Little new in Obama cybersecurity proposal

Administration's proposal calls for data breach legislation, stronger DHS role, upgrading FISMA

A set of cybersecurity proposals, submitted to Congress on Thursday by the Obama administration, contained little that was new or unexpected.

The proposals have been in the making since May 2009, when President Obama announced his intentions to make cybersecurity a national priority as part of his new Comprehensive National Cybersecurity Initiative.

Since then, the administration has created a new White House cybersecurity office and appointed a coordinator to head it. It has put in place a National Cyber Incident Response Plan, which is in the final stages of being tested.

And the White House has also been engaged in discussions with stakeholders from both the public and private sectors on how to improve cybersecurity at the federal government level and within the private sector.

Thursday's cybersecurity legislative proposal is one outcome of those efforts. But its contents are likely to come as something of a disappointment for those who might have been expecting sweeping new proposals.

The proposal was developed in response to Congress' "call for assistance" on cybersecurity matters, White House cybersecurity coordinator Howard Schmidt said in a blog post today.

The proposals include a long-standing call for a national data breach notification law that would standardize the existing patchwork of state laws companies and government entities have to comply with.

It also calls for laws that would impose stricter penalties on cybercriminals, and would set mandatory minimum prison terms for intrusions into critical infrastructure targets.

In addition, the White House is calling for legislation that would give the Department of Homeland Security a much more active role in working with private sector critical-infrastructure operators to identify, prioritize and protect against threats.

"The lack of a clear statutory framework describing DHS's authorities has sometimes slowed the ability of DHS" to help organizations that come seeking its aid on cybersecurity issues, the White House noted.

The new proposals would also clarify "the type of assistance that DHS can provide to the requesting organization," it said.

As expected, the White House proposals call for a strengthening of the Federal Information Security Management Act (FISMA), which all civilian federal agencies are required to comply with. Critics of FISMA have long called for a total revamp of its requirements, saying that the standard, as it exists, now does little to enhance security.

In addition, the proposals require the DHS to oversee the implementation of intrusion prevention system (IPS) for blocking attacks against government computers. Internet service providers that implement the systems on behalf of the DHS would be provided legal immunity, as needed, to provide the service, the White House noted.

Other proposals include measures for stronger protections for cloud computing, and laws that would prevent states from requiring cloud service providers to build data centers in their state, unless explicitly approved by the federal government.

"This proposal strikes a critical balance between maintaining the government's role and providing industry with the capacity to innovatively tackle threats to national cybersecurity," Schmidt said in his blog post.

Alan Paller, research director at the SANS Institute, said the White House proposal will catalyze congressional action around cybersecurity.

"It is a fundamental and important step," Paller said. "I think the Republicans and the Democrats will go along with it," especially as far as the FISMA recommendations are concerned.

"There are some details in the FISMA upgrade that are central to making the government lead by example" on the cybersecurity front, he said. "I'm sure there are people who are going to think they needed to do a lot more, but I like what I'm seeing in this."

However, Richard Stiennon, an analyst at IT Harvest, said that there's little in the proposals that would move the needle significantly on cybersecurity.

"Congress, for instance, has been working on a data breach law to supersede state laws since 2004," and that task still remains incomplete, he said. Similarly, IPS systems might have been a great idea several years ago, but he said that "threats have moved beyond that in ensuing years."

The increased data sharing between the private and public sectors that is called for in the proposals is also nothing new, Stiennon said. "That's what US-CERT was set up for. No vision here," he said.

The notion of the DHS getting more actively engaged in helping private sector companies on cyber matters is also a bit troubling, Stiennon said. "How often is the federal government involved in fixing potholes in our freeways?" he asked. "Their job is to protect government."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at  @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies