Risk
5/12/2011
04:16 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Releases Cybersecurity Plans

The Obama administration's legislative proposal includes critical infrastructure protection, breach notification, privacy requirements, and overhauls for internal government cybersecurity.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The Obama administration on Thursday announced a broad legislative proposal to overhaul the nation's cybersecurity laws with new provisions to shore up privacy protection, data breach reporting, critical infrastructure protection, and the security of federal government systems.

The new plan touches both public and private systems, requiring certain key critical infrastructure companies to draw up cybersecurity risk mitigation plans on one hand, and updating the Federal Information Security Management Act (FISMA), which regulates internal government cybersecurity, on the other.

The proposal comes at a time when dozens of pieces of cybersecurity legislation are circulating on Capitol Hill, including comprehensive bills that cover just as much ground as the White House plan. Congressional leadership has indicated a desire to push cyber legislation through Congress this year, and several members of Congress have blamed a delay on passage of comprehensive legislation--proposals have been languishing for years--on the White House's lack of a plan.

"We recognize that this is the beginning of a discussion with the Congressional leadership," a senior White House official said Thursday on a background call with reporters. "We look forward to enacting legislation this year."

Even with the White House plan now on the table, there's still much work to be done if Congress truly hopes to get a bill on the president's desk by year's end. The Republican-led House of Representatives and Democrat-controlled Senate remain at arms over several issues, including the balance of power on cybersecurity issues between the military and the Department of Homeland Security, and whether a comprehensive legislative overhaul should be accomplished in pieces or in one massive bill.

DHS, which already has a key role in government cybersecurity, plays a big part in White House plans, as well as in the primary Senate plans, both in critical infrastructure protection and in securing federal government networks. For critical infrastructure, which is increasingly coming under cyber attacks, the bill clarifies the ability of companies to share information with DHS, and allows DHS a broad, though voluntary on the part of the private sector, role in assisting critical infrastructure companies with their cybersecurity needs.

For the most critical infrastructure, which DHS would identify, the department would draw up a set of risks that the industry would need to mitigate, and private enterprise would be responsible for developing cybersecurity plans to address those risks, providing those plans to DHS, getting those plans audited by a third party, and making high-level overviews of the plan available to the public.

The proposal also includes a national data breach reporting standard aimed at "simplifying and standardizing" a patchwork of 47 state data breach reporting laws, and would provide for harsher mandatory minimum punishments for cyber criminals, particularly those responsible for intrusions into critical infrastructure networks.

Civil liberties groups have raised concerns that comprehensive legislation might include some sort of "kill switch" that could enable the President to switch parts of the Internet off at will. However, no such new cybersecurity authority is sought for the President in the White House proposal.

Privacy protection also is built into the plan. DHS would be required to develop privacy and civil liberties procedures that would be overseen and signed off on by the Attorney General, and companies wanting to share information with the government must first make reasonable efforts to remove any identifying information unrelated to cyber threats.

The White House plan also focuses on internal government cybersecurity. For example, it would update FISMA to include provisions on continuous monitoring, and codify DHS' role in managing federal civilian agency cybersecurity. The plan would also make it easier for DHS to hire cybersecurity talent, and permit "expert exchanges" between the government and private companies to share best practices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3216
Published: 2015-07-07
Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establi...

CVE-2014-3653
Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.

CVE-2014-5406
Published: 2015-07-06
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, ...

CVE-2014-9737
Published: 2015-07-06
Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block.

CVE-2014-9738
Published: 2015-07-06
Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report