The White House Thursday is announcing a cybersecurity
legislative package that will require critical infrastructure companies to work
with the Department of Homeland Security to come up with a cybersecurity
framework and would require them to report breaches to the government and the
Senior government officials Thursday assured reporters the
regime would be a public-private partnership and the legislative package would
be the beginning of a dialog on the measures.
While they did not identify who would qualify as a critical
infrastructure, cable and other ISPs are almost certainly going to be in
The administration has already taken steps to boost
cybersecurity, said a senior White House official speaking on background, but
added that the nation cannot fully defend itself from cyber attacks unless
"certain laws are updated."
According to a Justice Department official, the reporting
requirement will apply to "certain data breaches under certain
circumstances." He said that the point was to standardize a patchwork of
state reporting requirements that companies are already subject to.
A Commerce Department official indicated that the reporting
requirements to the public will need to be easy to understand so they will be able
to take appropriate action.
While industry players will be encouraged to work together
with DHS on a framework, an official there said it has the backstop authority
to enforce it, and will work such protections into government contract language
as an incentive. Executives will need to sign off on the plans, and
provide regular reports to government and the public on how they are
Industry will be expected to share network information with
the government so they can work together to prevent breaches, and there were
assurances that the privacy of such information would be protected via a number
of layers of oversight, including review by outside civil liberties experts and a
sign-off by the attorney general.
Asked by one reporter why industry was getting input and
some control over the framework, rather than a top-down regulatory structure, a
senior White House official said it dovetailed with the President's directive
to gauge new regs by their impact on innovation and the economy. "We
are trying to create an institutional culture of cybersecurity rather
than a slow-moving regulatory structure," added a Commerce official.
"We don't believe government has all the answers,"
said a Homeland Security official, or that it should implement a
"thou shalt do x, y and z" regime. "This is to enable
industry to figure out the best way to protect itself."
There is similar cybersecurity legislation being teed up in the
Senate, and Senator Jay Rockefeller (D-W. Va.), who has been a leader on the
issue, said he hoped to get a bill passed this year.
"The White House has presented a strong plan to better
protect our nation from the growing cyber threat," he said in a statement.
"Their plan incorporates many of the same elements of the bill we
introduced last year. It establishes clear roles, responsibilities and
accountability for cybersecurity in government and the private sector.
Protecting our networks is a shared responsibility, and like our bill, the
Administration's plan proposes close collaboration between the government and
private sector. I am also pleased their proposal includes new protections for
Americans in the event of a data breach."
Commerce Committee member Olympia Snowe (R-Me.), who
has worked with Rockefeller on cybersecurity legislation, suggested the
White House was a little late to the party. "While the Administration's delay
in providing critical input to the legislative process is regrettable, it is my
understanding that the administration proposal parallels many of the
objectives, particularly pertaining to modernizing the public-private
partnership, that Senator Rockefeller and I have advocated," she said...
"I look forward to working with my colleagues in the Senate, House and the
Administration to swiftly pass comprehensive cybersecurity legislation as
further delay compromises our ability to better protect Americans against cyber
intrusions and attacks that target our financial, commercial, transportation
and communications sectors."