Bill Could Give Homeland Security Power Over Tech Giants

Some members of Congress, concerned about shoddy cybersecurity at government and critical technology websites, are proposing that the Department of Homeland Security should have the power to force private networks to secure themselves more effectively.

But several cybersecurity experts say a broadly worded bill that has been referred to the House Committee on Homeland Security could impact many ordinary tech firms that merely play a role in infrastructure. If the bill becomes law, even firms like Apple, Microsoft and Google could come under DHS's thumb, says Michael Gregg, chief operating officer of the cybersecurity firm Superior Solutions.

"They are stepping forward to regulate a potentially huge amount of the Internet," Gregg told "It's up to DHS to decide who they want to fall under this umbrella. I have little doubt that large tech companies such as AT&T, Verizon, Microsoft, Google, Apple and Cisco could all find themselves being heavily regulated."

Representatives from those firms declined to comment on the pending regulations. But given DHS' record on security, Gregg said they should have reservations about granting the agency such sweeping oversight.

"Just consider the recent DHS / TSA body-scanner fiasco," he said. "The thought of DHS in charge of cybersecurity will strike fear in most U.S. tech companies."

The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 (HR 6423, proposed by Rep. Bennie G. Thompson, D-Miss.) would empower DHS to set security standards for the networks at various private facilities and would authorize penalties against any websites it deems to have lax security.

The bill would create a new department within Homeland Security, called the Office of Cybersecurity and Communications, and a new Cybersecurity Compliance Division that would measure and rate how effectively certain private companies respond to network security risks.

The bill's goal is to muscle better security onto .gov websites and critical infrastructure sites, including ports and power plants, to limit the country's vulnerability to cyber espionage, said Thompson.

"Cyber attacks, whether originated by other countries or sub-national groups, are a grave and growing threat to our government and the private sector. This bill provides new tools to DHS to confront them effectively and make certain that civil liberties are protected,” Thompson said.

But the bill could end up regulating utilities and telecoms and a wide array of software firms, said Jeff Bardin, a chief security strategist and a cyberterror expert with XA Systems.

"Anything that critical infrastructures depend upon -- which is pretty much all information security companies, major and minor Internet hubs, the networks, database companies, software companies, etc." could fall under the umbrella of HR 6423, he told "It could run the gamut depending upon interpretation."

Josh Daymont, CEO of information security company Securisea, agrees that the bill is broad. But he said there would likely be different levels of regulations for different organizations -- and Microsoft or AT&T wouldn't be scrutinized in the same manner as a nuclear power plant.

"It wouldn't necessarily follow that those [tech] companies would be treated the same as a nuclear power plant or water company -- they might well have restrictions, but perhaps a less stringent set of rules than, say, a nuclear plant."

An aide for the House Committee on Homeland Security said the bill wasn't intended to be as broad as industry experts fear it may be -- and pointed out that there would be medium for voicing concerns.

"In those cases where a company wants to challenge its designation, the bill calls for DHS to make a reconsideration process available," he added.

The committee aide noted that the private sector won't be included in the panel establishing the rules, however. "For the private sector regulations, the bill provides for an open regulatory process with notice and comment," he told

But Gregg argued that even with the help of the private sector, DHS isn't in the best position to offer cybersecurity advice.

"The real problem is that DHS and other government agencies don’t have a great record of protecting their own critical assets," he told "As recently as 2008, DHS did not have its own cyber crisis plan. Also in 2008, a DHS [internal phone system] was hacked using an attack vector that was at least 10 years old," Gregg said.

The power to regulate private networks comes from Homeland Security Presidential Directive 7, which was established in 2003 to identify and prioritize critical infrastructure and to protect it from terrorist attacks.

The regulation has been in use for a while, but it hasn't been used to enforce standards, Bardin told

"The new bill just takes it to the point that forces things to be done. Before it was a public-private relationship based upon cooperation and collaboration. Now it could be a forced march to compliance. Cooperation and collaboration only goes so far when it is not economically in a company's best interest to change a product or behavior," he said.

But the real concern lies in the breadth of the bill, Bardin agreed. Any technology company that sells to key infrastructures could potentially be regulated by it, said Bardin. He cited a laundry list of technology companies that could be affected, including Oracle, Symantec, EMC, Cisco, HP, Dell and others.

"Just some of the big boys, and the list is endless ..." he said.