Obama's Cybersecurity Plan Gets Lukewarm Reception

Friday, May 20, 2011



The Obama administration delivered a long-awaited comprehensive cybersecurity strategy to Congress last week, and the document is only being given a lukewarm reception by industry groups.

The proposal is the culmination of over two years of effort by the White House to finish laying the groundwork for the protection of critical infrastructure in the face of increased threats posed by attacks on both public and private sector network systems.

While several information security and regulatory interest groups have lauded the administration for finally producing the much-touted plan of action, the consensus is that the strategy is lacking in depth and breadth.

"Overall, the proposals are disappointing compared with what the president said in his 2009 policy statement... [and] when you look at some sections, it appears to give DHS some broad authorities here that concern us." said Larry Clinton, president of the Internet Security Alliance.

The administration's proposal is seen as long on defining federal authority, but short on providing incentives for the private sector to make the necessary investments in security technology and best practices.

"Ironically, the President himself was far wiser on this issue when he published the 2009 Cyber Space Policy Review, which in fact called for more incentives, including procurement and tax and liability policies. I don't see any of that in the new proposal," Clinton said.

Major challenges in drafting the proposal included how to best prioritize federal security initiatives, defining the government's role in protecting and regulating private sector networks which administer the majority of the nation's critical systems, and protect privacy and civil liberties in the process.

"The administration's 'hands-off' approach to cybersecurity thus far hasn't worked. Without appropriate incentives, industry won't invest sufficiently in good security. At one end might be special tax credits for investing in information security and research, direct funding for research, safe harbors to immunize companies that met certain industry standards from class-action and other lawsuits, and antitrust exemptions for developing collaborative programs," said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.

As outlined by TechNewsWorld, the administration's cybersecurity proposal addresses four key issues:

  • Commercial transactions: The proposal addresses identity theft, including appropriate procedures to notify consumers of data breach events that compromise personal information. The program standardizes what the administration calls a "patchwork" of 47 state laws, and clarifies federal laws and penalties governing computer crimes.
  • Critical infrastructure: The plan attempts to reduce legal barriers that inhibit private industry and state and local governments from seeking federal assistance, such as technical analysis by the Department of Homeland Security (DHS), when suspected intrusions related to power, water, finance, transport and other vital functions occur. The plan requires DHS to closely monitor the implementation of enhanced cybersecurity measures by businesses.
  • Federal government protection: The administration proposes significant improvements to existing measures, including solidifying the central role of the DHS in protecting federal civilian agencies and updating the Federal Information Security Management Act (FISMA). The plan extends protections for Internet Service Providers to the federal government, enhances privacy and civil liberties protections, and bolsters security for data management functions, especially those that will be migrated to cloud platforms.
  • Privacy: The proposal enhances current privacy and civil liberties protections regarding personal information flowing to federal agencies, broadens the role of the U.S. Attorney general in privacy matters, and provides protocols for granting immunity to the private sector and state and local governments for compliance with security standards.

Presenting the proposal to Congress was just the first in may steps the administration has to undertake before an effective cybersecurity policy can be executed.

Sorting through the more than fifty cybersecurity legislative bills currently being considered by Congress, battling budget constraints, political posturing in the run up to the next election, satisfying a myriad of special interests, and then actually implementing new policies and programs will prove to be the real test of the administration's leadership.

"I think they got the part right about working with the private sector to set security goals and to take into account the international dimension of the issue. I think that with a number of areas involving outside audits, certification to the SEC, and residual government authority to rework industry frameworks, there might need to be some further conversations," said Software & Information Industry Association's Mark MacCarthy.

Source:  http://www.technewsworld.com/story/72491.html

Possibly Related Articles:
Security Strategies Internet Security Alliance Cyber Security Headlines Obama Network Security Congress National Security White House
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.