Sources tell ABC News that President Obama will announce a cyber-security plan later today that will rely on industries to largely self-regulate, with the US government given powers to add to industry standards and shame companies that fail to enact sufficient security measures.
According to those briefed on the plan, the president’s proposal will require him to define what industries are critical, and he will designate telecommunications, surface transportation, aviation, and electric power. A carve-out provision will allow the president to designate the financial industry as a critical sector that already has sufficient regulation.
Following the president’s designation, those key industries will be required to come up with standards for cyber security. U.S. government officials will be able to add to those standards if they feel the need.
Every company in each sector will be required to come up with its own cyber security plan, one that has to be audited by outside 3rd party group.
If the US government wants to look at a company’s plan it can do so. If the government finds a company’s plan deficient, it can publicly announce that fact — though it cannot impose a fine.
Such an announcement by the government, while opening the possibility of civil liability for a company, differs from legislation offered by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, and Tom Carper, D-Del., which imposes a fine if a company’s plan is deemed insufficient.
Travis Sharp, co-author of a report on "America's Cyber Future” from the Center for a New American Security, notes that “85-90% of critical infrastructure in the US is in the private sector,” and thus, he argues, “the government has to have a light touch here. If it’s heavy handed, it would be a nightmare for the government to oversee” and would “create a huge regulatory nightmare.”
Others argue that without the threat of fines, companies will not take the appropriate measures – as evidenced by the current state of affairs, which has myriad vulnerabilities.
Still, even those experts favoring a more aggressive approach today applauded the president’s involvement. Currently, Cyber-command only defends the military.gov sites, with the Department of Homeland Security monitoring dot.gov sites. Every other site in the US is not defended by the government.
-Jake Tapper (@jaketapper)