CYBEREYE

White House's cyber plan is weak on enforcement

Can businesses be relied on to do the job on their own?

Cybersecurity legislation recently proposed by the Obama Administration is hardly revolutionary. Its main purpose is to bolster the security of the nation’s information infrastructure by more clearly defining roles and responsibilities both in government and the private sector.

This is fine, as far as it goes, but the proposal stops short of ensuring the security of privately owned critical infrastructure. The Homeland Security Department would be given limited regulatory authority over core critical infrastructure (“really critical” critical infrastructure), but the enforcement sections are long on carrot and short on stick.

In letters to the leaders of the House and Senate, Jacob J. Lew, director of the Office of Management and Budget, outlined what the proposed legislation would do.

“The Administration's proposal would protect individuals by requiring businesses to notify consumers if personal information is compromised and clarifies penalties for computer crimes, including mandatory minimums for critical infrastructure intrusions,” the letter says. “The proposal would improve critical infrastructure protection by bolstering public-private partnerships with improved authority for the federal government to provide voluntary assistance to companies and increase information sharing. It also would protect federal government networks by formalizing management roles, improving recruitment of cybersecurity professionals, and safeguarding the nation's access to cost-effective data storage solutions.”

What is just as significant is what the proposal does not do. It does not mention the cybersecurity coordinator, appointed in 2009 as the first item in the near-term recommendations from the Cyberspace Policy Review. By leaving this out of legislation, the position, now filled by Howard A. Schmidt, remains outside congressional oversight.

It also does not mention presidential authority to take action during a cyber emergency, the controversial “kill switch” provision included in a bill now pending in the Senate. The president already has plenty of emergency authority under existing telecommunications law, White House officials have said.

Finally, it gives DHS responsibility for ensuring that operators of covered critical infrastructure maintain adequate cybersecurity plans in line with industry consensus best practices and standards, but it does not say how this is to be enforced.

The plans would be vetted by accredited third-party auditors and approved by DHS. If DHS does not approve, it has a set of tiered options: Enter into discussions with the owner or operator; issue a public statement after discussions; and finally, “take such other action as may be determined appropriate.”

Except that DHS shall not “issue a shutdown order, require use of a particular measure or impose fines, civil penalties, or monetary liabilities on the owner or operator of the covered critical infrastructure as a result of such review.”

It probably is a good idea not to have DHS issue shutdown orders or to require that specific technology be used in a security plan. But with civil penalties, fines and monetary liabilities also off the table, it is hard to see what leverage the department has beyond cajoling and issuing public statements.

This framework is a reflection that “we don’t believe government has all the answers here,” a DHS official said.

Industry officials point out that private sector companies have a vested interest in maintaining adequate security and that regulation should be kept at a minimum. But companies have always had that interest, and to date it has not translated into adequate security. Epsilon and Sony had vested interests in securing their infrastructures, yet both have suffered embarrassing and damaging breaches. Relying on a company to look after its own best interests is not an adequate policy for protecting the public’s interest.

Administration officials have said that the proposed legislation is not a finished product, but a starting point for discussions with Congress and the private sector. Should this ever mature into an actual bill, it should contain stronger provisions for enforcing critical infrastructure security.

Reader Comments

Thu, Jun 2, 2011

Cyber security is not the government's job. It's my job and yours to keep personal information safe and to seek out companies that have a proven track record of keeping data secure. The "Kill Switch" proposal is a bad idea. Imagine the economic holocaust that would occur if such power was given to one person. The ability of the government to cut you off from information (North Korea does that to its citizens already), your bank accounts, buying and selling of the multibillion dollar product line of both online and retail outlets. No internet means businesses wouldn't be able to process credit cards. No gas, food, entertainment, or anything else you can think of would be able to be purchased with ATM or credit cards. The stock market ramifications of $0 dollars earned on that day across the board would be the worst in all of history, making the Great Depression seem like a plentiful feast. All this because of a government declared "National Emergency" or is it in the name of "National Security". I put my trust elsewhere. Oh yeah, how about in the name of "Jesus" for security. Now there's something you can really depend on.