Communications Daily is a service of Warren Communications News.
Lacks ‘Kill Switch’

Lawmakers Give Qualified Praise to White House Cybersecurity Plan

The White House released its cybersecurity plan Thursday, and urged lawmakers to fortify the nation’s cybersecurity, critical infrastructure and federal networks. Notably absent from the proposal was any “kill switch” authority for the president to shut down Internet traffic during a cyberattack. Lawmakers applauded the White House move, but some said it was long overdue and made clear they wanted changes or provisions added from their own legislation. The plan was more than two years in development.


The Department of Homeland Security should lead the nation’s cybersecurity response, the report said, and lawmakers should expand DHS authority to address and modify the U.S. response to cybersecurity threats. The administration also suggested that DHS provide assistance to organizations victimized by cyberattacks and advocated better overall information sharing efforts between the public and private sectors.

The proposal seeks legislative changes in order to improve federal cybersecurity, it said. The plan specifically asks Congress to revise the Federal Information Security Management Act (FISMA), enhance intrusion prevention systems, increase federal cybersecurity recruitment and migrate to secure, cloud-based federal data storage. Any and all federal cybersecurity efforts must implement strong privacy protections and a cybersecurity framework that respects civil liberties, the White House said.

The proposal advocates greater corporate and federal transparency after data breaches and enhanced penalties for computer criminals. Operators of critical infrastructure, which includes the electricity grid, the financial sector and U.S. transportation networks, should employ third-party commercial auditors to identify and prioritize U.S. critical infrastructure vulnerabilities, the report said.

The White House proposal got a cautious nod from Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., and Sen. Olympia Snowe, R-Maine, sponsors of a cybersecurity bill that failed to move last year. Rockefeller and several other Senate committee chairmen sponsored a “broad placeholder” bill at the direction of Senate Majority Leader Harry Reid, D-Nev. (CD Jan 27 p10). Rockefeller called the White House proposal a “strong plan” that incorporates many elements of his bill with Snowe, such as close collaboration with business, and adds consumer protections for data breaches. Snowe said the “administration’s delay in providing critical input to the legislative process is regrettable,” but otherwise echoed Rockefeller’s comments. She said she told White House cyber coordinator Howard Schmidt Thursday morning that the administration must “come before Congress very soon to brief us on the reasoning behind its proposals.” Reid said separately that relevant Senate committees would “integrate their work” with the White House proposal in “coming weeks” and build on protections in legislation passed last Congress.

The White House proposal is a “welcome and necessary addition” to the Senate Homeland Security Committee’s work, said Chairman Joe Lieberman, I-Conn., Ranking Member Susan Collins, R-Maine, and Federal Financial Management Subcommittee Chairman Tom Carper, D-Del., in a joint statement. The Lieberman-Collins cybersecurity bill drew antipathy for a “kill switch” provision that was read as giving the President the authority to cut off Internet traffic in some circumstances, a provision later removed (CD March 8 p8). “The Senate and the White House are on the same track” with regard to protecting cybernetworks and critical infrastructure through public-private cooperation, “risk-based assessments” and the DHS lead on the matter, they said.

Congressional Cybersecurity Caucus co-founder Rep. Jim Langevin, D-R.I., also faulted the White House for having “moved slowly toward implementing” the recommendations from the Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th Presidency, which Langevin co-chaired. The White House proposal, while echoing some provisions Langevin has championed, “still leaves some areas of concern,” he said: It neglects to designate a cyber director to handle interagency coordination or lead a National Office for Cyberspace, or even give DHS authority over cybersecurity policy. “Congress must revisit this issue,” Langevin said. He said he also wants the administration to weigh in “more heavily” on the U.S. military posture in cyberspace, a subject Langevin took up at Wednesday’s markup of the National Defense Authorization Act.

TechAmerica called the White House proposal “a clear step forward” for the public-private cyber partnership. It should promote an “outcome-based, layered security approach” adopted voluntarily by business and avoid a “one-size-fits-all, mandated approach to cybersecurity,” the group said. The proposal also needs to draw a “bright line between critical and non-critical infrastructure” and lay out the “implications” for that designation, and provide liability protections for companies operating at the government’s behest, TechAmerica said.

The Information Technology Industry Council gave the proposal a backhanded compliment. The White House showed “much-needed leadership” on cybersecurity by offering the proposal, though “any first draft won’t be perfect,” said CEO Dean Garfield. The group suggested that the proposal doesn’t yet promote “extensive collaboration” between business and government. “The cybersecurity debate of 2011 is much different” than in years past, “and it’s clear that policymakers need to carefully assess how we effectively adapt to emerging threats, technologies and business models,” Garfield said. Software and Information Industry Association President Ken Wasch thanked the administration for promoting collaboration, providing resources for R&D, embracing cloud computing, and blocking states from requiring “localized IT infrastructures” under the proposal.