May 12, 2011

Obama’s Cybersecurity Plan Urges More Disclosure of Breaches to Consumers

The Obama administration’s proposal for protecting banks, power grids and government computers from cyber attacks urges tightening oversight of critical infrastructure and requiring companies to notify consumers of data breaches.

The Homeland Security Department would “work with industry” to detect vulnerabilities in electrical grids and financial networks, according to a summary of the proposal released today by the White House. The plan also calls for mandatory minimum penalties for computer-related crimes.

The administration’s proposal seeks to jump-start efforts in Congress to update U.S. laws in response to the increased threat of cyber attacks capable of crippling business and government operations.

“Cyber crime has increased dramatically over the last decade,” according to the summary. “It has become clear that our nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated.”

U.S. lawmakers introduced about 50 cybersecurity measures in the last session of Congress, according to the White House summary. Those measures include at least eight bills that seek to boost security at energy and utility companies.

Senate Majority Leader Harry Reid, who is compiling comprehensive cybersecurity legislation on his side of Capitol Hill, solicited the administration’s proposal to guide Congress’s efforts on the issue.

Symantec Rises

“Cybercrime, cyber industrial espionage and cyber attacks cost American businesses and consumers billions of dollars per year and threaten our economy and our national security,” Reid said in a statement. “It is time to create the proper authorities and enhance the tools to protect the computer networks that are so crucial to our daily lives.”

Shares of Symantec Corp. (SYMC), a leading provider of computer security software, rose 5.2 percent to $20.42 at 4:00 p.m. New York time in Nasdaq composite trading, the most since August 19.

Juniper Networks Inc. (JNPR), another security provider, rose 3.5 percent to $39.81 at 4:02 p.m. in New York Stock Exchange trading, the most since March 11.

The White House proposal would require companies that operate systems critical to the nation’s economy to develop plans for securing their systems. They also would have to hire commercial auditors to determine if the security procedures are adequate. If not, the company would have the option to work with the Homeland Security Department to strengthen the plan.

'Major Concern'

A “major concern for companies” is that the government may choose to disclose the audits publicly, which “could turn into a naming and shaming approach,” Travis Sharp, research associate at the Center for a New American Security, a Washington-based policy research group, said in an interview.

“It could be good if it reveals that certain companies are really good at cybersecurity,” he said, and create “an obvious business benefit.”

Under the proposal, the Homeland Security Department would be authorized to assist targeted companies seeking government aid after a cyber attack, according to a White House official who discussed the proposal on a conference call today. The official spoke on condition of anonymity because the full proposal had not yet been released.

Recent Assaults

The urgency of advancing a cybersecurity bill has been heightened by recent assaults. The Senate’s Sergeant at Arms reported last year that computer systems of Congress and executive branch agencies are probed or attacked 1.8 billion times per month, costing about $8 billion annually.

“Cybersecurity is finally getting the proper attention that it needs,” said Lawrence Ponemon, founder of the Ponemon Institute, an information-security research group. He said the U.S. is “lucky” it hasn’t had a serious cyber attack on infrastructure like a power grid or oil refinery.

Data breaches cost U.S. businesses an average of $7.2 million per incident last year, according to a March report by the Ponemon Institute.

Sony Corp. took down its PlayStation Network and Qriocity services April 20 because of data theft affecting 77 million users. Sony Online Entertainment, a U.S. unit that offers online games, also shut its network May 1 after discovering personal information from approximately 24.6 million accounts may have been compromised.

Least-Prescriptive Approach

The White House proposal also seeks to standardize what it calls a patchwork of state laws requiring businesses to inform their customers in the event of a breach affecting consumers’ personal data. It also encourages businesses to voluntarily share information about network intrusions and computer viruses with federal, state and local government authorities.

The administration wants to take the least-prescriptive approach possible, a senior official said during the conference call. The rationale behind the proposal was that the White House doesn’t have all the answers, the official said, speaking on condition of anonymity.

“Trusted, secure networks are now the foundation of our nation’s infrastructure,” Phil Bond, chief executive of TechAmerica, the Washington-based technology industry association, said in a statement. The administration’s focus on a partnership between the government and the private sector is key since “the private sector owns or operates the vast majority of our nation’s critical infrastructure.”

The proposal also calls for updating existing law on securing federal computer systems. It recommends recruiting talented cybersecurity professionals and authorizing the Homeland Security Department to “oversee intrusion prevention systems for all Federal Executive Branch civilian computers.”

The department would be directed to modify federal acquisition rules to reward companies that have secure systems, according to senior administration officials who spoke on the conference call.

“It’s a really smart move,” Sharp said. “Prioritizing security in acquisition helps stop problems before they start.”