The White House on Thursday sent Congress a formal proposal for cybersecurity legislation to help Senate lawmakers craft a passable bill from 50-some measures currently pending in both chambers.
The long-awaited framework would formally grant the Homeland Security Department oversight of cybersecurity operations within civilian federal agencies -- a role it has played in practice since last summer. Given the dearth of cyber experts in civilian agencies, the proposal would give DHS the same flexibility the Pentagon currently has to rapidly hire skilled professionals at competitive salary levels, Obama administration officials told reporters during a Thursday conference call.
The guidelines, which were expected to be released later on Thursday, largely rely on industry's know-how and willing compliance to certify their systems are safe and ask for federal assistance when attacked.
The proposal is silent on several sticking points, including cyberwarfare, classified information and the criteria for so-called critical infrastructure -- or systems that, if disrupted, could wreak havoc on national security. Such networks would be subject to greater regulation under a key Senate bill sponsored by the leaders of the Homeland Security and Governmental Affairs Committee. The White House framework also stays clear of a dispute over whether the president should have the power to hit a "kill switch," shutting down the Internet during emergencies.
The guidelines were prompted by a request from Senate Majority Leader Harry Reid, D-Nev., and chairmen of the committees with jurisdiction over computer security for input from President Obama on the various congressional proposals, White House officials said. The HSGAC and commerce panels passed comprehensive cybersecurity legislation about a year ago, while numerous other congressional panels and individual members have introduced their own piecemeal measures. The executive branch took about a year to reach consensus on which provisions agencies would support and what new ones they would propose.
The proposal would make so-called intrusion prevention systems a permanent fixture in the federal government, according to a fact sheet. As opposed to intrusion detection systems, which flag attacks and alert the appropriate responders, prevention software can actively respond by blocking intrusions. The guidelines say DHS should have the authority to supervise all such programs, including the existing "Einstein" tool. Internet service providers also would have to use the applications for any government traffic they manage.
The White House plan touches on one security element of a growth area in government IT: cloud computing. The practice allows organizations to access computer power, storage and software stored on the Internet by a third-party provider, rather than build on-site server farms. Administration officials are concerned that state protectionist measures are hampering the cloud industry, so the proposal would block state governments from requiring that companies in their states build data centers there, unless authorized by federal law, the fact sheet stated.
The guidelines would enable industry to obtain immediate assistance from Homeland Security in responding to an intrusion, if they wish, officials said. Currently, when organizations ask DHS to review logs to determine when a hacker attacked, the department's ability to intervene is slowed by legal uncertainty. To protect individuals, if a firm or local government wants to share such information with DHS, the organization must first strip out identifying information that is irrelevant to the infraction, according to the fact sheet.
Companies and local governments would be granted immunity for sharing information with the federal government about new computer viruses and cyber events that have compromised their systems. Should entities choose to provide such information, their customers' privacy would not be violated, according to the proposal.
White House officials said their proposal focuses on transparency and incentives to ensure companies managing networks for critical infrastructure in industries like energy and banking are accountable for service continuity. The draft bill directs Homeland Security and the private sector to jointly figure out which operations are the most critical and prioritize the most important threats to those services. An outside commercial auditor would assess the company's plans for mitigating such vulnerabilities.
On the consumer side, the proposal would require that businesses notify customers of certain data breaches to reduce the risk of identity theft. Sony recently took heat for not immediately telling customers that perpetrators had infiltrated the company's online gaming and music networks. The administration's plan would loop together a patchwork of 47 state laws on data breach reporting.
Many in the legislative branch and business community applauded the White House plan on Wednesday.
"The Senate and the White House are on the same track to make sure our cyber networks are protected against an attack that could throw the nation into chaos," HSGAC Chairman Joe Lieberman, I-Conn., ranking Republican Susan Collins, R-Maine, and Federal Financial Management Subcommittee Chairman Tom Carper, D-Del., said in a joint statement. The Senate and the administration "both recognize that the government and the private sector must work together to secure our nation's most critical infrastructure, for example, our energy, water, financial, telecommunications and transportation systems. We both call for risk-based assessments of the systems and assets that run that infrastructure."
The trio agreed with the administration that Homeland Security should take the lead in safeguarding civilian cybersecurity. Other lawmakers, particularly in the House, say the Defense Department, with its established expertise and deep pockets, should play a larger role in guarding U.S. networks. Currently, the Pentagon can monitor only the .mil domain and many civil liberties advocates would like to keep it that way.
Commerce Committee leaders also largely praised the proposed measure. "The White House has presented a strong plan to better protect our nation from the growing cyber threat," Chairman John D. "Jay" Rockefeller, D-W.Va., said in a statement. "I look forward to continuing to work with the White House, and my colleagues in the House and Senate, to pass a comprehensive cybersecurity bill this year."
Ranking member Sen. Olympia Snowe, R-Maine, said, "While the administration's delay in providing critical input to the legislative process is regrettable, it is my understanding that the administration proposal parallels many of the objectives, particularly pertaining to modernizing the public-private partnership, that Sen. Rockefeller and I have advocated."
Officials with trade group TechAmerica generally supported Obama's framework but said they had lingering questions about the flexibility the proposal grants firms to tailor their security strategies.
"The administration's proposal is a clear step forward in the process and we hope that it strikes the right balance between accountability and innovation in this shared responsibility between the public and private sectors," TechAmerica President Phil Bond said in a statement.
"We encourage Congress and the administration to draw a bright line between critical and noncritical infrastructure," Bond said. "Industry and government need to work together to make the right determinations for what is critical, and what the implications are for that designation."
Should the government require firms to take certain actions, the law must provide liability protections to shelter companies from any unanticipated consequences, he said.
Given that the Senate has been pursuing cybersecurity legislation in a bipartisan fashion, and both parties in the House last year actually passed elements of the White House proposal, the expectation is that a law could be enacted this year.
Disagreements over engagement in cyberwar or the job of the Pentagon's National Security Agency and the new U.S. Cyber Command likely will be worked out in separate legislation. Pending House defense and intelligence authorization bills, for instance, address cyberwarfare and require the development of systems for detecting unauthorized activities on classified networks.
But talks on the civilian-oriented bill may take months, especially since all sides appear to want industry involved in the vetting process. One item overlooked in the White House proposal that Congress wants -- the creation of a Senate-confirmed cyber czar -- may take some time to negotiate. And Congress has never considered some of the information-sharing measures the White House introduced on Thursday.