The Obama Administration outlined a national cybersecurity legislative proposal aimed building a public/private partnership in securing critical infrastructure while protecting civil liberties and privacy. The proposal seeks to provide the government with better tools to detect and prevent cyber attacks on federal networks, power grids, water systems, and other critical “wired” systems.
Under the proposal, the Department of Homeland Security (DHS) will implement intrusion detection and prevention systems to address such attacks. It would also establish a framework for protecting privacy and civil liberties by requiring new oversight, reporting requirements, and annual certification to ensure that cybersecurity technologies are used for their intended purpose and nothing more.
Some specifics of the plan:
National Data Breach Reporting. There would be a national law that requiring businesses to notify consumers when a data breach occurs with the potential for identity theft. The national law would supersede the 47 different state laws currently in effect.
Penalties for Computer Criminals. The proposal would apply the Racketeering Influenced and Corrupt Organizations Act (RICO) to cyber crimes, providing stronger measures against criminal organizations involved in cyber attacks.
Voluntary Government Assistance to Industry, States, and Local Government. Clarifies the assistance that DHS can provide to other government agencies and businesses that are under cyber attack.
Voluntary Information Sharing by Industry, States and Local Government. Provides immunity to industry, states and local governments when sharing cybersecurity information with DHS.
Critical Infrastructure Cybersecurity Plans. Requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans. Operators who are already required to report to the Security and Exchange Commission would also have to certify that their plans are sufficient.
DHS Authority. The proposal makes permanent DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers. Internet Service Providers (ISPs) implement these systems on behalf of DHS, blocking attacks against government computers. The Attorney General currently reviews and provides immunity for those ISPs, as necessary, to provide that service, and the proposal streamlines that process.
Data Centers. The proposal prevents states from requiring companies to build their data centers in that state for delivering cloud services to the government, except where expressly authorized by federal law.http://
