The Obama administration has issued a new legislative proposal that contains a number of steps it thinks critical to improving cybersecurity for U.S. citizens, the nation’s critical infrastructure and the Government’s own networks and computers.
The proposed steps for protecting U.S. citizens include clarifying the penalties for computer crimes, synchronizing them with other crimes, and setting mandatory minimums for cyber intrusions into critical infrastructure.
They also include simplifying and standardizing the existing 47 state data breach reporting laws into a national standard; these laws require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information.
When it comes to protecting the nation’s critical infrastructure, the Obama administration would like to see a number of legislative changes. One is a clear statutory framework that allows the Department of Homeland Security to help a private-sector company, state, or local government when that organization asks for its help in the wake of an intrusion. Another is a set of laws making it clear to those same entities that sharing information about new types of computer viruses or other cyber threats or incidents they encounter is fully welcomed by the DHS, and that they will be granted immunity for doing so.
They also propose that the DHS work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators.
A third-party auditor should then assess the operators’ cybersecurity risk mitigation plans, after which the plans should be presented to the Securities and Exchange Commission, which would have the final say on whether they were adequate and could offer the help of the DHS to make them so.
In order to protect the Government’s computers and networks efficiently, the administration wants the Federal Information Security Management Act (FISMA) updated, wants the DHS to have more flexibility when it comes to hiring cybersecurity professionals and to have permanent authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers, and wants companies to be able to build their data centers outside the state in which they are located, if they choose to.
All of this should be achieved while also keeping individuals’ privacy and civil liberties protected.
Privacy and civil liberties procedures must be developed and implemented for the DHS and federal agencies; all monitoring, collection, use, retention, and sharing of information should be limited to what is needed to protect against cybersecurity threats; companies and organizations that want to share information with the DHS must first scrub identifying information from it; and more.