Obama cybersecurity plan ready for Congress

The Obama administration is proposing comprehensive cybersecurity legislation that would clarify the government’s role in protecting the nation’s critical infrastructure and favor public/private cooperation over regulation.

The proposal would give the Homeland Security Department oversight authority for the Federal Information Security Management Act, the primary framework for protecting civilian government IT systems, and establish a program to encourage owners and operators of critical infrastructure to adopt cybersecurity protections.

“The nation cannot fully defend against these threats unless portions of existing cybersecurity laws are updated,” a senior White House official said in a briefing today.


Officials from the White House and DHS emphasized that the proposal is a work in progress rather than a finished product. They described its introduction as the beginning of an extensive discussion among the administration, Congress and industry.

President Barack Obama has identified cybersecurity as crucial to national security and the economy, and he has taken a number of steps to improve the country’s cybersecurity posture, including appointing Howard Schmidt to be the White House cybersecurity coordinator and developing a cybersecurity incident response plan.

But authority for overseeing and enforcing the security of the nation’s public and private information systems remains fragmented, and technology has outstripped federal laws and regulation. A number of bills that would overhaul cybersecurity responsibilities were introduced during the last Congress and the current one.

One issue addressed in bills before Congress but not addressed in the White House proposal is the president’s authority to intervene during a cyber emergency. A White House official said the president already has sufficient emergency authority to act under existing rules, and, therefore, no specific authority is outlined in the proposal.

One of the biggest changes called for in the proposal would be a federal data-breach notification requirement when personal information held by companies is exposed. It would replace the current patchwork of 47 state notification laws while building on the best elements of those laws.

“A nationwide standard for data-breach notification would make compliance much easier,” a Commerce Department official said.

DHS has long been identified as the lead agency for government cybersecurity. Although the Defense Department has established a Cyber Command for defending military IT systems and conducting cyber warfare, DOD officials have repeatedly said the department is not responsible for protecting civilian systems in the .gov domain and that it defers to DHS in those matters.

DHS’ role would be clarified in the legislation, which would give the department the FISMA oversight authority now exercised primarily by the Office of Management and Budget. The proposal would solidify the focus on continuous monitoring of IT security begun under OMB and establish clear guidelines for cooperation among DHS, DOD and other agencies.

The proposal would also make permanent DHS’ authority to oversee intrusion prevention for all civilian agencies using the automated Einstein II program, which is now deployed in government systems and at Internet service providers that carry government traffic.

“This only applies to intrusion-prevention systems that protect government computers, and the proposal also codifies or adds strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process,” a written outline of the proposal states.

One of the most problematic areas of cybersecurity is the government’s role in protecting critical infrastructure that is owned and operated by private companies. The administration’s proposal would enable DHS to assist private-sector companies or state or local government agencies when such organizations ask for its help. The proposal also clarifies the type of assistance that DHS can provide.

DHS would have slightly more authority under a provision that requires it to work with industry to identify the core operators of critical infrastructure and prioritize the most important cyber threats and vulnerabilities for those operators. The operators would then develop their own plans for addressing the threats, which a third-party commercial auditor would assess. A summary of the plans would be made public.

Although the proposal would not give DHS regulatory authority over the companies, DHS could modify or impose its own plans, working with the National Institute of Standards and Technology. Penalties for nonperformance could also be imposed.

“We do not believe that will be necessary,” a DHS official said, adding that the focus is more on incentives than regulation. “We don’t believe government has all the answers here.”

The proposal would give DHS more agility in recruiting and hiring critical security personnel, similar to the capabilities now enjoyed by DOD, and would expand personnel exchange programs with the private sector.

Individual and corporate privacy is also addressed in the proposal. Entities would be able to share information about cyber threats or incidents with DHS with immunity. The proposal would also mandate privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Sens. Joe Lieberman (I-Conn.), chairman of the Homeland Security and Governmental Affairs Committee; Susan Collins (R-Maine), the committee’s ranking member; and Tom Carper (D-Del.), chairman of the Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, are the sponsors of a cybersecurity bill now before the Senate. In a joint statement, they said they look forward to working with the Obama administration on comprehensive cybersecurity legislation.

“The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos,” the lawmakers said in their statement. “We both recognize that the government and the private sector must work together to secure our nation’s most critical infrastructure — for example, our energy, water, financial, telecommunications and transportation systems. We both call for risk-based assessments of the systems and assets that run that infrastructure. We both designate the Department of Homeland Security to lead this effort, with the assistance of other federal agencies. And we both encourage the government and the private sector to use and refine best practices honed over years of experience.”

About the Author

William Jackson is a Maryland-based freelance writer.
