White House presses for stricter cyber rules for critical infrastructure
Wednesday - 4/11/2012, 5:36am EDT
Any bill that emerges from Congress should include provisions that ensure the nation's most critical privately owned infrastructure is as secure as it can be, the Obama administration's cyber policy chief said Tuesday.
While a mishmash of competing cyber bills currently are vying for attention on Capitol Hill, the most contentious divide is over whether or not to give the federal government new powers to set cybersecurity standards for the nation's most critical privately-held infrastructure. Lawmakers who are wary of adding a new regulatory burden to private businesses said that lowering the barriers to information sharing, both between federal agencies and private industry and within the private sector itself, could solve the problem.
"If information sharing was enough, that's all we would have asked for," Howard Schmidt, the White House's cybersecurity coordinator, told a Georgetown University conference. "But there's other components that are important."
Schmidt said those other components include:
- Tougher penalties for certain categories of cyber criminals: "People have to be held more accountable when they interfere with critical infrastructure. There's got to be a higher level when it comes to organized crime," he said.
- Updates to the Federal Information Security Management Act (FISMA): "We have to move from an environment where by being FISMA compliant, you can still be insecure. We have to flip that around. We want an environment where, by becoming secure, you are indeed FISMA compliant," Schmidt said.
- Increasing the nation's ability to train and retain cyber talent.
Administration's bill is most contentious
Schmidt acknowledged the critical infrastructure provision of the bills advanced by the White House was the most contentious, but he said all operators of core critical infrastructure should have to prove to the government, and to their customers, that they're doing all they can on the cybersecurity front.
"And one would think that would not be that big of an ask," he said. "When all of us go out to buy a car, we don't deal with people who may or may not decide to add brakes or may or may not decide to put bald tires on the car. These are things that we expect for safety and security. We have to do the same thing when it comes to the core critical infrastructure."
Allies of the White House approach to regulating critical infrastructure include Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), who have proposed a broad cyber overhaul. Smaller, more piecemeal bills are expected to be voted on in the House in the next few weeks.
Schmidt said protecting DoD and other federal systems is vital, but it's not the federal government's only responsibility on the cyber front. He said state and local governments would be devastated by the aftereffects of a successful attack on critical infrastructure, as would private businesses. He said it's the federal government's responsibility to prevent those attacks in the first place.
"We have natural things that take place that affect businesses all the time, windstorms, snowstorms, hurricanes, you name it. They're out of business for reasons we can't control," he said. "But can we afford to have companies go out of business for any period of time in today's economy just because they didn't have access to the core critical infrastructure? Yes, we care about the military, yes, we care about the cybersecurity of the federal government, but this is not just about the federal government. It's the local governments and the small and medium sized businesses that we have to protect. People talk about the impact of this legislation's impact on businesses, but let's look beyond that top layer. Let's look at all the things that are going to be impacted if these things aren't protected."