Obama cybersecurity plan ready for Congress

Cybersecurity legislation being proposed by the Obama administration favors public/private cooperation over regulation and gives DHS oversight of FISMA.

The Obama administration is proposing comprehensive cybersecurity legislation that would clarify the government’s role in protecting the nation’s critical infrastructure and favor public/private cooperation over regulation.

The proposal would give the Homeland Security Department oversight authority for the Federal Information Security Management Act, the primary framework for protecting civilian government IT systems, and establish a program to encourage owners and operators of critical infrastructure to implement cybersecurity measures.

“The nation cannot fully defend against these threats unless portions of existing cybersecurity laws are updated,” a senior White House official said in a briefing today.


Officials from the White House and DHS emphasized that the proposal is a work in progress rather than a finished product. They described its introduction as the beginning of an extensive discussion among the administration, Congress and industry.

President Barack Obama has identified cybersecurity as crucial to national security and the economy, and he has taken a number of steps to improve the country’s cybersecurity posture, including appointing Howard Schmidt to be the White House cybersecurity coordinator and developing a cybersecurity incident response plan.

But authority for overseeing and enforcing the security of the nation’s public and private information systems remains fragmented, and technology has outstripped federal laws and regulation. A number of bills that would overhaul cybersecurity responsibilities were introduced during the last Congress and the current one.

One issue addressed in bills before Congress but not addressed in the White House proposal is the president’s authority to intervene during a cyber emergency. A White House official said the president already has sufficient emergency authority to act under existing rules, and, therefore, no specific authority is outlined in the proposal.

One of the biggest changes called for in the proposal would be a federal data-breach notification requirement that applies when personal information held by companies is exposed. It would replace the current patchwork of 47 state notification laws, and the administration says it builds on the best elements of those laws.

“A nationwide standard for data-breach notification would make compliance much easier,” a Commerce Department official said.

DHS has long been identified as the lead agency for government cybersecurity. Although the Defense Department has established a Cyber Command for defending military IT systems and conducting cyber war, DOD officials have repeatedly said the department is not responsible for protecting civilian systems in the .gov domain and that it defers to DHS in those matters.

DHS’ role would be clarified in the legislation, which would give the department the FISMA oversight authority now exercised primarily by the Office of Management and Budget. The proposal would solidify the focus on continuous monitoring of IT security begun under OMB and establish clear guidelines for cooperation among DHS, DOD and other agencies.

The proposal would also make permanent DHS’ authority to oversee intrusion prevention for all civilian agencies using the automated Einstein II program, which now works in government systems and with Internet service providers that handle government traffic.

“This only applies to intrusion-prevention systems that protect government computers, and the proposal also codifies or adds strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process,” a written outline of the proposal states.

One of the most problematic areas of cybersecurity is the government’s role in protecting critical infrastructure that is owned and operated by private companies. The administration’s proposal would enable DHS to assist private-sector companies or state or local government agencies when such organizations ask for its help. The proposal also clarifies the type of assistance that DHS can provide.

DHS would have slightly more authority under a provision that requires it to work with industry to identify the core operators of critical infrastructure and prioritize the most important cyber threats and vulnerabilities for those operators. The operators would then develop their own plans for addressing the threats, which a third-party, commercial auditor would assess. A summary of the plans would be made public.

Although the proposal would not give DHS regulatory authority over the companies, DHS could modify or impose its own plans, working with the National Institute of Standards and Technology. Penalties for nonperformance could also be imposed.

“We do not believe that will be necessary,” a DHS official said, adding that the focus is more on incentives than regulation. “We don’t believe government has all the answers here.”

The proposal would give DHS more agility in recruiting and hiring critical security personnel, similar to the capabilities now enjoyed by DOD, and would expand personnel exchange programs with the private sector.

Individual and corporate privacy is also addressed in the proposal. Entities would be able to share information about cyber threats or incidents with DHS and receive immunity for doing so. The proposal would also mandate privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Sens. Joe Lieberman (I-Conn.), chairman of the Homeland Security and Governmental Affairs Committee; Susan Collins (R-Maine), the committee’s ranking member; and Tom Carper (D-Del.), chairman of the Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, are the sponsors of a cybersecurity bill now before the Senate. In a joint statement, they said they look forward to working with the Obama administration on comprehensive cybersecurity legislation.

“The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos,” the lawmakers said in their statement. “We both recognize that the government and the private sector must work together to secure our nation’s most critical infrastructure — for example, our energy, water, financial, telecommunications and transportation systems. We both call for risk-based assessments of the systems and assets that run that infrastructure. We both designate the Department of Homeland Security to lead this effort, with the assistance of other federal agencies. And we both encourage the government and the private sector to use and refine best practices honed over years of experience.”