White House proposals include breach notification law
The White House on Thursday unveiled sweeping cybersecurity legislative proposals to Congress that would create a national data breach notification law and clarify the U.S. Department of Homeland Security's role in defending private and public networks.
The recommendations, created in response to Congress' call for assistance on how to address the country's cybersecurity needs, are focused on improving security for citizens, the nation's critical infrastructure and the federal government's own networks and computers, the White House said Thursday in a news release.
The proposal follows the president's nearly two-year-old Cybersecurity Policy Review, which declared cyberspace a key strategic national asset and laid out an action plan for securing the country's networks.
“We look forward to working with Congress as it moves forward on this issue,” Howard Schmidt, cybersecurity coordinator and special assistant to the president, said in a statement posted Thursday to the White House website.
The proposal by the Obama administration aims to improve protections for Americans by standardizing the existing 47 state data breach notification laws into one overarching federal statute that requires businesses to alert customers if their personal information is inadvertently exposed.
A national data breach notification law has been in the works for a number of years. Several versions have made the rounds, but none has ever cleared both chambers. This has mainly been due to other Congressional priorities and, more specific to the bills themselves, disagreement over what constitutes a suitable threshold for reporting a breach.
Thursday's proposal from the White House also asks for mandatory minimum penalties for cyber intrusions into critical infrastructure.
The White House is additionally seeking to improve the protection of critical infrastructure, such as the electric grid and financial networks, by clarifying the type of assistance the DHS can provide to private-sector organizations that have suffered an infiltration.
Organizations have, in the past, asked for the federal government's help investigating attacks or building defenses, but the lack of a clear legal framework describing the DHS' authority has slowed any aid the department can provide, the White House said.
In addition, the suggested legislation would require the DHS to work with private-sector owners and operators of critical infrastructure to prioritize the most pressing threats affecting their networks. Entities would develop their own plans for addressing those risks and then have those plans assessed by a third-party commercial auditor.
As it relates to government computers and networks, the proposal would update the Federal Information Security Management Act (FISMA) by formalizing the DHS' role in managing cybersecurity for federal civilian computers and networks, the White House said. It would also formalize the DHS' authority to oversee intrusion prevention systems for all executive branch computers.
Further, it would give the DHS more flexibility to hire cybersecurity professionals in an effort to boost the recruitment of highly qualified experts.