Napolitano backs Senate cybersecurity bill, industry reporting requirement

By Aliya Sternstein

February 16, 2012

Pablo Martinez Monsivais/AP

This story was updated to clarify the agencies that would be required to share real-time threat information with companies.

Homeland Security Department Secretary Janet Napolitano told lawmakers the White House approves of new Senate computer security legislation that would require critical sectors to report network intrusions to the government.

The endorsement came during a House hearing Wednesday, the day before Napolitano was slated to testify on the measure, S. 2105, before its authors on the Homeland Security and Governmental Affairs Committee. The 205-page package -- a compromise bill among numerous competing measures -- would grant the federal government the power to address penetrations into private networks.

"The administration supports the bill that was introduced in the Senate this week," Napolitano said on Wednesday during a House Appropriations Homeland Security Subcommittee hearing on the department's funding request for fiscal 2013.

The information-sharing measures that she supports would involve businesses whose computers are vital to U.S. financial markets, power grids, transportation systems and other services that if disrupted could cause mass casualties, prolonged evacuations or catastrophic economic damage. Covered companies would have to inform the government about "significant cyber incidents" that jeopardize their systems. If they fail to notify Homeland Security or a sector-specific agency, the firms could be subject to civil penalties.

In return, DHS, the Defense Department and the Director of National Intelligence would be required to share relevant, real-time threat information with the companies.

Within the banking industry and stock exchanges, "right now, if we learn of a breach or are informed of a breach or intrusion, we immediately offer aid and response to repair, to patch, to mitigate, and we also look for whether there could be other systems around the country that could be affected by the same virus," Napolitano said.

"But there's no requirement for information exchange in that regard," she added. "We don't know that actually we get all the information we need from that critical piece of the economy."

Industry and partisan bickering this election year could punt passage of any cyber measure to 2013, private consultants say. Several of the legislation's underlying bills have lingered in the Senate for nearly two years. Meanwhile, the publicity surrounding criminal and nation-state hacks has spiked and the financial toll has reached an estimated $114 billion annually.

Cooperation with the private sector "can be more episodic than systemic and, given the given the size of the problem, we really need much more involvement by the private sector," Napolitano said.

The Pentagon recently handed Homeland Security control of a pilot program that shares classified threat intelligence with select defense contractors. The popularity of the program has sparked discussion of letting commercial companies in other critical sectors participate. The Senate proposal would do just that.

As for protecting its own computers, Homeland Security is working to speed installation of a governmentwide intrusion detection and prevention system that is behind schedule.

"This is an area of constant creativity by our adversaries," Napolitano said.

The detection part of the "Einstein" program -- that was scheduled for completion in 2011 -- has been deployed at 17 of the 19 covered agencies, she said. The department's budget proposal asks for $345 million to "expedite the deployment" of the prevention component, which is able to stop infiltrators in certain instances. Last year, Napolitano made a $234 million request to expedite the deployment of that system.


By Aliya Sternstein

February 16, 2012

http://www.nextgov.com/cybersecurity/2012/02/napolitano-backs-senate-cybersecurity-bill-industry-reporting-requirement/50652/