The White House on Thursday unveiled a long-delayed legislative proposal for cybersecurity that, among other things, calls on industries critical to the nation’s economy and security to create plans — vetted by the government — for securing their computer systems.
At the same time, the proposal places penalties on companies that fail to scrub personal identifying information from certain data shared with the government.
In a nationally televised speech in May 2009, President Obama proclaimed computer networks a strategic national asset and said protecting them is a matter of national and economic security.
The White House has sought to develop a proposal for cybersecurity legislation that would satisfy security hawks and privacy advocates. Most notably, it has sought to win the support of the private sector, which owns and operates most of the nation’s networks.
Among other measures, the new package would create a federal data breach notification law, clarify penalties for computer crimes and set minimum penalties for intrusions into critical systems. It drew cautious praise from key lawmakers, who mostly stressed their relief at finally having something from the White House; Senate Majority Leader Harry M. Reid (D-Nev.) and other lawmakers had urged Obama in July to provide his administration’s views on cybersecurity legislation.
Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate Commerce Committee, said Thursday that the proposal mirrors elements of a bill that he and Sen. Olympia J. Snowe (R-Maine) introduced last year. It included a similar measure that called on critical networks, such as energy providers, to develop plans. As with the White House proposal, it provided for an independent, third-party auditor to assess the adequacy of the provider’s network security plan.
Under the White House measure, a summary of the provider’s plan must be made public. If the plan fails to reduce computer network risks, the Department of Homeland Security can modify it. The proposal would also require the provider to report to DHS any “significant cybersecurity incident.” The administration would have the ability to publicly name companies that fail to achieve adequate cybersecurity.
“We worked long and hard to come up with a framework that would enable industry to figure out the best way to protect itself,” said a senior DHS official, who spoke on the condition of anonymity because of White House rules.
Phil Bond, president and chief executive of TechAmerica, an industry group, said consultation with industry is key because cyber threats evolve so rapidly that “a mandatory, one-size-fits-all” approach would be counterproductive. He said industry wants to see protection against lawsuits for companies that are attempting to comply with rules and standards.
Kristin Lord, vice president and director of studies at the Center for a New American Security, said the administration is trying to persuade “critical infrastructure providers to do the right thing by holding out the implied threat of regulation.”
But Stewart Baker, a former DHS assistant secretary for policy, called the package “weak tea.” The proposal, he said, “shows no sense of urgency. It tells even critical industries on which our lives and society depend that they will have years before anyone from government begins to evaluate their security measures.”
Rep. Jim Langevin (D-R.I.), cofounder of the Congressional Cybersecurity Caucus, has proposed more direct regulation of industry but, an aide said, is open to a compromise. In a statement, Sens. Joseph I. Lieberman (I-Conn.), Susan Collins (R-Maine) and Thomas R. Carper (D-Del.) said the White House was “on the same track” as the Senate. Both designate DHS to lead the effort to protect critical infrastructure, they said.
To encourage a fuller understanding of the scale of cyber breaches, Rockefeller on Thursday urged the Securities and Exchange Commission to clarify corporate disclosure requirements so that companies know they must report significant computer network breaches in their annual filings.