Internet providers likely critical under White House cyber policy

Internet service providers, banks, and hospitals could face federal regulation under the White House's cybersecurity proposals, top administration officials told the Senate on Tuesday.

Although the legislation proposed by the White House doesn't specifically outline what private sector industries could be considered "critical infrastructure" and thus subject to more government oversight, Greg Schaffer, Department of Homeland Security acting deputy undersecretary, told the Senate Judiciary Subcommittee on Crime and Terrorism that ISPs would likely be among those targeted for increased federal protection. More traditional infrastructure such as utilities and transportation are broadly accepted as vital services in need of government oversight.

Schaffer said financial services and health care providers could also be considered critical infrastructure in some circumstances.

"The administration proposal requires DHS, in consultation with appropriate agencies, to work with industry to identify the nation's core critical infrastructure and to prioritize the most important cyber risks to that infrastructure," Schaffer and cybersecurity officials from the Justice Department and the National Institute of Standards and Technology said in a joint statement.

They outlined the White House plan to protect such infrastructure, saying it calls for voluntary government assistance, information sharing, and transparency to ensure that critical infrastructure operators protect their systems.

"We are reaching critical mass, where our citizens are finally becoming aware of the threats that exist online, but a major catastrophe has not yet fallen on our digital shores," said Rep. Jim Langevin, D-R.I., who has proposed cybersecurity legislation and also testified at the Senate hearing.

"Inevitably, once such an event does occur, there will be strong and irresistible calls for broader measures that could overreact to a new threat. We must act now to implement sensible policies that enhance both security and privacy, before we are faced with a set of decisions that could fundamentally alter one of the most incredible tools of our time."

In a separate hearing of the Senate Banking, Housing, and Urban Affairs Committee, Sen. Robert Menendez, D-N.J., called for more regulations to require companies to tell their customers when they have been hacked.

"It seems to me there is a fiduciary responsibility by the entity to proactively tell their customer that has happened," Menendez said.

When more than 300,000 accounts at Citigroup were hacked earlier this year, Menendez said one of his staffers only discovered he was among the victims when his credit card was declined.

Leigh Williams, president of the BITS technology policy division of The Financial Services Roundtable, agreed that companies have a responsibility to notify their customers.

"I think that as soon as an institution understands what has occurred, they have an obligation to notify their regulators, under regulatory rules, and they have a fiduciary and a business responsibility to notify customers if there's any way those customers can begin to take action to protect themselves," Williams told the panel.