President Obama wants the Department of Homeland Security to work with the private sector to set security standards for critical parts of the nation's cyberinfrastructure like the power grid, according to detailed legislative guidance the White House sent to Congress on Thursday.
Government-certified private-sector inspectors would then verify that such systems are safe.
A white paper sent to Capitol Hill by the president’s cyberpolicy team includes specific recommendations designed to bridge differences between competing cybersecurity bills in Congress and speed a bill to the president’s desk by the end of the year, an administration official said.
PICTURES: Who is in the 'Gang of Six?'
Will Mitch Daniels Run? Ask His Wife
Baker Stuns With Abrupt Move From FCC to Comcast
PICTURES: Inside Bin Laden's Compound
Bin Laden Journal Reveals Planning, Possible Targets
Obama was the first president to devote a speech entirely to cybersecurity, and the new guidance represents the most detailed legislative advice ever offered to Congress on the subject.
The written advice does not address several key questions, such as the creation of a Senate-confirmable cybersecurity director who would report to the secretary of Homeland Security. That's something that the senators on the Homeland Security and Governmental Affairs Committee want included in any legislation. Nor does the White House indicate what it thinks about whether the President can temporarily control parts of the Internet during a major cyber crisis.
On a conference call with reporters, a White House official said that the President believes the extent of his emergency powers are sufficient and that no new laws are needed to clarify them.
The proposals, which were described to National Journal, cover a spectrum of issues, including civil liberties, data breaches, and hacking. The government’s ability to mitigate cyberhazards on private networks would increase, but it promises to create a robust system of privacy oversight to make sure that the government does not misuse the information. The attorney general would have to approve every instance where cyberinformation provided to the government would be used for criminal law enforcement.
Also, the government would codify immunity given to Internet service providers who help the government block malicious threats to government systems, preparing at the same time a regime to notify Congress and review the extent of the interactions between the government and the private sector.
The administration wants to standardize reporting of data breaches and would set mandatory minimum sentences for certain cybercrimes. In an effort to spread the use of cloud computing, the administration's proposal would forbid states from requiring companies to locate data centers in their states.
Because private companies might share personal details about customers or patients if the system that stores the data is corrupted or has been attacked and the company seeks government help, the administration wants Congress to come up with procedures DHS and the companies would use to minimize government access to those details. Before a company shares information with the government for non-law-enforcement purposes, it would have to remove identifying information to the best extent possible. Also, any information stored by the government would be limited to protecting against threats. DHS will not be able to apply its intrusion-detection systems to private computer networks, but will be able to share technical data upon request, and will also be able to share information with private ISPs about potential cyberthreats.
Sensitive to industry concerns about a market-stifling, central cyberpolicing mechanism, Congress has coalesced around the approach that the White House is endorsing. It would allow independent but government-certified inspectors to rule that critical infrastructure in the hands of private companies is secure. The government would set the standards through rulemakings and industry-led processes. To compel participation, however, the government would push to make the contracts it awards contingent, in part, on how well a particular company’s cyberassets are protected. If industry doesn't come up with stringent enough standards, "DHS has the residual authority" to come up with their own, a senior Homeland Security official told reporters.
Two Senate bills, one sponsored by the Commerce Committee and the other by the Homeland Security Committee, overlap significantly, with most of the differences having been soldered over. The House is taking a wait-and-see approach, allowing the Senate to write the first draft of any major bill. But it will likely act quickly once the Senate passes legislation. Members of Congress have been frustrated by the lack of engagement by the White House on several critical questions, including standards for basic cybersecurity, for cyberwarfare, and for privacy protections.
Civil-liberties and public-interest groups are certain to scrutinize the extent to which any information can be shared for any purpose, worrying that the government is trying to expand its ability to snoop on Americans' private Internet use. For its part, the White House insists that it only wants to harmonize cybercrime enforcement with other types of criminal investigations.
The FBI has complained that companies often won't share Web-based data because the laws are not clear and they fear lawsuits. From the perspective of civil-liberties advocates, however, the Internet is a fundamentally different type of domain and that privacy protections against government intrusions and corporate sharing of their data should be stronger than usual.
"The administration's proposal is laudable in that it tackles many tough issues in concrete terms -- but the organizational dimension is not one of them," said Nate Olson, deputy director for congressional affairs at the Project on National Security Reform.
"It does not say how we achieve genuine unity of effort, which for a mission as complex as cybersecurity is absolutely key. Leaving significant management authority in a single department, be it DHS or elsewhere, won't get the job done." Olson and others endorse "an accountable Senate-confirmed official who leads an interagency team empowered by Congress to direct the national mission with a singular focus."
The White House opposes any new position, two administration officials told National Journal.
The White House guidance says nothing about presidential powers during an emergency, including whether the president has the right to segregate parts of the private cyberinfastructure if he feels they pose a significant danger during an emergency situation. Congress wants the president to have this authority but also wants to circumscribe it and force the president to report triggering what detractors call an "Internet kill switch."
Two weeks ago, the White House rolled out its National Strategy for Trusted Identities in Cyberspace, which aims to speed to market secure means to buy, sell, trade, and participate on social networks in ways that are protected from outside intrusion. But its Office of Cyber Policy has been relatively otherwise, with director Howard Schmidt playing a behind-the-scenes role coordinating the scaling up of efforts to secure the .gov and .mil domains, as well as boosting the federal government’s interaction with the private sector. He meets weekly with counterparts across the government, holding what one official called “deconflicting” sessions. The new military Cyber Command is still in the build-up phase, but defense and intelligence cyberactivities are being better coordinated, officials said.
The White House says it has completed all 10 "near-term" actions recommended by its own cyberpolicy review, which was released in June 2009. That includes the standing up of a cybersecurity policy office, the appointment of a civil liberties and privacy official, the creation of a national public awareness campaign about cybersecurity, and the development of a process to create interntional legal standards for cyberengagement. The Department of Homeland Security has created a cybersecurity incident response plan, though its mechanisms are not at capacity. It has been tested via exercises.
Last summer, Senate Majority Leader Harry Reid, D-Nev., told the White House he would work to bridge the differences within his chamber and send a bill to the White House before the end of the year, but that was delayed by the midterm elections. Cyber legislation was then knocked down a few rungs because of the high-profile budget fight in Congress. But now, House Republicans have appointed staff to the key committees and informal meetings are restarting.
Both the bipartisan 2012 intelligence authorization and House Armed Services Chairman Buck McKeon’s chairman’s mark of the defense authorization bill urge the White House to clarify how the U.S. military can use cyberwarfare. McKeon wants the Defense secretary given explicit authority to approve all such operations, even though they are conducted at the behest of intelligence agencies. The intelligence committees are keen to delegate that authority, arguing that cyberoperations are part of the toolkit that the community can use when the president authorizes covert action in a particular country. The Judiciary Committee remains concerned about the extent to which the National Security Agency and the Homeland Security Department cooperate to protect civilian, military, and government domains.
Want the news first every morning? Sign up for National Journal’s Need-to-Know Memo. Short items to prepare you for the day.
This article appears in the May 12, 2011 edition of National Journal Daily PM Update.