BreachExchange mailing list archives

White House proposes cybersecurity legislation


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 12 May 2011 15:15:45 -0400

http://news.cnet.com/8301-31921_3-20062277-281.html

The White House today sent Congress a proposed cybersecurity law
designed to force companies to do more to fend off cyberattacks, a
threat that has been reinforced by recent reports about
vulnerabilities in systems used in power and water utilities.

This proposal seems designed to prod the legislative branch to enact
by the end of the year some variety of cybersecurity legislation,
which has been stalled by concerns about privacy, Internet "kill
switches," and overreaching regulation. One proposal from Sen. Jay
Rockefeller (D-W.V.), for instance, would have explicitly given the
government the power to "order the disconnection" of specific networks
or Web sites.

Details of the new proposal remain hazy--the White House said the
actual text won't be released until this evening--but it seems to veer
in a less regulatory direction than some of its predecessors. A
summary provided by the administration suggests the plan relies more
on mandating disclosures of vulnerabilities, including significant
data breaches, than on top-down regulation of the sort that applies
to, say, the securities industry.

During a conference call with reporters this morning, administration
officials who spoke on background and declined to give their names
characterized their proposal as a way to provide the correct
incentives for businesses.

But, said a Department of Homeland Security official, if "industry
does not come forward" with an "appropriate" standard, the draft
legislation would give the government the power to "pick one, to
create one, to modify one and choose that one. We believe that won't
be necessary."

The scope of the department's regulatory powers is also unclear. While
the legislation would generally track existing definitions of what
businesses are "critical infrastructure" or not, using criteria such
as risk and consequences of an attack, the full extent of the
authority "has not been defined yet," the official said.

Congress has been holding hearings aimed at drafting cybersecurity
legislation for at least two years, and the topic has been discussed
for nearly a decade. In 2002, for instance, the Bush administration
unveiled a cybersecurity plan that was also aimed at influencing
members of Congress as they considered related laws. (See CNET's
comparison of some of the proposals from 2003 and 2009.)

Reports of computer intrusions launched by China that purportedly
targeted companies in the oil and energy industries have accelerated
discussions of what new laws, if any, are necessary. Those intrusions
appear to have been done with the purpose of espionage, not sabotage,
in mind, akin to experiences of its own that Google disclosed early
last year. Meanwhile, the Stuxnet worm illustrated how remote attacks
could be performed.

A fact sheet from the White House says the proposal includes national
data breach reporting to help in "standardizing" the existing state
laws, increased penalties for computer crimes, a focus on "critical
infrastructure cybersecurity plans," and civil liberties protections.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
