Under the new comprehensive cyber security legislation proposed by the Obama administration, there would be less regulation and more cooperation between the private sector and government in working toward a solution.
The proposal would give the Homeland Security Department oversight authority for the Federal Information Security Management Act, the primary framework for protecting civilian government IT systems, and establish a program to encourage owners and operators of critical infrastructure to implement cyber security.
“The nation cannot fully defend against these threats unless portions of existing cyber security laws are updated,” a senior White House official said in a briefing today.
Officials from the White House and DHS emphasized the proposal is a work in progress rather than a finished product. They described its introduction as the beginning of an extensive discussion among the administration, Congress and industry.
President Barack Obama has identified cyber security as crucial to national security and the economy, and he has taken a number of steps to improve the country’s cyber security posture, including appointing Howard Schmidt to be the White House cyber security coordinator and developing a cyber security incident response plan.
But authority for overseeing and enforcing the security of the nation’s public and private information systems remains fragmented, and technology has outstripped federal laws and regulation. A number of bills that would overhaul cyber security responsibilities are circulating through Congress.
One issue addressed in bills before Congress but not addressed in the White House proposal is the president’s authority to intervene during a cyber emergency. A White House official said the president already has sufficient emergency authority to act under existing rules, and, therefore, no specific authority is in the proposal.
One of the biggest changes called for in the proposals would be a federal data-breach notification requirement when personal information held by companies suffers exposure. It would replace the current patchwork of 47 state notification laws, and it builds on the best elements of those laws.
“A nationwide standard for data-breach notification would make compliance much easier,” a Commerce Department official said.
DHS has long been the lead agency for government cyber security. Although the Defense Department has established a Cyber Command for defending military IT systems and conducting cyber war, DOD officials have repeatedly said the department is not responsible for protecting civilian systems in the .gov domain and that it defers to DHS in those matters.
DHS’ role would become much clearer in the legislation, which would give the department the FISMA oversight authority now exercised primarily by the Office of Management and Budget. The proposal would solidify the focus on continuous monitoring of IT security begun under OMB and establish clear guidelines for cooperation among DHS, DOD and other agencies.
One of the most problematic areas of cyber security is the government’s role in protecting critical infrastructure owned and operated by private companies. The administration’s proposal would enable DHS to assist private-sector companies or state or local government agencies when such organizations ask for its help. The proposal also clarifies the type of assistance that DHS can provide.
DHS would have slightly more authority under a provision that requires it to work with industry to identify the core operators of critical infrastructure and prioritize the most important cyber threats and vulnerabilities for those operators. The operators would then develop their own plans for addressing the threats, which a third-party, commercial auditor would assess. A summary of the plans would be public.
Although the proposal would not give DHS regulatory authority over the companies, DHS could modify or impose its own plans, working with the National Institute of Standards and Technology. Penalties for nonperformance could also come into play.