Extra protection is to be offered to critical infrastructure by the US government in order to keep it secure.
US cyber security coordinator Howard Schmidt called it a ‘milestone in our national effort to ensure secure and reliable networks for Americans, businesses and government’. He said that the government's cyber security legislative proposal ‘strikes a critical balance between maintaining the government's role and providing industry with the capacity to innovatively tackle threats to national cyber security’.
Schmidt, who was appointed to the position of cyber security coordinator and special assistant to President Barack Obama in December 2009, said that the proposal will aim to address three key areas: safeguard personal data and enhance a person's right to know when it has been compromised; protect national security by addressing threats to water grids, water systems and other critical infrastructure; and help protect federal networks, while creating stronger privacy and civil liberties protections that keep pace with technology.
With regard to protecting critical infrastructure, Schmidt said: “These systems are the backbone of our modern economy; many are privately owned but all merit our support in protecting them.
“The administration proposal advances the security of our increasingly ‘wired’ critical infrastructure, strengthens the criminal penalties for hacking into the systems that control these vital resources and clarifies the ability of companies and the government to voluntarily share information about cyber security threats and incidents in a privacy-protective manner. This is behaviour we want and need to promote.”
As well as continuing with its Stop. Think. Connect campaign, Schmidt also called on businesses to inform users when their sensitive personal information may have been compromised, with changes to the ‘patchwork of 47 state notification laws’.
The proposal will also allow the Department of Homeland Security (DHS) to implement intrusion detection and prevention systems within federal networks that can help speed a response to incidents. Schmidt said: “The proposal also designs a framework for protecting privacy and civil liberties that includes new oversight, reporting requirements and annual certification to ensure that cyber security technologies are used for their intended purpose and nothing more.”
Henry Harrison, technical director of Detica, said: “While both the US and the UK governments recognise cyber security as one of their top national security risks, the reality is that the majority of the challenge is borne by private sector companies that operate our national infrastructure and provide our national wealth generation.
“As there are no borders in cyberspace, it will be interesting to see if the US plans effectively inspire UK authorities to step up our own critical infrastructure protection, given the identical challenges faced by our private sector. It also remains to be seen whether any US or UK initiatives will extend to the mandatory reporting of cyber incidents, for example the theft of intellectual property or commercial secrets.”
Rob Rachwald, director of security strategy at Imperva, said: “While it tries to address some of the gaps that have existed for years, the proposal would benefit from some specifics. Actually, a lot more specifics. In some key areas, the proposal is a ‘plan for a plan’ as opposed to prescribing specific, actionable steps to protect data, intellectual property and infrastructure.
“The brightest component of the proposal is the emphasis on information sharing. Since attacks come from common places, this is a no-brainer. Additionally, the White House recommends a common intrusion prevention system. Another excellent step.”