Obama Administration Unveils New Cyber Security Plan

In an effort to step up and better protect America against cyber threats, the Obama administration Thursday announced its latest cyber security plan.

Coming nearly two years after the president issued his Cyberspace Policy Review, the new plan not only strives to enhance the security of the nation’s infrastructure but also lays groundwork for businesses to report data breaches. This last point is noteworthy given the recent breach at Sony, and especially for insurers and financial services companies in the wake of the Epsilon breach in early April.

According to the administration, state laws currently require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information. The proposal, however, contains national data breach reporting designed to help businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.

While the cyber security plan focuses on protecting American citizens, the federal government's computer systems and civil liberties, it also touches on protecting critical infrastructure. Specifically, it entails the private sector’s work with the Department of Homeland Security (DHS).

According to the administration’s plan:

• Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses. For example, organizations sometimes ask DHS to help review their computer logs to see when a hacker broke into their system. However, the lack of a clear statutory framework describing DHS’s authorities has sometimes slowed the ability of DHS to help the requesting organization. The proposal will enable DHS to quickly help a private-sector company, state or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

• Businesses, states and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The proposal makes clear that these entities can share information about cyber threats or incidents with DHS. When a private-sector business, state or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cyber-security threats. To fully address these entities’ concerns, it provides them with immunity when sharing cyber security information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

• The nation’s critical infrastructure, such as the electricity grid and financial sector, is vital to supporting the basics of life in America. Market forces are pushing infrastructure operators to put their infrastructure online, which enables them to remotely manage the infrastructure and increases their efficiency. However, when the infrastructure is online, it is also vulnerable to cyber attacks that could cripple essential services. The proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cyber security.

To see the plan’s fact sheet, click here.
