[Congressional Record (Bound Edition), Volume 156 (2010), Part 13]
[Extensions of Remarks]
[Pages 18032-18033]
[From the U.S. Government Publishing Office, www.gpo.gov]

H.R. 6423, THE ``HOMELAND SECURITY CYBER AND PHYSICAL INFRASTRUCTURE PROTECTION ACT OF 2010''

______

HON. BENNIE G. THOMPSON
of Mississippi
in the House of Representatives
Thursday, November 18, 2010

Mr. THOMPSON of Mississippi. Madam Speaker, illegal penetrations or ``hacks'' of computer networks have become an increasingly serious homeland security issue. Not only do they threaten the personal fortunes and identities of our citizens but also the effective functioning of our government, our infrastructure, our economy, and our national security.

As Americans at all levels of society--from their personal lives to their professional work--grow increasingly reliant on computers and those computers become ever more connected, the scope of this security vulnerability continues to expand at a dizzying rate.

Over the past year or so, there has been an active Congressional debate about what should be done to address this significant homeland security vulnerability. The introduction of the ``Homeland Security Cyber and Physical Infrastructure Protection Act of 2010,'' is intended to refocus the debate away from Presidential Internet shut-down authority and other ``what ifs'' and back to the central Federal cybersecurity challenge--the mismatch between the Department of Homeland Security's, DHS, designation, since 2003, as the ``focal point for security of cyberspace,'' and the authorities conferred to DHS to fulfill its cybersecurity mission with respect to networks operated by Federal civilian agencies and critical infrastructure.

The ``Homeland Security Cyber and Physical Infrastructure Protection Act of 2010,'' seeks to enhance DHS' cybersecurity capacity by authorizing the DHS Office of Cybersecurity and Communications and creating a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the (1) .gov domain and (2) critical infrastructure networks, respectively. This bill is designed to require DHS to work with network operators to develop tailored security plans that meet risk-based, performance-based standards, as is being done in DHS' Chemical Facility Anti-terrorism program.

``Homeland Security Cyber and Physical Infrastructure Protection Act of 2010,'' is focused on providing the Department of Homeland Security, DHS, with the resources and authority that it needs to fulfill its Federal responsibility as the protector of our Nation's cyberspace. Specifically, the bill seeks to give DHS the resource and authority needed to strengthen the cybersecurity of (1) Federal government networks--the ``.gov'' domain--and (2) critical infrastructure in the private sector.

From a security and good-government standpoint, the way to deliver better cybersecurity is to leverage, modify, and enhance existing structures and efforts, rather than make wholesale bureaucratic changes. To that end, my bill authorizes a cybersecurity operation within the Department of Homeland Security that not only runs parallel to the Department's infrastructure protection work but also leverages, modifies, and enhances existing cybersecurity structures and programs.

My bill specifically directs DHS to issue risk-based, performance-based cybersecurity standards for computer networks for systems in the .gov domain and those within the private sector that are within designated critical infrastructure. For DHS' efforts to succeed, there needs to be ``buy-in'' on the front end and compliance on the back end.

The bill fosters ``buy-in'' from the operators of the civilian Federal networks by establishing a working group comprised of Federal agencies, and chaired by the Secretary of Homeland Security, that is responsible for establishing risk-based, performance-based standards and corresponding remedies, including penalties, for non-compliance with these standards.

Similarly, to foster ``buy-in'' for risk-based, performance-based standards for the critical infrastructure firms, DHS is directed to develop the standards in consultation with a wide range of stakeholders--from the Intelligence Community to the heads of sector-specific agencies to councils representing the interests of private sector companies--and subject the standards to the notice and comment regulatory process.

With respect to compliance, my bill directs DHS to look at approaches to foster compliance--such as liability protection under the Safety Act--and grants DHS the authority to delegate enforcement to another Federal department that has an existing regulatory authority over that sector. In some cases, delegation will prevent private sector firms from being subjected to redundant and overlapping regulations.

To ensure compliance, civilian Federal networks will be regularly monitored by DHS to ensure that each agency is in compliance with the standards adopted by the Federal agency working group. The bill requires DHS to report infractions and corresponding remedies to the Office of Management and Budget, who, in turn, is required to execute the corresponding penalty or remedy.

My bill also includes a number of provisions to improve the reporting of cyber incidents, the sharing of information on cyber threats, the capacity of DHS to hire 500 additional cyber professionals and the level of cybersecurity research and development activities.

Taken together, the ``Homeland Security Cyber and Physical Infrastructure Protection Act of 2010,'' will make our Nation more secure and better position DHS--the ``focal point for the security of cyberspace,'' under Homeland Security Presidential Directive 7--to fulfill its critical homeland security mission.

I urge Members to join me and cosponsor this important, common-sense homeland security legislation.