The White House this month released a legislative package that Obama Administration officials said focuses on their “three remaining [cybersecurity] priorities” that can only move forward with congressional approval. The package was sent to Capitol Hill with the recent cyber attack against Sony Entertainment still on the minds of many lawmakers – which could give cybersecurity legislation a new sense of urgency in Congress.
Obama’s three-part proposal would encourage the private sector to share cyber-threat information with government offices and other stakeholders, set national standards requiring companies to notify consumers when their personal information is compromised, and strengthen law enforcement’s ability to investigate and prosecute cyber crimes. Details of the three bills are available in these letters the administration transmitted to congressional leaders on January 13.
While members of Congress will now decide whether, and to what extent, to follow President Obama’s cyber policy recommendations, Sen. Bill Nelson (D-Fla.) has already announced plans to introduce a bill based on the White House’s data protection proposal. The draft bill and the White House plan would each require businesses to promptly notify consumers in the event of data breaches that expose sensitive information (such as home addresses, telephone numbers, birthdates, and electronic user names or account numbers) to hackers. The current drafts do not appear to apply to public or governmental entities (such as public water systems) that may hold such consumer data, but that could change if Congress takes up the proposal.
The President’s most far-reaching proposal would reshape how the government engages with the private sector on cyber-threat information sharing. The plan would encourage private sector and non-federal governmental entities to voluntarily share certain computer data across sectors and with the National Cybersecurity and Communications Integration Center (NCCIC) at DHS. Participating stakeholders would receive liability protection against state and federal lawsuits related to cyber threat information they share with the government or other stakeholders pursuant to the act.
One component of the plan would establish “Information Sharing and Analysis Organizations” – separate from existing Information Sharing and Analysis Centers that serve critical infrastructure sectors – to facilitate the trading of cyber threat information among the government and private sector. Federal officials have said the new ISAOs could organize in a multitude of ways (such as along regional lines or through common business interests) and not be tied to a particular sector like the ISACs.
The chairman and ranking members of the respective House and Senate homeland security committees reacted to the White House proposal somewhat cautiously, pledging to continue work on boosting cyber protections but stopping short of endorsing any particular administration proposal.