With the intense media scrutiny on cybersecurity failings in the private sector, one could easily forget that the issue goes far beyond consumers and their personally identifying information. Early this month, the Obama Administration released a comprehensive Cybersecurity Legislative Proposal focused on improving cybersecurity in three key areas: (1) consumer protection; (2) the Nation’s critical infrastructure; and (3) the Federal Government’s networks and computers. The proposal also focuses in a significant manner on protection of individual privacy under any new legislation. The central goal is to strike “a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity.” (The White House Blog, May 12, 2011.)
Protecting the American People
- National Data Breach Reporting. The patchwork of 47 state laws regarding protection of consumers against identity theft has caused confusion and consternation among businesses that must comply with them. The Administration proposes national data breach legislation that will simplify and standardize the rules businesses must follow to notify consumers in the event of a data breach.
- Computer Criminal Penalties. Legislation will clarify the penalties for computer crimes, synchronize them with those for other crimes, and set mandatory minimums for cyber intrusions into critical infrastructure. The Administration would seek to amend the Computer Fraud and Abuse Act (CFAA) to include a minimum penalty for cyberattacks and to add CFAA-listed cyberoffenses to the predicate offenses under the Racketeer Influenced and Corrupt Organizations Act (RICO).
Protecting the Nation’s Critical Infrastructure
- Voluntary Government Assistance to Industry, States, and Local Government. The Department of Homeland Security (DHS) does not have clear authority to assist organizations that suffer cyber intrusions. The Administration proposes legislation that will enable DHS to quickly help a private-sector company, state, or local government upon request, and will clarify the type of assistance that DHS can provide.
- Voluntary Information Sharing with Industry, States, and Local Government. While entities often identify new types of computer viruses, or other cyber threats or incidents, they are unsure of whether such information should be shared with the Federal Government (because of consumer privacy concerns, or otherwise). The Administration proposes legislation that permits entities to share such information with DHS, provides such entities with immunity when sharing such information, and mandates “robust privacy oversight” to ensure that the shared information does not intrude on individual privacy/civil liberties.
- Critical Infrastructure Cybersecurity Plans. The Administration proposes that DHS work with industry to formulate cybersecurity policies for “covered critical infrastructures” or digital entities with significance to national security, national economic security, and national public health and security. With private entities, the DHS would have to consult with appropriate private sector representatives to determine the best practices for mitigating cybersecurity vulnerabilities.
Protecting Federal Government Computers and Networks
The Administration’s proposed legislation focuses on four areas: (1) updating the Federal Information Security Management Act (FISMA) and formalizing DHS’s current role in the central management of cybersecurity for the Government’s computers and networks; (2) recruiting and retaining highly qualified cybersecurity professionals, and permitting government and private industry to exchange such experts; (3) giving DHS continued authority to oversee intrusion prevention systems for Federal Executive Branch civilian computers, to work with Internet Service Providers, and to block attacks against government computers; and (4) forbidding states from adopting protectionist measures that require data centers to be built only within the state.
New Framework to Protect Individuals’ Privacy and Civil Liberties
The Administration proposal also seeks to head off concerns that the proposed legislation would infringe on individuals’ privacy and civil liberties. It proposes “privacy and civil liberties procedures” that would be developed by experts and with which all federal agencies would be required to comply. It would limit the use of information gathered under this legislation to protecting against cybersecurity threats, and would require removal of personally identifying information where possible. The legislation’s “teeth” would be that the safe harbor of immunity would be conditioned on compliance with the privacy and civil liberties procedures.
Section by Section Analysis
The Administration also provided a detailed section-by-section analysis and proposals, which can be summarized as follows:
- Law Enforcement: (a) Amend the Computer Fraud and Abuse Act (CFAA) to include a minimum penalty for cyberattacks; (b) Amend the Racketeer Influenced and Corrupt Organizations Act (RICO) to include CFAA-listed cyberattack offenses.
- Data Breach Notification: (a) The FTC must create regulations on customer notification requirements for breaches of sensitive personally identifiable information (SPII); (b) Businesses must notify DHS of an SPII breach affecting 5,000 or more individuals, or any breach of a database owned by the Federal Government.
- Department of Homeland Security Cybersecurity Authority and Information Sharing: (a) DHS is in charge of cybersecurity and response activities; DHS must assist in national efforts to mitigate digital infrastructure vulnerabilities.
- Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act: (a) Enhance the cybersecurity of infrastructure critical to national security, national economic security, and national public health and safety; (b) Consult with private entities on best practices; (c) DHS may designate entities as covered critical infrastructure; (d) DHS must identify security risks that must be mitigated; (e) DHS must develop frameworks for addressing cybersecurity risks; (f) DHS must consult with appropriate private sector representatives when determining the extent of security-enhancing frameworks; (g) DHS must establish a process for evaluating covered critical infrastructure; (h) Data breach notification.
- Amendments to the Federal Information Security Management Act of 2002: (a) DHS must establish cybersecurity policies for government agency information