Risk

5/12/2011
04:16 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Releases Cybersecurity Plans

The Obama administration's legislative proposal includes critical infrastructure protection, breach notification, privacy requirements, and overhauls for internal government cybersecurity.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The Obama administration on Thursday announced a broad legislative proposal to overhaul the nation's cybersecurity laws with new provisions to shore up privacy protection, data breach reporting, critical infrastructure protection, and the security of federal government systems.

The new plan touches both public and private systems, requiring certain key critical infrastructure companies to draw up cybersecurity risk mitigation plans on one hand, and updating the Federal Information Security Management Act (FISMA), which regulates internal government cybersecurity, on the other.

The proposal comes at a time when dozens of pieces of cybersecurity legislation are circulating on Capitol Hill, including comprehensive bills that cover just as much ground as the White House plan. Congressional leadership has indicated a desire to push cyber legislation through Congress this year, and several members of Congress have blamed a delay on passage of comprehensive legislation--proposals have been languishing for years--on the White House's lack of a plan.

"We recognize that this is the beginning of a discussion with the Congressional leadership," a senior White House official said Thursday on a background call with reporters. "We look forward to enacting legislation this year."

Even with the White House plan now on the table, there's still much work to be done if Congress truly hopes to get a bill on the president's desk by year's end. The Republican-led House of Representatives and Democrat-controlled Senate remain at arms over several issues, including the balance of power on cybersecurity issues between the military and the Department of Homeland Security, and whether a comprehensive legislative overhaul should be accomplished in pieces or in one massive bill.

DHS, which already has a key role in government cybersecurity, plays a big part in White House plans, as well as in the primary Senate plans, both in critical infrastructure protection and in securing federal government networks. For critical infrastructure, which is increasingly coming under cyber attacks, the bill clarifies the ability of companies to share information with DHS, and allows DHS a broad, though voluntary on the part of the private sector, role in assisting critical infrastructure companies with their cybersecurity needs.

For the most critical infrastructure, which DHS would identify, the department would draw up a set of risks that the industry would need to mitigate, and private enterprise would be responsible for developing cybersecurity plans to address those risks, providing those plans to DHS, getting those plans audited by a third party, and making high-level overviews of the plan available to the public.

The proposal also includes a national data breach reporting standard aimed at "simplifying and standardizing" a patchwork of 47 state data breach reporting laws, and would provide for harsher mandatory minimum punishments for cyber criminals, particularly those responsible for intrusions into critical infrastructure networks.

Civil liberties groups have raised concerns that comprehensive legislation might include some sort of "kill switch" that could enable the President to switch parts of the Internet off at will. However, no such new cybersecurity authority is sought for the President in the White House proposal.

Privacy protection also is built into the plan. DHS would be required to develop privacy and civil liberties procedures that would be overseen and signed off on by the Attorney General, and companies wanting to share information with the government must first make reasonable efforts to remove any identifying information unrelated to cyber threats.

The White House plan also focuses on internal government cybersecurity. For example, it would update FISMA to include provisions on continuous monitoring, and codify DHS' role in managing federal civilian agency cybersecurity. The plan would also make it easier for DHS to hire cybersecurity talent, and permit "expert exchanges" between the government and private companies to share best practices.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11487
PUBLISHED: 2018-05-26
PHPMyWind 5.5 has XSS via the cid parameter to newsshow.php, or the query string to news.php or about.php.
CVE-2018-11471
PUBLISHED: 2018-05-25
Cockpit 0.5.5 has XSS via a collection, form, or region.
CVE-2018-11472
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has Reflected XSS during Login (i.e., the login parameter to admin/index.php).
CVE-2018-11473
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has XSS in the registration Form (i.e., the login parameter to users/registration).
CVE-2018-11474
PUBLISHED: 2018-05-25
Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser.