President Obama wants the Department of Homeland Security to work with the private sector to set security standards for critical parts of the nation's cyberinfrastructure like the power grid, according to detailed legislative guidance the White House sent to Congress on Thursday.
Government-certified private-sector inspectors would then verify that such systems are safe.
A white paper sent to Capitol Hill by the president’s cyberpolicy team includes specific recommendations designed to bridge differences between competing cybersecurity bills in Congress and speed a bill to the president’s desk by the end of the year, an administration official said.
Obama was the first president to devote a speech entirely to cybersecurity, and the new guidance represents the most detailed legislative advice ever offered to Congress on the subject.
The written advice does not address several key questions, such as the creation of a Senate-confirmable cybersecurity director who would report to the secretary of Homeland Security. That's something that the senators on the Homeland Security and Governmental Affairs Committee want included in any legislation. Nor does the White House indicate what it thinks about whether the President can temporarily control parts of the Internet during a major cyber crisis.
On a conference call with reporters, a White House official said that the President believes the extent of his emergency powers is sufficient and that no new laws are needed to clarify them.
The proposals, which were described to National Journal, cover a spectrum of issues, including civil liberties, data breaches, and hacking. The government’s ability to mitigate cyberhazards on private networks would increase, but it promises to create a robust system of privacy oversight to make sure that the government does not misuse the information. The attorney general would have to approve every instance where cyberinformation provided to the government would be used for criminal law enforcement.
Also, the government would codify immunity given to Internet service providers who help the government block malicious threats to government systems, preparing at the same time a regime to notify Congress and review the extent of the interactions between the government and the private sector.
The administration wants to standardize reporting of data breaches and would set mandatory minimum sentences for certain cybercrimes. In an effort to spread the use of cloud computing, the administration's proposal would forbid states from requiring companies to locate data centers in their states.
Because private companies might share personal details about customers or patients if the system that stores the data is corrupted or has been attacked and the company seeks government help, the administration wants Congress to come up with procedures DHS and the companies would use to minimize government access to those details. Before a company shares information with the government for non-law-enforcement purposes, it would have to remove identifying information to the best extent possible. Also, any information stored by the government would be limited to protecting against threats. DHS will not be able to apply its intrusion-detection systems to private computer networks, but will be able to share technical data upon request, and will also be able to share information with private ISPs about potential cyberthreats.
Sensitive to industry concerns about a market-stifling, central cyberpolicing mechanism, Congress has coalesced around the approach that the White House is endorsing. It would allow independent but government-certified inspectors to rule that critical infrastructure in the hands of private companies is secure. The government would set the standards through rulemakings and industry-led processes. To compel participation, however, the government would push to make the contracts it awards contingent, in part, on how well a particular company’s cyberassets are protected. If industry doesn't come up with stringent enough standards, "DHS has the residual authority" to come up with its own, a senior Homeland Security official told reporters.
Two Senate bills, one sponsored by the Commerce Committee and the other by the Homeland Security Committee, overlap significantly, with most of the differences having been soldered over. The House is taking a wait-and-see approach, allowing the Senate to write the first draft of any major bill. But it will likely act quickly once the Senate passes legislation. Members of Congress have been frustrated by the lack of engagement by the White House on several critical questions, including standards for basic cybersecurity, for cyberwarfare, and for privacy protections.
Civil-liberties and public-interest groups are certain to scrutinize the extent to which any information can be shared for any purpose, worrying that the government is trying to expand its ability to snoop on Americans' private Internet use. For its part, the White House insists that it only wants to harmonize cybercrime enforcement with other types of criminal investigations.
The FBI has complained that companies often won't share Web-based data because the laws are not clear and they fear lawsuits. From the perspective of civil-liberties advocates, however, the Internet is a fundamentally different type of domain, and privacy protections against government intrusions and corporate sharing of their data should be stronger than usual.
"The administration's proposal is laudable in that it tackles many tough issues in concrete terms -- but the organizational dimension is not one of them," said Nate Olson, deputy director for congressional affairs at the Project on National Security Reform.
"It does not say how we achieve genuine unity of effort, which for a mission as complex as cybersecurity is absolutely key. Leaving significant management authority in a single department, be it DHS or elsewhere, won't get the job done." Olson and others endorse "an accountable Senate-confirmed official who leads an interagency team empowered by Congress to direct the national mission with a singular focus."
The White House opposes any new position, two administration officials told National Journal.