Facing a growing flood of computer-based threats to the nation, the Obama administration on Thursday unveiled new proposals intended to press Congress to pass new cybersecurity laws.
There's little question that Congress needs leadership on the issue. With 50 cyber-related bills in the last session of Congress, Senate majority leader Harry Reid (D) of Nevada and a half dozen Senate committees wrote the president, asking for his take on cybersecurity legislation.
Response to the plan has been mixed, with one cybersecurity veteran dismissing it as showing "no urgency," while another argued that it was a step in the right direction. What no one disputes is the need for prompt congressional action.
"I'm relieved that they have finally come up with a position, since there's now a much better chance we'll see movement in Congress," says Michael Assante, former chief security officer for the North American Electric Reliability Corporation. "I've been disappointed we've been holding our breath so long on what standards will emerge. We've definitely suffered damage – and the longer we wait the more trouble we're in."
Under the plan:
- Penalties for computer criminals would be toughened.
- Companies would be required to report theft of customer information under a single federal standard.
- Government would be empowered to assist companies hit by cyberattacks, while companies would receive protections so they can share threat information with government.
- The Department of Homeland Security (DHS) would be put squarely in charge of protecting federal agencies.
- Perhaps most important, the plan claims to boost cyber-protection for "critical infrastructure" industries like utility companies that operate the power grid or water companies that control water supplies. Such industries would be mandated to set standards and then have independent auditors to measure how well they measure up. If the standards were too lax, the DHS would have latitude to toughen them.
"Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyberintrusions, and cybercrime has increased dramatically over the last decade," the White House said in a statement. "It has become clear that our nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated."
But critics say the proposal gives industry too much latitude to set up its own cybersecurity plans.
The White House proposal "shows no sense of urgency," Stewart Baker, a cybersecurity expert and former assistant secretary for policy at DHS said in an e-mailed statement. "It even tells critical industries on which our lives and society depend that they will have years before anyone from government begins to evaluate their security measures."
He noted that foreign governments and criminals not only can collect private and financial information, they can now turn on a computer's camera or microphone while recording keystrokes of Americans in their own homes. That threat level deserves a more robust response, he says.
Other experts, though, say the Obama administration laid out exactly what is needed: a market-based approach that won't scare companies but will "incentivize critical industries" to set up "learning" security programs that are able to respond to an ever-changing threat.
That is key, Mr. Assante says. It only takes a few months for cybercriminals to figure out ways to defeat new standards that were perhaps years in the making. What's needed is a "learning" system that's flexible and involves companies in voluntarily moving in the right direction.
To do this, the government will have to watch performance like a hawk and remain tightly engaged in the process, says Assante. The White House's proposal for regular audits of industry-set standards is basically good, he suggests, but much depends on how well those audits are run.
"What they're going for here is a hybrid model," he says. "Yes, it's a business-friendly model. It says: 'We give you the latitude because you're the experts. So we'll backstop you.' The problem is that open processes like this can go wrong easily if they're corrupted by vendors."