White House unveils proposed cybersecurity legislation
The White House delivered cybersecurity legislation to lawmakers May 12 that proposes a voluntary assistance and information sharing framework between government and industry. The proposal comes after months of the Obama administration keeping mostly silent over a slew of cybersecurity proposals already introduced in Congress.
But where previous attempts at cybersecurity legislation have focused largely on securing the .gov space and critical infrastructure, the White House proposal is more comprehensive--drawing FISMA reform, personnel considerations, data breach disclosure and cybercrime provisions into a single piece of legislation.
"This proposal strikes a critical balance between maintaining the government's role and providing industry with the capacity to innovatively tackle threats to national cybersecurity. Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy," said National Cybersecurity Coordinator Howard Schmidt, in a blog post on WhiteHouse.gov.
While the proposal is lengthy and detailed, a senior administration official said during a press call made on condition of anonymity that it is not prescriptive, adding that "government doesn't have all the answers all the time."
One detail the White House proposal has yet to hammer out: The degree to which the private sector will be affected by the bill. The proposal calls for critical infrastructure operators to prioritize cyber threats, develop a framework for addressing those threats and have a third-party auditor assess implementation.
A senior Homeland Security Department official said during the call that although the legislation defines "critical infrastructure," DHS hasn't determined the "most critical of critical infrastructure" to which the framework and auditing requirements would apply.
"There will be some criteria identified in the proposal, things such as risk, consequences from attack, other sorts of things and the secretary would, through a regulation process develop a set of additional criteria with strong input from the private sector to identify who actually fell within that regime. So that has not been defined yet, that criteria will be fully defined in the future," said the DHS official. The definition will likely not be sector-specific, he added, meaning it could cut across any sector of critical services on which the nation depends.
In addition, the White House proposal focuses on consumer protections by including national data breach reporting requirements and federal penalties for cybercriminals. The legislation also aims to ramp up the defense of government networks by infusing cyber expertise into agency management, better recruiting and retaining cybersecurity professionals, relying on automated systems and continuous monitoring, and by embracing cloud computing.
White House officials indicated these adjustments within the federal government will also mean changes to FISMA--and greater oversight of FISMA by DHS--as well as changes to the Federal Acquisition Regulation.
Analysts have been quick to spot similarities between the White House proposal and other attempts at cybersecurity legislation.
"If you look at the Rockefeller-Snowe and Lieberman-Collins bills there's a lot of the same concepts in some of the provisions that do seem to be a part of this effort," said Jessica Herrera-Flanigan, partner at Monument Policy Group. "In some ways [this proposal has] parts of those two bills on steroids."
"The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos," said Sen. Joe Lieberman (I-Conn.), Sen. Susan Collins (R-Me.) and Tom Carper (D-Del.) in a joint statement.