Little new in Obama cybersecurity proposal

Administration's proposal calls for data breach legislation, stronger DHS role, upgrading FISMA

A set of cybersecurity proposals, submitted to Congress on Thursday by the Obama Administration, contained little that was new or unexpected.

The proposals have been in the making since May 2009, when President Obama announced his intentions to make cybersecurity a national priority as part of his new Comprehensive National Cybersecurity Initiative .

Since then, the administration has created a new White House cybersecurity office and appointed a coordinator to head it. It has put in place a National Cyber Incident Response Plan, which it is in the final stages of being tested.

And the White House has also been engaged in discussions with stakeholders from both the public and the private sector on how to improve cybersecurity at the federal government level and within the private sector.

Thursday's cybersecurity legislative proposal is one outcome of those efforts. But its contents are likely to come as something of a disappointment for those that might have been expecting sweeping new proposals.

The proposal was developed in response to Congress' "call for assistance" on cybersecurity matters, White House cybersecurity coordinator Howard Schmidt said in a blog post today .

The proposals include a long-standing call for a national data breach notification law that would standardize the existing patchwork of state laws companies and government entities have to comply with.

It also calls for laws that would impose stricter penalties on cybercriminals, and would set mandatory minimum prison terms for intrusions into critical infrastructure targets.

In addition, the White House is calling for legislation that would give the Department of Homeland Security (DHS) a much more active role in working with private sector critical-infrastructure operators to identify, prioritize and protect against threats.

"The lack of a clear statutory framework describing DHS's authorities has sometimes slowed the ability of DHS" to help organizations that come seeking its aid on cybersecurity issues, the White House noted.

The new proposals would also clarify "the type of assistance that DHS can provide to the requesting organization," it said.

As expected, the White House proposals call for a strengthening of the Federal Information Security Management Act (FISMA), which all civilian federal agencies are required to comply with. Critics of FISMA have long called for a total revamp of its requirements, saying that the standard, as it exists, now does little to enhance security.

In addition, the proposals require the DHS to oversee the implementation of intrusion-prevention system (IPS) for blocking attacks against government computers. Internet service providers who implement the systems on behalf of the DHS would be provided legal immunity, as needed, to provide the service, the White House noted.

Other proposals include measures for stronger protections of cloud computing, and laws that would prevent states from requiring cloud service providers to build data centers in their state, unless explicitly approved by the federal government.

"This proposal strikes a critical balance between maintaining the government's role and providing industry with the capacity to innovatively tackle threats to national cybersecurity," Schmidt said in his blog post.

Alan Paller, research director at the SANS Institute. said the White House proposal will catalyze congressional action around cybersecurity.

"It is a fundamental and important step," Paller said. "I think the Republicans and the Democrats will go along with it," especially as far as the FISMA recommendations are concerned.

"There are some details in the FISMA upgrade that are central to making the government lead by example," on the cybersecurity front, he said. "I'm sure there are people who are going to think they needed to do a lot more, but I like what I'm seeing in this."

However, Richard Stiennon, an analyst with IT Harvest, said that there's little in the proposals that would move the needle significantly on cybersecurity.

"Congress, for instance, has been working on a data breach law to supersede state laws since 2004," and that task still remains incomplete, he said. Similarly, IPS systems might have been a great idea several years ago, but he said that "threats have moved beyond that in ensuing years."

The increased data sharing between the private and public sector that is called for in the proposals is also nothing new, he said. "That's what US-CERT was set up for. No vision here," he said.

The notion of the DHS getting more actively engaged in helping private sector companies on cyber matters is also a bit troubling, he said. "How often is the federal government involved in fixing potholes in our freeways?" he asked. "Their job is to protect government."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is .

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags governmentsecuritydata securitydata protectionGovernment use of ITCybercrime and HackingIT in Government

More about ACTCERT AustraliaIPSSANS InstituteTopic

Show Comments