White House cyber plan would expand role of DHS, private sector


Cybersecurity legislation being proposed by the Obama administration favors public/private cooperation over regulation and gives DHS oversight of FISMA.

The Obama administration is proposing comprehensive cybersecurity legislation that would clarify the government’s role in protecting the nation’s critical infrastructure and favor public/private cooperation over regulation.

The proposal would give the Homeland Security Department oversight authority for the Federal Information Security Management Act, the primary framework for protecting civilian government IT systems, and establish a program to encourage owners and operators of critical infrastructure to implement cybersecurity.

“The nation cannot fully defend against these threats unless portions of existing cybersecurity laws are updated,” a senior White House official said in a briefing today.




Officials from the White House and DHS emphasized that the proposal is a work in progress rather than a finished product. They described its introduction as the beginning of an extensive discussion among the administration, Congress and industry.

President Barack Obama has identified cybersecurity as crucial to national security and the economy, and he has taken a number of steps to improve the country’s cybersecurity posture, including appointing Howard Schmidt to be the White House cybersecurity coordinator and developing a cybersecurity incident response plan.

But authority for overseeing and enforcing the security of the nation’s public and private information systems remains fragmented, and technology has outstripped federal laws and regulation. A number of bills that would overhaul cybersecurity responsibilities were introduced during the last Congress and the current one.

One issue addressed in bills before Congress but not addressed in the White House proposal is the president’s authority to intervene during a cyber emergency. A White House official said the president already has sufficient emergency authority to act under existing rules, and, therefore, no specific authority is outlined in the proposal.

One of the biggest changes called for in the proposals would be a federal data-breach notification requirement when personal information held by companies is exposed. It would replace the current patchwork of 47 state notification laws, and it builds on the best elements of those laws.

“A nationwide standard for data-breach notification would make compliance much easier,” a Commerce Department official said.

DHS has long been identified as the lead agency for government cybersecurity. Although the Defense Department has established a Cyber Command for defending military IT systems and conducting cyber war, DOD officials have repeatedly said the department is not responsible for protecting civilian systems in the .gov domain and that it defers to DHS in those matters.

DHS’ role would be clarified in the legislation, which would give the department the FISMA oversight authority now exercised primarily by the Office of Management and Budget. The proposal would solidify the focus on continuous monitoring of IT security begun under OMB and establish clear guidelines for cooperation among DHS, DOD and other agencies.

The proposal would also make permanent DHS’ authority to oversee intrusion prevention for all civilian agencies using the automated Einstein II program, which now works in government systems and with Internet service providers that handle government traffic.

“This only applies to intrusion-prevention systems that protect government computers, and the proposal also codifies or adds strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process,” a written outline of the proposal states.

One of the most problematic areas of cybersecurity is the government’s role in protecting critical infrastructure that is owned and operated by private companies. The administration’s proposal would enable DHS to assist private-sector companies or state or local government agencies when such organizations ask for its help. The proposal also clarifies the type of assistance that DHS can provide.

DHS would have slightly more authority under a provision that requires it to work with industry to identify the core operators of critical infrastructure and prioritize the most important cyber threats and vulnerabilities for those operators. The operators would then develop their own plans for addressing the threats, which a third-party, commercial auditor would assess. A summary of the plans would be made public.

Although the proposal would not give DHS regulatory authority over the companies, DHS could modify or impose its own plans, working with the National Institute of Standards and Technology. Penalties for nonperformance could also be imposed.

“We do not believe that will be necessary,” a DHS official said, adding that the focus is more on incentives than regulation. “We don’t believe government has all the answers here.”

The proposal would give DHS more agility in recruiting and hiring critical security personnel, similar to the capabilities now enjoyed by DOD, and would expand personnel exchange programs with the private sector.

Individual and corporate privacy is also addressed in the proposal. Entities would be able to share information about cyber threats or incidents with DHS with immunity. The proposal would also mandate privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Sens. Joe Lieberman (I-Conn.), chairman of the Homeland Security and Governmental Affairs Committee; Susan Collins (R-Maine), the committee’s ranking member; and Tom Carper (D-Del.), chairman of the Federal Financial Management, Government Information, Federal Services and International Security Subcommittee, are the sponsors of a cybersecurity bill now before the Senate. In a joint statement, they said they look forward to working with the Obama administration on comprehensive cybersecurity legislation.

“The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos,” the lawmakers said in their statement. “We both recognize that the government and the private sector must work together to secure our nation’s most critical infrastructure — for example, our energy, water, financial, telecommunications and transportation systems. We both call for risk-based assessments of the systems and assets that run that infrastructure. We both designate the Department of Homeland Security to lead this effort, with the assistance of other federal agencies. And we both encourage the government and the private sector to use and refine best practices honed over years of experience.”
