The White House on Thursday is expected to unveil its proposal to enhance the country’s cybersecurity, laying out plans to require industry to better protect systems that run critical infrastructure like the electrical grid, financial systems and nuclear power plants.
The Obama administration also is insisting that companies tell consumers when their personal information has been compromised.
According to cybersecurity experts familiar with the plan, the administration’s proposed legislation also would instruct federal agencies to more closely monitor their computer networks.
Several House and Senate committees have been working on cybersecurity legislation for the past two years, while waiting for the administration to weigh in with its proposal. The process has been difficult, as industry leaders, privacy advocates and security experts wrangled over how to protect the U.S. from cyberattacks without infringing on business practices or civil liberties.
The threat is diverse, ranging from computer hackers going after banking and financial accounts to terrorists or other nations breaching government networks to steal sensitive data or sabotage critical systems like the electrical grid, nuclear plants or Wall Street.
Federal computer networks are being scanned and attacked millions of times a day, and U.S. officials warn that hackers have begun targeting power plants and other critical operations to either bring them down or take them over. A glaring example was the Stuxnet worm that targeted Iran’s nuclear program last year, including the infection of laptops at Iran’s Bushehr nuclear power plant.
“The biggest cyber threat is to critical infrastructure: electric grid, power systems, sewage systems, things like telecommunications or our banking system,” Democratic Rep. James Langevin said. “The government currently only has a limited role in offering assistance to private owners of our critical infrastructure and .com networks. We are also still struggling with how to defend critical systems while protecting our civil liberties and privacy.”
The White House and Congress have been working on legislation to give the government more control over how well key industry operations are protected. President Barack Obama declared cybersecurity a top priority soon after taking office.
Although the Homeland Security Department works with various industries to press for better security and network protections, there are no specific regulations governing what private companies must do to safeguard the systems that run their power plants, secure databases or financial systems.
The White House plan lays out broad goals to protect critical infrastructure, the federal government and the American people from data breaches. It calls for standards for industries to meet as they work to protect their computer systems.
Officials familiar with the White House plan spoke on condition of anonymity because it has not been made public.
The plan also would require companies to tell their customers when their personal information has been compromised. And it would lay out guidelines for federal agencies to monitor and protect their systems, insisting that they have a better understanding of who is on their networks, what they are doing and whether any data is being stolen or manipulated.
Complicating the matter are the government divisions over who is responsible for the various cyber domains. While the military is responsible for securing its own networks, Homeland Security has jurisdiction over other government networks.
Homeland Security and the Pentagon have been working more closely together, linking the military’s Cyber Command, the National Security Agency and Homeland Security so they can better share technical expertise and intelligence on cyber threats.