President to Introduce Largely Self-Regulatory Cyber-Security Proposal, with Government Powers to Shape and Shame
Sources tell ABC News that President Obama will announce a cyber-security plan later today that will rely largely on industries to regulate themselves, with the US government given powers to add to industry standards and to publicly shame companies that fail to enact sufficient security measures.
According to those briefed on the plan, the president’s proposal will require him to define which industries are critical, and he will designate telecommunications, surface transportation, aviation, and electric power. A carve-out provision will allow the president to designate the financial industry as a critical sector that already has sufficient regulation.
Following the president’s designation, those key industries will be required to come up with standards for cyber security. U.S. government officials will be able to add to those standards if they feel the need.
Every company in each sector will be required to come up with its own cyber-security plan, one that has to be audited by an outside third party.
If the US government wants to look at a company’s plan it can do so. If the government finds a company’s plan deficient, it can publicly announce that fact — though it cannot impose a fine.
Such an announcement by the government, while opening the possibility of civil liability for a company, differs from legislation offered by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, and Tom Carper, D-Del., which imposes a fine if a company’s plan is deemed insufficient.
Travis Sharp, co-author of a report on "America's Cyber Future” from the Center for a New American Security, notes that “85-90% of critical infrastructure in the US is in the private sector,” and thus, he argues, “the government has to have a light touch here. If it’s heavy handed, it would be a nightmare for the government to oversee” and would “create a huge regulatory nightmare.”
Others argue that without the threat of fines, companies will not take the appropriate measures – as evidenced by the current state of affairs, which has myriad vulnerabilities.
Still, even those experts favoring a more aggressive approach today applauded the president’s involvement. Currently, Cyber Command defends only military (.mil) networks, with the Department of Homeland Security monitoring .gov sites. Every other site in the US is not defended by the government.
-Jake Tapper (@jaketapper)
Joe Lieberman wants the Department of Homeland Security to be able to order around ISPs.
Does Obama?
Posted by: Eric Jaffa | May 12, 2011, 12:07 pm
If the US government wants to look at a company’s plan it can do so. If the government finds a company’s plan deficient, it can publicly announce that fact — though it cannot impose a fine.
=====
I wonder if Obama will also want them to disclose their political donations.
Posted by: MayBee | May 12, 2011, 12:11 pm
wow, there’s a lot of gray areas in that proposal, not to mention ambiguity.
Posted by: Dianne93101 | May 12, 2011, 12:17 pm
who, or what, is the “3rd Party” who is doing the auditing? Who is paying them? Who is auditing them? Will they have any liability for security breaches or secret company data leaked out during their audits?
Is this simply another scheme to allow “big players” to push out small companies because they won’t be able to afford the new regulations, liability, and government public censure? Will smaller companies have any input on this “3rd Party” who will audit everyone?
Posted by: Ed | May 12, 2011, 12:18 pm
>>wow, there’s a lot of gray areas in that proposal, not to mention ambiguity.
>>Posted by: Dianne93101 | May 12, 2011 12:17:35 PM
Not to mention vagueness and uncertainty also.
Posted by: Pablo | May 12, 2011, 12:26 pm
I can’t believe anyone would object to companies being safer internet-wise.
Honestly, with the amount of damage that could be done by cyber-threats, shouldn’t we be better prepared?
Or do some people just love to complain…about anything.
Posted by: Lydia | May 12, 2011, 12:35 pm
Lydia- who is complaining about companies being safer internet-wise?
Posted by: MayBee | May 12, 2011, 12:45 pm
“Others argue that without the threat of fines, companies will not take the appropriate measures – as evidenced by the current state of affairs, which has myriad vulnerabilities”
I have to agree. In my professional experience I have yet to work with a company that would take cyber-security seriously on the basis of moral principle. The reality of the situation is that companies are not obligated to act with a moral conscience. They are obligated to act with fiscal responsibility to their investors/owners who, in a free market, are motivated by profit. The end game: if it impacts profit (i.e. costs money), then it doesn’t get approved. Now, having said this, if it can be demonstrated that spending some green up front will significantly reduce the risk of an expensive fine (the fine would have to be about twice the amount of whatever you are trying to get budgeted/approved here) and the probable occurrence of the risk was high enough to be downright scary (like a 75% chance), then you might be able to motivate management to spend the dollars to secure themselves. Unfortunately, moral conviction, in my humble experience, has only ever come up as a reason AFTER it was decided that the risk of a fine was very high. Oh, well.
In an earlier post someone asked about the meaning of “3rd party audit”. This would be an audit that is completely independent of the subject being audited. Generally, these audit reports would be shared with the corporation’s audit committee before the conclusion of the audit, and management responses would be expected. Once all the findings are finalized with management’s input, the report would be sent to the requesting entity, in this case, I suppose, the federal department/office responsible for enforcement of the Act. We will see.
Posted by: J C Mapes | May 12, 2011, 12:51 pm
J C Mapes hit the nail on the head. Companies frequently won’t spend the needed funds to prevent problems because that quarter’s or year’s profits are what is driving their CEOs.
Thus the need for regulation and fines to corral them into taking the prudent and logical action.
Posted by: Lydia | May 12, 2011, 1:16 pm
Certain entities (government, utilities, etc.) should have some of these regulations for security. But this policy would seem to apply to A LOT of companies, industries, and businesses in America. Another layer of bureaucrats and costs. Another opportunity for the government and unelected regulators to pick “winners”.
The market SHOULD correct other companies that don’t have security policies.
Unfortunately, in the Bush/Obama times of bailouts, “too big to fail”, and regulatory agency creep, companies don’t have an incentive to do so. You bet that if their stock price, financial liability, and/or criminal liability was on the table, companies would come up with security!
However, having some agency will likely lead to zero liability, bailouts, etc., and the ability of companies to say “we complied”, “we were audited”, and so not seek the most robust security for their businesses but only provide the minimum level demanded by the government.
Posted by: Ed | May 12, 2011, 1:24 pm