May 17, 2011
White House reveals refurbished cybersecurity plan
By Lolita C. Baldor, Associated Press
WASHINGTON (AP), May 13 - Companies that run critical U.S. industries such as power plants would get government incentives to make sure their systems are secure from computer-based attacks, the White House said, detailing its broad proposal to strengthen U.S. cybersecurity.
The approach is similar to congressional legislation already in the works, but some criticized it Thursday as being too weak, while the business community said it preferred a voluntary program rather than government mandates.
Under its proposed legislation, the White House said Thursday it would give the Department of Homeland Security the authority to work with industry to come up with ways to secure computer systems and protect against cyber threats. If a company should fail to do so, or should come up with an inadequate plan, Homeland Security would be able to develop its own security framework for that firm.
The proposal reflects the broad understanding that any more stringent regulatory system, such as the one that controls safety at nuclear power plants, would get little support, and business groups have been lobbying strongly for as much of a voluntary program as possible.
The government should encourage the private sector to adopt security standards voluntarily and "avoid a one-size-fits-all, mandated approach to cybersecurity," said Phil Bond, president of TechAmerica, which represents about 1,200 companies.
Other critics say the White House approach has few teeth.
"The administration's proposal shows no sense of urgency," said Stewart Baker, a former senior Homeland Security official. "It tells even critical industries on which our lives and society depend that they will have years before anyone from government begins to evaluate their security measures."
Under the administration's proposal, an independent group would evaluate the security plans. The DHS could use that evaluation as it makes purchasing decisions, thus potentially rewarding companies who take strong measures to secure their networks from intrusions.
The threat is diverse, ranging from computer hackers going after banking and financial accounts to terrorists or other nations breaching government networks to steal sensitive data or sabotage critical systems like the electricity grid, nuclear plants or Wall Street.
Federal computer networks are being scanned and attacked millions of times a day, and U.S. officials warn that hackers have begun targeting power plants and other critical operations to either bring them down or take them over. A glaring example was the Stuxnet worm that targeted Iran's nuclear program last year, including the infection of laptops at Iran's Bushehr nuclear power plant.
Several committees in the House of Representatives and the Senate have been working on cybersecurity legislation for the past two years, while waiting for the administration to weigh in with its proposal. The process has been difficult, as industry leaders, privacy advocates and security experts wrangled over how to protect the U.S. from cyberattacks without infringing on business practices or civil liberties.
Crucial lawmakers involved in drafting Senate and House versions of the cybersecurity bill praised the White House plan, while noting that Congress and the White House are sharply divided over at least one issue. House and Senate lawmakers want the White House cyber coordinator to be subject to Senate confirmation. The White House has opposed that idea.
The White House proposal also requires companies to tell their customers when their personal information has been compromised. And it lays out guidelines for federal agencies to continuously monitor and protect their systems, insisting that they have a better understanding of who is on their networks, what they are doing and whether any data is being stolen or manipulated.
Democratic Sen. Jay Rockefeller, in a related move on Thursday, pushed the Securities and Exchange Commission to clarify that companies should disclose information about cybersecurity lapses. In a letter to the SEC, he said a 2009 survey suggested that nearly 40 percent of Fortune 500 companies do not reveal privacy or data breaches.
Such information, he said in the letter signed by four other Democratic senators, would be valuable for investors, analysts and credit rating agencies.
Rockefeller, who is chairman of the Senate Commerce Committee, is working with his panel and leaders of the Homeland Security and Governmental Affairs Committee, to finish draft cybersecurity legislation. The effort is being coordinated by Sen. Harry Reid, leader of the chamber's Democratic majority.
The administration plan also lays out guidelines for federal agencies to monitor and protect their systems continuously, insisting that they have a better understanding of who is on their networks, what they are doing and whether any data is being stolen or manipulated.
Officials said Thursday that the proposal calls for strong protections for individuals' privacy and civil liberties. And it also sets out expanded criminal penalties for cyber crimes.