Risk
5/12/2011
04:16 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Releases Cybersecurity Plans

The Obama administration's legislative proposal includes critical infrastructure protection, breach notification, privacy requirements, and overhauls for internal government cybersecurity.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The Obama administration on Thursday announced a broad legislative proposal to overhaul the nation's cybersecurity laws with new provisions to shore up privacy protection, data breach reporting, critical infrastructure protection, and the security of federal government systems.

The new plan touches both public and private systems, requiring certain key critical infrastructure companies to draw up cybersecurity risk mitigation plans on one hand, and updating the Federal Information Security Management Act (FISMA), which regulates internal government cybersecurity, on the other.

The proposal comes at a time when dozens of pieces of cybersecurity legislation are circulating on Capitol Hill, including comprehensive bills that cover just as much ground as the White House plan. Congressional leadership has indicated a desire to push cyber legislation through Congress this year, and several members of Congress have blamed a delay on passage of comprehensive legislation--proposals have been languishing for years--on the White House's lack of a plan.

"We recognize that this is the beginning of a discussion with the Congressional leadership," a senior White House official said Thursday on a background call with reporters. "We look forward to enacting legislation this year."

Even with the White House plan now on the table, there's still much work to be done if Congress truly hopes to get a bill on the president's desk by year's end. The Republican-led House of Representatives and Democrat-controlled Senate remain at arms over several issues, including the balance of power on cybersecurity issues between the military and the Department of Homeland Security, and whether a comprehensive legislative overhaul should be accomplished in pieces or in one massive bill.

DHS, which already has a key role in government cybersecurity, plays a big part in White House plans, as well as in the primary Senate plans, both in critical infrastructure protection and in securing federal government networks. For critical infrastructure, which is increasingly coming under cyber attacks, the bill clarifies the ability of companies to share information with DHS, and allows DHS a broad, though voluntary on the part of the private sector, role in assisting critical infrastructure companies with their cybersecurity needs.

For the most critical infrastructure, which DHS would identify, the department would draw up a set of risks that the industry would need to mitigate, and private enterprise would be responsible for developing cybersecurity plans to address those risks, providing those plans to DHS, getting those plans audited by a third party, and making high-level overviews of the plan available to the public.

The proposal also includes a national data breach reporting standard aimed at "simplifying and standardizing" a patchwork of 47 state data breach reporting laws, and would provide for harsher mandatory minimum punishments for cyber criminals, particularly those responsible for intrusions into critical infrastructure networks.

Civil liberties groups have raised concerns that comprehensive legislation might include some sort of "kill switch" that could enable the President to switch parts of the Internet off at will. However, no such new cybersecurity authority is sought for the President in the White House proposal.

Privacy protection also is built into the plan. DHS would be required to develop privacy and civil liberties procedures that would be overseen and signed off on by the Attorney General, and companies wanting to share information with the government must first make reasonable efforts to remove any identifying information unrelated to cyber threats.

The White House plan also focuses on internal government cybersecurity. For example, it would update FISMA to include provisions on continuous monitoring, and codify DHS' role in managing federal civilian agency cybersecurity. The plan would also make it easier for DHS to hire cybersecurity talent, and permit "expert exchanges" between the government and private companies to share best practices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.