The White House today sent Congress a proposed cybersecurity law designed to force companies to do more to fend off cyberattacks, a threat that has been reinforced by recent reports about vulnerabilities in systems used in power and water utilities.
This proposal seems designed to prod the legislative branch to enact by the end of the year some variety of cybersecurity legislation, which has been stalled by concerns about privacy, Internet “kill switches,” and overreaching regulation. One proposal from Sen. Jay Rockefeller (D-W.V.), for instance, would have explicitly given the government the power to “order the disconnection” of specific networks or Web sites.
Details remain hazy — the White House said the actual text won’t be released until this evening — but the proposal seems to veer in a less regulatory direction than some of its predecessors. A summary provided by the administration suggests the plan relies more on mandating disclosures of vulnerabilities, including significant data breaches, than on top-down regulation of the sort that applies to, say, the securities industry.
During a conference call with reporters this morning, administration officials who spoke on background and declined to give their names characterized their proposal as a way to provide the correct incentives for businesses.
But, said a Department of Homeland Security official, if “industry does not come forward” with an “appropriate” standard, the draft legislation would give the government the power to “pick one, to create one, to modify one and choose that one. We believe that won’t be necessary.”
The scope of the department’s regulatory powers is also unclear. While the legislation would generally track existing definitions of what businesses are “critical infrastructure” or not, using criteria such as risk and consequences of an attack, the full extent of the authority “has not been defined yet,” the official said.
Congress has been holding hearings aimed at drafting cybersecurity legislation for at least two years, and the topic has been discussed for nearly a decade. In 2002, for instance, the Bush administration unveiled a cybersecurity plan that was also aimed at influencing members of Congress as they considered related laws. (See CNET’s comparison of some of the proposals from 2003 and 2009.)
Reports of computer intrusions launched by China that purportedly targeted companies in the oil and energy industries have accelerated discussions of what new laws, if any, are necessary. Those intrusions appear to have been done with the purpose of espionage, not sabotage, in mind, akin to experiences of its own that Google disclosed early last year. Meanwhile, the Stuxnet worm illustrated how remote attacks could be performed.
A fact sheet from the White House says the proposal includes national data breach reporting to help in “standardizing” the existing state laws, increased penalties for computer crimes, a focus on “critical infrastructure cybersecurity plans,” and civil liberties protections.