish the National Information Sharing Organization (NISO), a quasi-governmental entity that would serve as a clearinghouse for the exchange of information on cyber threats. It differs from a bill recently passed by the House Intelligence Committee, but observers predicted the two can be reconciled.
The NISO would be a nonprofit whose initial board of directors, selected by the secretary of Homeland Security, would be made up of 10 private-sector individuals and five federal officials. The private-sector officials would represent the various critical infrastructure stakeholders and serve three-year terms with regular elections held by NISO.
The government would contribute only 15 percent of NISO's annual costs, with the bulk of the expenses handled by the private sector. Congressional Research Service analyst Kevin Kosar noted the structure is unusual but not unheard of in the federal government.
Greg Nojeim of the Center for Democracy & Technology called the legislation "a good start in many ways," thanks to its light regulatory touch, which does not enforce government mandates, and praised the absence of a "kill switch" for the Internet.
But Nojeim recommended the addition of privacy protections to define what information can be shared with NISO and ensure the data is only used for cybersecurity and not other purposes.