White House Promotes Public-Private Partnerships for Cybersecurity

May 13, 2011 in News

See also:

Project 12 and the Public-Private Cybersecurity Complex
(U//FOUO) DHS Project 12 Report: Critical Infrastructure Public-Private Partnerships

U.S. Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC) located just outside Washington in Arlington, Virginia September 24, 2010. U.S. national security planners are proposing that the 21st century's critical infrastructure -- power grids, communications, water utilities, financial networks -- be similarly shielded from cyber marauders and other foes. The ramparts would be virtual, their perimeters policed by the Pentagon and backed by digital weapons capable of circling the globe in milliseconds to knock out targets. REUTERS/Hyungwon Kang

Cybersecurity Legislative Proposal Fact Sheet (WhiteHouse.gov):

Our safety and way of life depend upon our critical infrastructure as well as the strength of our economy. The Administration is already working to protect critical infrastructure from cyber threats, but we believe that the following legislative changes are necessary to fully protect this infrastructure:

Voluntary Government Assistance to Industry, States, and Local Government. Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses. For example, organizations sometimes ask DHS to help review their computer logs to see when a hacker broke in. However, the lack of a clear statutory framework describing DHS’s authorities has sometimes slowed the ability of DHS to help the requesting organization. The Administration proposal will enable DHS to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Voluntary Information Sharing with Industry, States, and Local Government. Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Critical Infrastructure Cybersecurity Plans. The Nation’s critical infrastructure, such as the electricity grid and financial sector, is vital to supporting the basics of life in America. Market forces are pushing infrastructure operators to put their infrastructure online, which enables them to remotely manage the infrastructure and increases their efficiency. However, when our infrastructure is online, it is also vulnerable to cyber attacks that could cripple essential services. Our proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity. The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans. Operators who are already required to report to the Securities and Exchange Commission would also have to certify that their plans are sufficient. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate. In the event that the process fails to produce strong frameworks, DHS, working with the National Institute of Standards and Technology, could modify a framework. DHS can also work with firms to help them shore up plans that are deemed insufficient by commercial auditors.

White House cyber plan would expand role of DHS, private sector (Government Computer News):

The Obama administration is proposing comprehensive cybersecurity legislation that would clarify the government’s role in protecting the nation’s critical infrastructure and favor public/private cooperation over regulation.

The proposal would give the Homeland Security Department oversight authority for the Federal Information Security Management Act, the primary framework for protecting civilian government IT systems, and establish a program to encourage owners and operators of critical infrastructure to implement cybersecurity.

“The nation cannot fully defend against these threats unless portions of existing cybersecurity laws are updated,” a senior White House official said in a briefing today.

Officials from the White House and DHS emphasized that the proposal is a work in progress rather than a finished product. They described its introduction as the beginning of an extensive discussion among the administration, Congress and industry.

President Barack Obama has identified cybersecurity as crucial to national security and the economy, and he has taken a number of steps to improve the country’s cybersecurity posture, including appointing Howard Schmidt to be the White House cybersecurity coordinator and developing a cybersecurity incident response plan.

But authority for overseeing and enforcing the security of the nation’s public and private information systems remains fragmented, and technology has outstripped federal laws and regulation. A number of bills that would overhaul cybersecurity responsibilities were introduced during the last Congress and the current one.

One issue addressed in bills before Congress but not addressed in the White House proposal is the president’s authority to intervene during a cyber emergency. A White House official said the president already has sufficient emergency authority to act under existing rules, and, therefore, no specific authority is outlined in the proposal.