Rep. Terry on DHS Setting Industry Cybersecurity Standards: "Hell, No!"

Rep. Lee Terry (R-Neb.), co-chair of the House
Cybersecurity Working Group, is definitive about his opposition to
government-enforced industry cybersecurity standards.

He
said Friday that the House is not looking to reinvent the wheel, but wants to
do cybersecurity "a little different" from the way it is being
handled in two Senate bills.

Asked
whether the Department of Homeland Security, which features in both Senate bills,
was the right vehicle for monitoring cybersecurity, Terry had a succinct
answer: "Hell, no!" Terry said industry "has to be nimble, they
have to be quick." He did not add candlesticks to the hurdles government
should not put in front of industry, but did say that having to communicate
with or through DHS defeats the purpose of making them nimble.

He
was speaking to C-SPAN for its Communicators series.

He
described the Senate efforts as "close," but wasn't handing out
cigars in either case. He said the Energy & Commerce Committee is looking
at them, but said it was working on its own take. In addition to co-chairing
the E&C's cybersecurity task force -- with Communications Subcommittee
ranking member Anna Eshoo (D-Calif.), Terry was also on the House Speaker's
cybersecurity task force.

A
House cybersecurity bill backed by cable operators was introduced last November
by House Intelligence Committee Chairman Rep. Mike Rogers (R-Mich.).
That bill allows the government to share certain cyberthreat intelligence with
private entities, like ISPs."

Terry
said everyone is pretty much on board with that bill, but that the committee
was still "building on that."

Whatever
it eventually looks like, Terry said he was confident a bill could be passed
this year. He pointed out that House Speaker John Boehner had made it a
priority and that the President also wanted "something."

Terry
said the House bill he is working on is looking to "break down
barriers" to empower the private sector's first line of defense, which
includes ISPs and backbone providers. He said the philosophy is different from
either the Senate Democratic,
which has the Department of Homeland Security overseeing industry standards, ora Republican bill, the latter which -- backed by Sen. John McCain (R-Ariz.),
Terry said, still "creates a little bit of government involvement."
Instead, he suggested, the House is "trying to facilitate communications
as opposed to create something new."

He
said that most task force members feel that the development of standards for
protecting critical infrastructure should come from industry. "One you
start setting standards and you are empowering a government agency to develop
definitions of "critical," then you are locking those entities into a
long process, and by the time they develop a standard, everyone has gone by
them." He said it would be counterproductive to involve the government
agencies in that decision-making process.

Terry
said he thought a cybersecurity bill would be simple, essentially eliminating
antitrust barriers to facilitate communications and simply say: "Go after
it."

Cybersecurity
legislation by its nature also implicates privacy, and Terry said legislation
would need to insure that if ISPs are looking into packets for viruses or
botnets, they should only be able to convey that information and no more. He
said resolving some of the privacy issues would be creating an industry
clearinghouse where the government could also share information on any threats
it had identified. Terry said that the government should be able to tell
industry about the code, but that if industry finds it during a packet search,
the government doesn't need to know that [The Democratic Senate bill, backed by
Sen. Joe Lieberman (I-Conn.), would allow sharing in both directions].
"We're going to have to set limits on that," he said. "We can't
allow the tracking of an individual computer users' records," he said.

Rep.
Jim Langevin (D-RI), co-founder of the House Cybersecurity Caucus, who also
appeared on the Communicators, said he suported giving DHS oversight authority,
and thought there should be even more government involvement, including a
cybersecurity coordinator in the White House.

He
said he did not want any more government involvement than was necessary, but
suggested that given the current level of protection and the importance of
protecting critical infrastructure, like the electric grid, meant more
government involvement was needed. Langevin, giving a shout out to the
Lieberman bill, said that information sharing needs to go both ways.

Langevin,
who is on the House Intelligence Committee, is a co-sponsor and backs the
Rogers bill, which he said he hopes would be getting a House vote soon.
"We have to get something done, he said.

And
why does Langevin think the government needs to get more involved in setting
and enforcing industry standards? "The owners and operators of our
critical infrastructure, in particular the electric grid sector, after not
moving fast enough to adopt robust cybersecurity tools, in many ways because
they are putting profits ahead of the safety and security of the American
people. It think that is wrong and we are going to press them harder."

John Eggerton

Contributing editor John Eggerton has been an editor and/or writer on media regulation, legislation and policy for over four decades, including covering the FCC, FTC, Congress, the major media trade associations, and the federal courts. In addition to Multichannel News and Broadcasting + Cable, his work has appeared in Radio World, TV Technology, TV Fax, This Week in Consumer Electronics, Variety and the Encyclopedia Britannica.