Saturday, May 14, 2011

White House Wants Tougher Penalties for Computer Breaches



Almost two years after outlining a broad strategy intended to strengthen the security of the nation’s computers and networks, the Obama administration said Thursday that it was sending proposed legislation to Congress that would strengthen penalties for any invasion of private computer systems.


But the White House, in a briefing for reporters, said it had elected not to seek authority for stringent top-down regulations that would require companies to erect specific barriers to computer intrusions — which corporations feared would be enormously costly and soon be outdated.

Instead, the administration is hoping to offer incentives that will persuade private industry to improve computer security voluntarily and have those standards reviewed by the Department of Homeland Security.

“The private sector has a huge incentive to secure its own systems and an incentive to do that work better by sharing that information more broadly,” said Gregory T. Nojeim, senior counsel for the Center for Democracy and Technology, a policy group here.

The administration made no mention of seeking authority for the president to hit a “kill switch” that would essentially shut off access to the Internet in the event of a national emergency or a broad-based computer attack meant to shut down financial markets or power plants.

But administration officials said the Department of Homeland Security would designate certain privately run computer systems as part of a “critical infrastructure” over which the department would have enhanced authority.

While the proposed legislation will address new American defenses against computer crime, it does not appear to deal with a growing cyberoffense capability in the American intelligence agencies and in the military. Billions are being spent on building weapons for attacking computer networks — in part to deter cyberattacks on the United States. While those programs are highly classified, the United States is believed to have played a major role in the software-based attacks on Iran’s nuclear program, and recently Iran announced the creation of a cyberforce of its own.

The international component of the strategy will be addressed on Monday, according to several policy specialists, who have been invited to a White House briefing with John O. Brennan, the deputy national security adviser.

The White House said it would release proposed language for the new legislation on Thursday evening, and the text of different sections of the proposal was placed online by Senator Harry Reid of Nevada, the majority leader, during the day.

By increasing and clarifying the penalties for computer crimes, and giving the homeland security agency a clear mandate for the protection of the government’s own networks, the administration hopes to reverse a growing perception that the penalties for attacks on government, corporate and personal computers have been comparatively trivial.

Just in the past few months, companies including the EMC Corporation and Sony have experienced major breaches of security. In some cases, the digital identity information for millions of customers has been stolen.

In addition to giving the Department of Homeland Security new authority over federal computer systems, the proposed legislation calls for the agency to work with energy companies, water suppliers and financial institutions to rank the most serious threats and find ways to counter them. The new law would require each business to have an independent commercial auditor assess its plans, and, in the case of financial firms, report those plans to the Securities and Exchange Commission.

A senior homeland security official, who declined to be identified during a telephone news briefing on Thursday under ground rules set by the administration, said the administration had shied away from a stronger regulatory approach because it believed “it did not have all the answers.”

“Nor do we believe that it’s appropriate for the government to say, ‘Thou shall do X, Y and Z’,” he said.

Privacy groups said that the administration’s proposals did not appear to put in place strict enough controls to protect personal information against potential government surveillance.

“There should be legal standards, not voluntary guidelines,” said Marc Rotenberg, director of the Electronic Privacy Information Center, a Washington policy group.

Six major bills addressing computer security have been introduced in the past two years and the administration must now work to get Congress to adopt its language. On Thursday, members of Congress welcomed the administration’s draft while saying that it did not cover as much ground as legislation that has already been proposed.

“I commend the president for sending us a package of cyberinitiatives,” said Senator Kirsten E. Gillibrand, Democrat of New York. “This is a good step forward, but we must also address the growing international cyberthreat.”

David E. Sanger reported from Washington, and John Markoff from San Francisco.
