Obama Administration officials used a Senate committee hearing last month to promote the White House’s new cybersecurity policy proposal, but faced criticism that the plan could put some sensitive data at risk.
Testifying at a hearing of the Senate Homeland Security and Governmental Affairs Committee, DHS Deputy Under Secretary of National Protection and Programs Directorate Philip Reitinger said the Administration’s proposal addresses gaps in current law by clarifying that private organizations and local governments that suffer cyber attacks may voluntarily accept assistance from the federal government. The White House proposal would also facilitate the voluntary sharing of cyber threat information with the federal government and establish a structure through which DHS would work with critical infrastructure entities “to propose standardized risk mitigation frameworks.” Individual critical infrastructure operators covered by the law would devise a cyber plan that meets the applicable framework, and third-party entities would evaluate individual plans.
Previously, the leaders of the Senate Homeland Security and Governmental Affairs Committee had introduced their own cybersecurity bill (S. 413) that takes a similar approach, but with some key differences. S. 413 would create a White House Cybersecurity Office with a Senate-confirmed leader who would serve as a liaison between DHS and infrastructure sector representatives. The White House proposal lacks such an official. The Administration’s plan does not specifically define which critical infrastructure would be subject to the new cyber rules, but S. 413 would limit applicability to critical infrastructure assets that are included on the DHS “prioritized critical infrastructure list” – a classified list of critical infrastructure whose failure would “cause national or regional catastrophic effects.” Additionally, the Senate bill makes clear that the government would not have the power to force an infrastructure operator to implement any specific cybersecurity measure – an issue that is not explicitly addressed in the White House plan.
Despite the differences, Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-Conn.) welcomed the Administration’s plan, noting his belief that a cybersecurity bill is “the most important piece of legislation” on the committee’s agenda this year. But Susan Collins, the Committee’s Ranking Republican, voiced caution over sections of the White House proposal that call for the publication of audits reviewing how well private entities protect critical infrastructure from cyber attacks. Collins warned that publishing such information could aid criminals.
Testimony from the committee’s hearing is available at http://tinyurl.com/3lvvozm. The Obama Administration’s cybersecurity proposal is online at http://tinyurl.com/3s3eq5n.