The White House unveiled proposed cybersecurity legislation Thursday, weighing in on a topic that saw no fewer than 50 proposals in the last session of Congress.
White House Cyber Coordinator Howard Schmidt posted a blog explaining the legislation, emphasizing its collaborative approach to dealing with business.
"This is a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government; fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity. Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy," Schmidt wrote.
Schmidt acknowledged a fact many other observers highlighted: The Obama administration has been largely silent on the topic of cybersecurity directly since the release of its Cyberspace Policy Review about two years ago.
The crux of the legislation deals with information sharing. The White House would take a largely hands-off approach to businesses, but it would require them to inform consumers when they may have suffered a breach of their personal information.
The United States has 47 different state laws dealing with notification mandates, Schmidt noted, so the White House bill would consolidate those into one standard.
Cyber criminals would face tougher penalties under the bill, which would apply an existing law — the Racketeer Influenced and Corrupt Organizations Act — to cyber crimes.
The legislation would empower the Department of Homeland Security (DHS) to provide rapid consulting to private sector companies suffering from a cybersecurity problem. It would protect the proprietary information of those companies while codifying the ability of DHS to help with cyber intrusions.
Recognizing that private companies likely are going to be the first to encounter new cyber threats, the legislation would grant immunity to companies that share information on new viruses and the like with DHS. Under the proposal, DHS must protect such information to ensure it does not infringe on individual privacy and civil liberties.
The proposal addresses the need for private companies, as owners of 85 percent of critical infrastructure, to protect their systems. It would set up a program whereby DHS would identify the most important operators of critical infrastructure and prioritize cybersecurity threats for them. Companies would then develop their own means of dealing with those threats. The corporate solutions would face a third-party audit to verify their cybersecurity risk mitigation plans. DHS would work with companies that have insufficient plans to bring them up to an acceptable level.
DHS also would gain flexibility to hire cybersecurity experts and the authority to exchange experts with industry.
Generally, members of Congress welcomed direction from the White House on cybersecurity matters.
Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.), who have introduced the most prominent legislation in the Senate, hailed the White House proposal.
"The White House cybersecurity proposal released today is a welcome and necessary addition to the work we have been doing for the past several years to safeguard the American people from a cyber 9/11," Lieberman, Collins, and Carper said in a joint statement. "We know that private sector and government systems are probed daily by hackers, criminals, foreign nations, and terrorists and are frequently compromised. We also know that we need stronger defenses against these intrusions.
"The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos. We both recognize that the government and the private sector must work together to secure our nation’s most critical infrastructure, for example, our energy, water, financial, telecommunications, and transportation systems. We both call for risk-based assessments of the systems and assets that run that infrastructure. We both designate the Department of Homeland Security to lead this effort, with the assistance of other federal agencies. And we both encourage the government and the private sector to use and refine best practices honed over years of experience."
Rep. Mac Thornberry (R-Texas), who has been designated as the majority leader for producing cybersecurity legislation in the House, was silent on the issue Thursday.
But Rep. Bennie Thompson (D-Miss.), who has introduced a cybersecurity bill (HR 174), welcomed the involvement of the White House on the issue.
Stewart Baker, former DHS assistant secretary for policy, said the legislative proposal attacked the wrong problems in its requirements to collect data and impose privacy requirements on business while neglecting the true challenge in actual evaluations of corporate cybersecurity plans.
"I would call this weak tea, except the tea bag doesn’t seem to have actually touched the water," said Baker, now a partner at the law firm Steptoe and Johnson LLP. "The privacy and business groups that don’t want us to do anything serious about the cybersecurity crisis have captured yet another White House. This is disappointing considering the attention the crisis got during the Presidential campaign and at the start of the administration.
"At a time when foreign governments and criminals don’t just collect information on Americans, but have the ability to turn on the cameras and microphones in our homes while recording our keystrokes, the administration’s proposal shows no sense of urgency. It tells even critical industries on which our lives and society depend that they will have years before anyone from government begins to evaluate their security measures," Baker said in a statement to Homeland Security Today.
"It appears that the administration also wants to impose harsh new rules on companies who share information with the government while they’re under attack. If they don’t do an adequate job of scrubbing personal data from the data they share, they’ll face additional liability under this proposal," Baker lamented. "This seems to mean that, in the midst of a desperate battle with foreign-government-sponsored hackers, a US company that badly needs help from its government would first have to call in its lawyers and IT team to scrub any data the US government gets to see. It is quite possible that this proposal will actually yield less sharing about attacks in the future than we have today. That’s not progress."
The US Chamber of Commerce, which represents many American businesses, tentatively embraced the White House involvement in crafting cybersecurity legislation but stressed the need for voluntary collaboration between industry and government.