“This is a very important issue and the reason we’re doing it is because ... cyber-crime, online identity theft and theft of intellectual property have been significant challenges for national security, public safety and economic prosperity,” said a senior administration official from the White House during a conference call with the press. He noted that cyber-crime has increased dramatically over the last decade and as a result President Barack Obama has called cyber-security one of the most serious economic and national security challenges.
The proposed legislation is broken down into three main sections:
First, protecting citizens: The legislation would require national data breach reporting. Currently 47 states have laws that require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information — this bill would set a national standard for the reporting. It also clarifies penalties for computer criminals by setting mandatory minimums for cyber-intrusions into critical infrastructure.
Second, protecting critical infrastructure: The proposal clarifies the type of assistance that the U.S. Department of Homeland Security (DHS) can provide to state or local governments or private-sector companies following a cyber-intrusion. The legislation would also require the DHS “to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators,” according to a fact sheet.
Under the proposal, breaches against the most crucial critical infrastructure would be reported to the DHS to aid better situational awareness, said a DHS senior administration official during the call. The official added later that the framework would not apply “broadly to any critical infrastructure entity, but to the most critical of critical infrastructure.” Criteria will be identified in the legislation as to what constitutes the most critical of critical infrastructure, based on aspects like risk and consequences from attack. The DHS official also said the department’s secretary “would through a regulation process develop a set of additional criteria with strong input from the private sector to identify who actually fell within that regime.”
Third, protecting federal government computers and networks: Under the legislation, the DHS will be responsible for managing the Federal Information Security Management Act. The DHS will also be given more flexibility when hiring cyber-security personnel. In 2010, DHS Secretary Janet Napolitano set the goal of hiring 1,000 employees with cyber-security skills. However, as of March 2011, only about 200 people had been hired and there were plans to hire 100 more this year, the Federal Times reported. The DHS official said this bill will “do a better job of competing with private sector for getting these key people.”
Also included in the proposed legislation — and important for state government to note — is the federal government’s promotion of cloud computing. A Department of Commerce senior administration official called cloud services “more efficient and secure.” And the legislation states, “This new industry should not be crippled by protectionist measures, so the proposal prevents states from requiring companies to build their data centers in that state, except where expressly authorized by federal law.”
The proposed bill will be sent to Capitol Hill, and numerous media outlets said the White House is hoping for action by Congress on it this year.
“The cyber-threat is real and growing and we really must address the cyber-vulnerabilities and -security concerns we have today,” said a senior administration official from the Defense Department.