The White House on Thursday unveiled a cyber-security proposal that it hopes Congress will use as a framework for legislation.
Among other things, the plan includes national data breach reporting, increased penalties for computer crimes, rules that would allow the private sector to commiserate with the Department of Homeland Security on cyber-security issues, and cyber-security audits for critical infrastructure providers.
"Our Nation is at risk. The cybersecurity vulnerabilities in our government and critical infrastructure are a risk to national security, public safety, and economic prosperity," the White House said in a statement. "The Administration has responded to Congress' call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue."
The proposal comes at the request of Senate Majority Leader Harry Reid and six Senate committee chairs, who asked President Obama for his input on cyber-security legislation. Two years ago, Obama designated cyber security as a national security priority.
The plan has four components: protecting American citizens; protecting critical infrastructure; protecting the federal government's computer systems; and protecting civil liberties.
First up, the White House recommends national data reporting instead of a patchwork of state laws. At this point, 47 states have laws that require companies to inform consumers if a hacker has gained access to their personal information; like Sony or Epsilon, for example. The White House proposal would have all companies in all states adhere to one law in the interest of simplicity.
Second, the plan sets mandatory minimum sentences for cyber intrusions into critical infrastructure. All too often, penalties for computer crimes are not synched up with other criminal statutes.
"For example, a key tool for fighting organized crime is the Racketeering Influenced and Corrupt Organizations Act (RICO). Yet RICO does not apply to cyber crimes, despite the fact that cyber crime has become a big business for organized crime," the White House said.
The administration also tackled information sharing between the public and private sector. Sometimes, companies that have been hacked will ask DHS for its assistance, but there are no clear rules that establish DHS's authority in these matters. The proposal would allow DHS to step in quickly and assist, while clarifying what type of help it can provide.
Similarly, the plan would allow businesses or local governments to share information with the federal government about computer viruses or other cyber threats they have uncovered.
"To fully address these entities' concerns, it provides them with immunity when sharing cybersecurity information with DHS," the White House said. "At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties."
The White House plan mentions critical infrastructure quite a bit, but what does that actually mean? Under the proposal, DHS would work with industry players to identify core critical-infrastructure operators, who would get top priority and protection in the event of a cyber attack. In turn, they would have to develop cyber-security plans, which would be evaluated by an outside auditor. If their plans are insufficient, DHS can step in with its own suggestions.
Meanwhile, the plan would formally designate DHS as the agency heading up cyber-security issues for the feds. It would also streamline the process by which Internet service providers obtain immunity for blocking attacks against government computers.
On the privacy front, the White House plan calls on DHS to work with privacy and civil liberties groups to make sure rights are being respected.
"Taken together, these requirements create a new framework of privacy and civil liberties protection designed expressly to address the challenges of cybersecurity," the White House said.