Modeled after the Chemical Facility Anti-Terrorism Standards Act, which requires chemical plants to submit plans to secure facilities from terrorist attack, Thompson’s bill would require similar plans from critical infrastructure firms.
The bill, the Homeland Security Cyber and Physical Infrastructure Protection Act (HR6423), would also require DHS to share threat intelligence on networks and corporate proprietary information. Thompson said the bill would give the DHS the authority it needs to fulfill its mandate as the lead US cybersecurity agency.
The bill would leave it up to DHS to decide which firms would be covered by the regulations, although companies would have the opportunity to challenge DHS’s decision.
Giving DHS the authority to determine which firms are covered has prompted some industry experts to warn that the department could spread a wide cybersecurity net. Michael Gregg, chief operating officer of Superior Solutions, told Fox News that the requirement to submit cybersecurity plans could even cover Microsoft, Apple, and Google.
Under the proposed legislation, a Cybersecurity Compliance Division would be set up under DHS’s Office of Cybersecurity and Communications that would inspect cybersecurity plans and activities for covered private networks. The division would also have the authority to “develop and publish, for covered critical infrastructure sectors or subsectors, risk-based and performance-based regulations”, according to the bill.
Thompson said the bill is similar to cybersecurity legislation in the Senate, which would give the president the power to shut down industries or impose measures on companies to combat cybersecurity threats. The Senate bill would also establish an Office of Cyber Policy in the White House. Thompson’s bill, however, does not address White House authority.