White House's cyber plan is weak on enforcement
Can businesses be relied on to do the job on their own?
Cybersecurity legislation recently proposed by the Obama Administration is hardly revolutionary. Its main purpose is to bolster the security of the nation’s information infrastructure by more clearly defining roles and responsibilities both in government and the private sector.
This is fine, as far as it goes, but the proposal stops short of ensuring the security of privately owned critical infrastructure. The Homeland Security Department would be given limited regulatory authority over core critical infrastructure (“really critical” critical infrastructure), but the enforcement sections are long on carrot and short on stick.
In letters to the leaders of the House and Senate, Jacob J. Lew, director of the Office of Management and Budget, outlined what the proposed legislation would do.
White House cyber plan would expand role of DHS, private sector
Under cybersecurity plan, agencies would answer to DHS
“The Administration's proposal would protect individuals by requiring businesses to notify consumers if personal information is compromised and clarifies penalties for computer crimes, including mandatory minimums for critical infrastructure intrusions,” the letter says. “The proposal would improve critical infrastructure protection by bolstering public-private partnerships with improved authority for the federal government to provide voluntary assistance to companies and increase information sharing. It also would protect federal government networks by formalizing management roles, improving recruitment of cybersecurity professionals, and safeguarding the nation's access to cost-effective data storage solutions.”
What is just as significant is what the proposal does not do. It does not mention the cybersecurity coordinator, appointed in 2009 as the first item in the near-term recommendations from the Cyberspace Policy Review. By leaving this out of legislation, the position, now filled by Howard A. Schmidt, remains outside congressional oversight.
It also does not mention presidential authority to take action during a cyber emergency, the controversial “kill switch” provision included in a bill now pending in the Senate. The president already has plenty of emergency authority under existing telecommunications law, White House officials have said.
Finally, it gives DHS responsibility for ensuring that operators of covered critical infrastructure maintain adequate cybersecurity plans in line with industry consensus best practices and standards, but it does not say how this is to be enforced.
The plans would be vetted by accredited third-party auditors and approved by DHS. If DHS does not approve, it has a set of tiered options: Enter into discussions with the owner or operator; issue a public statement after discussions; and finally, “take such other action as may be determined appropriate.”
Except that DHS shall not, “issue a shutdown order, require use of a particular measure or impose fines, civil penalties, or monetary liabilities on the owner or operator of the covered critical infrastructure as a result of such review."
It probably is a good idea not to have DHS issue shutdown orders or to require that specific technology be used in a security plan. But with civil penalties, fines and monetary liabilities also off the table it is hard to see what leverage the department has beyond cajoling and issuing public statements.
This framework is a reflection that “we don’t believe government has all the answers here,” a DHS official said.
Industry officials point out that private sector companies have a vested interest in maintaining adequate security and that regulation should be kept at a minimum. But companies have always had that interest, and to date it has not translated into adequate security. Epsilon and Sony had vested interests in securing their infrastructures, yet both have suffered embarrassing and damaging breaches. Relying on a company to look after its own best interests is not an adequate policy for protecting the public’s interest.
Administration officials have said that the proposed legislation is not a finished product, but a starting point for discussions with Congress and the private sector. Should this ever mature into an actual bill, it should contain stronger provisions for enforcing critical infrastructure security.