Risk
5/12/2011
04:16 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Releases Cybersecurity Plans

The Obama administration's legislative proposal includes critical infrastructure protection, breach notification, privacy requirements, and overhauls for internal government cybersecurity.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The Obama administration on Thursday announced a broad legislative proposal to overhaul the nation's cybersecurity laws with new provisions to shore up privacy protection, data breach reporting, critical infrastructure protection, and the security of federal government systems.

The new plan touches both public and private systems, requiring certain key critical infrastructure companies to draw up cybersecurity risk mitigation plans on one hand, and updating the Federal Information Security Management Act (FISMA), which regulates internal government cybersecurity, on the other.

The proposal comes at a time when dozens of pieces of cybersecurity legislation are circulating on Capitol Hill, including comprehensive bills that cover just as much ground as the White House plan. Congressional leadership has indicated a desire to push cyber legislation through Congress this year, and several members of Congress have blamed a delay on passage of comprehensive legislation--proposals have been languishing for years--on the White House's lack of a plan.

"We recognize that this is the beginning of a discussion with the Congressional leadership," a senior White House official said Thursday on a background call with reporters. "We look forward to enacting legislation this year."

Even with the White House plan now on the table, there's still much work to be done if Congress truly hopes to get a bill on the president's desk by year's end. The Republican-led House of Representatives and Democrat-controlled Senate remain at arms over several issues, including the balance of power on cybersecurity issues between the military and the Department of Homeland Security, and whether a comprehensive legislative overhaul should be accomplished in pieces or in one massive bill.

DHS, which already has a key role in government cybersecurity, plays a big part in White House plans, as well as in the primary Senate plans, both in critical infrastructure protection and in securing federal government networks. For critical infrastructure, which is increasingly coming under cyber attacks, the bill clarifies the ability of companies to share information with DHS, and allows DHS a broad, though voluntary on the part of the private sector, role in assisting critical infrastructure companies with their cybersecurity needs.

For the most critical infrastructure, which DHS would identify, the department would draw up a set of risks that the industry would need to mitigate, and private enterprise would be responsible for developing cybersecurity plans to address those risks, providing those plans to DHS, getting those plans audited by a third party, and making high-level overviews of the plan available to the public.

The proposal also includes a national data breach reporting standard aimed at "simplifying and standardizing" a patchwork of 47 state data breach reporting laws, and would provide for harsher mandatory minimum punishments for cyber criminals, particularly those responsible for intrusions into critical infrastructure networks.

Civil liberties groups have raised concerns that comprehensive legislation might include some sort of "kill switch" that could enable the President to switch parts of the Internet off at will. However, no such new cybersecurity authority is sought for the President in the White House proposal.

Privacy protection also is built into the plan. DHS would be required to develop privacy and civil liberties procedures that would be overseen and signed off on by the Attorney General, and companies wanting to share information with the government must first make reasonable efforts to remove any identifying information unrelated to cyber threats.

The White House plan also focuses on internal government cybersecurity. For example, it would update FISMA to include provisions on continuous monitoring, and codify DHS' role in managing federal civilian agency cybersecurity. The plan would also make it easier for DHS to hire cybersecurity talent, and permit "expert exchanges" between the government and private companies to share best practices.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.