Obama Administration Submits to Congress a Legislative Proposal for Cybersecurity

In response to a letter to the President from Senate Majority Leader Harry Reid and six Senate committee chairs, the Obama administration has provided its input on cybersecurity legislation that is necessary to “ensure that cyberspace continues to be an area defined by growth and innovation” according to a blog posted by Howard Schmidt, The White House’s Cybersecurity Coordinator and Special Assistant to the President.  When President Obama released his Cyberspace Policy Review two years ago he declared cyberspace as a key strategy asset for the United States its security just as vital.

The proposed legislation addresses the following three areas:

• Protecting the American People through a uniform, national data breach reporting law to simplify and standardize the existing patchwork of 47 state laws and clarifying the penalties for computer crimes to synchronize them with other crimes and create mandatory minimums for cyber intrusions into critical infrastructure.
• Protecting our Nation’s Critical Infrastructure through voluntary government assistance to organizations that suffer a cyber intrusion and facilitating information sharing with industry, state, local government, and businesses.  Changes in existing laws are necessary to clarify roles and responsibilities and to eliminate fear of liability.  DHS will work with industry “to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerability for those operators”.
• Protecting the Federal Government Computers and Networks through updates to the Federal Information Security Management Act (FISMA), the recruitment and retention of highly-qualified cybersecurity personnel, making permanent DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers, and preventing states from requiring companies that offer cloud computing services and applications to build their data centers in a given state.

All of this is being done in the context of a “new framework to protect individuals’ privacy and civil liberties” according to the plans outlined in the Fact Sheet.  The framework includes new oversight, reporting requirements, and annual certification to ensure that cybersecurity technologies are used for their intended purpose and nothing more.

It is unclear what effect the Administration’s legislative proposals will have upon the legislation that has already been introduced or is in the process of being crafted to address concerns related to privacy, cybersecurity, identity theft, and a host of related issues.  It is also not clear what the impact will be upon colleges and universities who have been marginalized in the more recent prioritization of critical infrastructures.  Nonetheless, we can expect that the proposals will be the subject of Congressional hearings and will fuel additional discussions on Capitol Hill requiring careful analysis and close monitoring to ensure that the proposals are truly effective to the goals of the higher education community to be considered an important contributor and resource to the national effort to secure cyberspace.