Reporting from Washington — The White House has just sent to Capitol Hill a proposal to beef up cyber security regulations, an attempt to forge consensus on how to protect vulnerable U.S. networks from attacks that could blow up city blocks, erase bank data, crash planes and cut power to large sections of the country.
One key provision would require electric utilities and others to disclose what steps they are taking to protect their networks, an attempt to use the market to force companies to beef up protections. Another provision provides legal immunity to companies that notify the government about cyber threats and intrusions against them, something they are sometimes reluctant to do now for fear of being sued.
The proposal will be derided as tepid by some critics, but a cross section of experts has long said even weak regulation is better than the status quo, with critical infrastructure now wide open for a variety of potentially crippling attacks.
As the Los Angeles Times reported in March, electrical grids, pipelines, chemical plants and other infrastructure are controlled by computer systems that were designed without security in mind, and are vulnerable to crippling cyber attacks.
Nonetheless, industry and privacy groups will probably oppose any government regulation of cyberspace, and the Republican-controlled House has shown little interest in moving a bill.
"Our proposal outlines key steps to take in order to better protect the American people from cyber crime and identity theft, to better safeguard critical infrastructure as well as the federal government computers and networks, and to better protect individuals’ privacy and civil liberties," said an administration official who spoke on condition of anonymity.
The proposal, the official said, was the White House's attempt to forge consensus among the dozens of cyber security bills pending, some of which call for starkly different approaches.
The proposal:
- Requires businesses that have suffered an intrusion to notify consumers if the intruder had access to consumers’ personal information, standardizing the existing patchwork of 47 state laws that contain these requirements.
- Empowers the Department of Homeland Security to quickly help a private-sector company, state, or local government when that organization asks for its help -- and clarifies the type of assistance that the DHS can provide to the requesting organization.
- Provides legal immunity to businesses, states and local governments that share information about cyber threats or incidents with the DHS, while mandating robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.
- Requires operators of critical infrastructure, such as chemical plants and electric grids, to publish their cyber security risk mitigation plans so that the marketplace can assess whether or not their plans are adequate to the risks they face.
The proposal prevents a state from requiring companies to build their data centers in that state, except where expressly authorized by federal law.
It includes a number of civil liberties protections, among them limiting all monitoring, collection, use, retention, and sharing of information to the purpose of protecting against cybersecurity threats. Immunity for the private-sector business, state, or local government is conditioned on its compliance with the requirements of the proposal.