The administration is serious.
In one of the first signs of how seriously the current administration takes cybercrime, on May 12 the White House sent its cybersecurity legislation to Capitol Hill, asking for changes in the law. Specifically, the White House wants the Department of Homeland Security (DHS) to have more authority – and responsibilities – in overseeing both private-sector and government networks. Additionally, the White House asked for a national data-breach law, one that would supersede the current state-by-state laws.
The White House stated that the objective of its proposal is “improving cybersecurity for the American people, our nation’s critical infrastructure, and the federal government’s own networks and computers.”
If Congress approves the proposed legislation – as it is expected to do – it will result in a federal law for reporting data breaches, and new penalties for cybercrime by classifying them as falling under the Racketeering Influenced and Corrupt Organizations Act (RICO). The White House also is asking for a clear statutory framework in order to provide the DHS with more flexibility in working with industry, states and local governments when cybercrimes occur.
What the legislation will mean.
The White House described its proposed legislation this way: “The Administration proposal will enable DHS to quickly help a private-sector company, state, or local government when that organization asks for its help. Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the federal government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.”
The White House has also asked Congress to adopt legislation that “requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators.” This reflects a step toward bringing energy companies and utilities under the guidance of DHS, which would coordinate with the National Institute of Standards and Technology (NIST).
The White House also asked for updates and changes to the Federal Information Security Management Act in order to “formalize DHS’ current role in managing cybersecurity for the Federal government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise.”
The changing landscape of cybersecurity.
The objective of these proposals is to make permanent “DHS’ authority to oversee intrusion prevention systems for all federal executive branch civilian computers.” DHS is testing the Einstein intrusion prevention system, along with ISPs which are also implementing various systems on behalf of DHS.
Cloud computing is also addressed in the proposal, which notes that the federal government has “embraced cloud computing,” and wants a law that prevents states from requiring companies to build their data centers in that state, “except where expressly authorized by federal law.”
The impact of the legislation is that DHS would be responsible for collecting massive amounts of cybersecurity information, with the caveat that “all monitoring, collection, use, retention, and sharing of information are limited to protecting against cybersecurity threats. Information may be used or disclosed for criminal law enforcement, but the Attorney General must first review and approve each such usage.”
Not long after the White House’s cybersecurity proposals reached Congress, the proposal to consider cyberattacks as acts of war which could be responded to by armed forces has been taken up. The combination of DHS responsibility for cybersecurity and the potential authorization of military response to cyberattacks shows the level of concern raised by the administration, reflecting the increasingly vital importance of protecting data and ongoing services.
