DHS rules in White House cyber plan

The federal government's IT systems would be under the watchful eye of the Homeland Security Department under proposed legislation sent by the White House to Congress May 12. However, DHS would have only limited authority to oversee the security of privately owned critical infrastructure.

The proposal, which administration officials characterized as a starting point for discussions with Congress and industry, clarifies the DHS role as the lead cybersecurity agency with “primary responsibility within the executive branch for information security,” including the power to mandate policies and activities for government systems.

It also creates a regulatory framework for non-government critical infrastructure that requires owners and operators to develop security plans, and would establish a national requirement for notifying people of data breaches.

The plans would be evaluated by accredited auditors and reviewed by DHS. If found wanting, the DHS secretary would discuss the shortcomings with the operators and “take other action as may be determined appropriate.” This action would not include shutdown orders, fines or other monetary penalties or civil penalties, however.

Administration officials said the proposed regulatory framework is an acknowledgment that government does not have all of the answers and that cooperation is likely to be more effective than regulation.

The proposal will likely be reconciled with similar cybersecurity legislation that has been introduced in both the House and Senate.

One element not included in the White House proposal that has been included in other introduced bills is formal establishment of an executive branch cybersecurity officer. President Barack Obama has named Howard A. Schmidt as White House cybersecurity coordinator, but that position does not require Senate approval.

Rather, under the Obama plan, authority for coordinating and overseeing federal information security policy would be given to DHS, which will “develop and conduct risk assessments for federal systems and, upon request, critical information infrastructure.” The proposal would authorize the department to deploy and operate intrusion detection and prevention systems, such as Einstein, on government systems and give the department access to all government traffic.

The department also would establish a cybersecurity center to facilitate information sharing and collaboration among agencies, state and local governments, the private sector and international partners. The center would organize activities under a cybersecurity response plan and disseminate threat information. This essentially formalizes the role now played by the U.S. Computer Emergency Readiness Team.

Under the regulatory framework for critical infrastructure, the department would designate core critical systems whose disruption would pose a threat to the national security or economy, which would be required to maintain approved cybersecurity plans. DHS would “identify specific cybersecurity risks that must be mitigated to ensure the security of covered critical infrastructure; and review and designate frameworks to address such risks.”

The frameworks would be created in consultation with industry standards organizations and used to evaluate security plans. DHS would establish an accreditation for third-party evaluators that would assess the programs, which would then be approved by DHS.

Another requirement for the private sector would be data breach notification. The provision would replace the current patchwork of 47 state laws for notifying individuals when personally identifiable information has been lost, stolen or otherwise exposed.

The requirements would apply to organizations handling the personal information of at least 10,000 individuals a year, and they would be required to personally notify potential victims in the event of a breach, “unless there is no reasonable risk of harm or fraud.” This could be achieved by use of industry best practices and standards such as cryptography to protect the exposed files.

Notification, by mail, e-mail or telephone, would have to be made within 60 days unless a 30-day extension is granted by the Federal Trade Commission for further investigation, or the Secret Service or FBI decides notification would impede a criminal investigation. Companies also would have to notify the Secret Service, FBI and FTC of large breaches.

The FTC would enforce this section, although states would be able to bring civil action for violations.


About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader comments

Tue, May 17, 2011 slim

Sounds like more fed overreach - regulating critical infrastructure means there will be less of it (since the regulations mean it will be more expensive and more of a pain in the neck).

Mon, May 16, 2011

Hmm, there is a reason why continuous monitoring feeds are planned inputs into the Risk Management Framework. None of the current feeds into CyberScope take into account risk to mission, available resources or the fact that some data may be sneaker-netted over and not be part of the network (i.e., mitigated). These risk considerations happen at the local level, and looking at them at the federal level outside of the organization is just out of context. Secondly, can anyone tell me why this mosaic of information on the highest federal vulnerabilities should not be held in a classified environment? This information should be on a need-to-know basis.

Mon, May 16, 2011

And just how would this new empire mesh with all the existing cybersecurity empires, especially DoD/NSA? It's all the same store. FedGov needs ONE agency driving the train for everyone, or else everyone will keep proceeding merrily along their way.

Mon, May 16, 2011

Anyone ready for brown-outs?