The Cybersecurity Legislative Proposal contains eight sections. Highlights of the proposal include:

• clarifying the elements of cyber crimes, and the creation of standard penalties for certain crimes –with the harshest punishments proposed for those who intrude into critical infrastructure networks;
• establishing a single national data-breach reporting standard – a point at which a person or organization is required to be notified that the security of their private information has been compromised – rather than continuing to work with a patchwork of 47 state data-breach reporting laws;
• codifying the role of DHS in managing federal civilian agency cybersecurity – the “dot-gov” domain;
• establishing a voluntary information-sharing program among federal, state, and local governments and private industry, safeguarded by privacy and civil liberties procedures that would be overseen by the attorney general – for example, if a company wants to share information with the government, it must first make reasonable efforts to remove any identifying information related to cyber threats; and
• a stronger DHS role in protecting critical infrastructure, in which the department works with industry to develop risk-based cybersecurity standards. DHS would play a stronger role both in defining what “critical infrastructure” is, and the risks needed to be mitigated; private enterprise would bear the responsibility for developing cybersecurity plans to address those risks for third-party review.

Predictably, the proposals outlined by the White House were criticized by some as being too draconian or too toothless; too focused on the government’s role; or too lax on the private sector, etc. Just as it had with its International Strategy for Cyberspace, however, the White House expressed the view that its proposals were the “beginning of a discussion with Congressional leadership.”

 

Implementing a Strategy for Cyberspace: The Work of DHS

The amount of the legislative proposal devoted to the role of DHS is understandable; according to Lewis, while DoD’s role in cybersecurity is well established, DHS’s role is still a work in progress. This isn’t because the department hasn’t been busy developing its own programs and strategies – it outlined its own comprehensive strategy for federal agency cybersecurity in the summer of 2010, for example – but primarily because it’s only seven years old and can only do what it’s authorized to do. For example, DHS is responsible for coordinating, if requested, any government response to cyber attacks against private industry networks. Eighty-five percent of the nation’s civilian infrastructure is privately owned, and “if requested” is a key phrase: DHS has little direct authority to influence the cybersecurity practices of the private sector. Right now, all it can do is make its expertise as available and attractive as possible.

The department’s outreach efforts are spearheaded by the NCCIC. Established in October 2009, the center is a 24-hour, DHS-led watch-and-warning facility that serves as the federal hub for organizing cyber response efforts. The two main operational organizations working through the NCCIC are the National Coordinating Center for Telecommunications (NCC) and the U.S. Computer Emergency Readiness Team (US-CERT).

US-CERT provides response support and cyber defense of the “dot-gov” domain, as well as to private networks on request. It’s one of the most active civilian cybersecurity agencies, responding to more than 100,000 incident reports and releasing more than 5,000 actionable cybersecurity alerts in FY 2011. To its nearly 600,000 private-sector subscribers, US-CERT provides updated vulnerability information through the National Cyber Alert System.

The department’s cybersecurity efforts over the past few years have tended to focus, understandably, on the owners and operators of critical infrastructure and key resources (CIKR). Its specialized Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides on-site support to owners and operators of critical infrastructure for protection, response, forensic analysis, and site assessment. The team also provides training and tools to increase awareness of the evolving threats to industrial control systems. DHS has developed a baseline assessment to identify and prioritize risks to critical sector-wide IT functions, while outlining strategies to mitigate those risks.

DHS periodically evaluates its cybersecurity partnerships – international, national, state, local, and private-sector – through a national exercise designed to put its National Cyber Incident Response plan to work. The most recent exercise, Cyber Storm III, conducted in September 2010, simulated a large-scale attack on the nation’s critical infrastructure and involved seven Cabinet agencies, 11 states, 12 international partners, and 60 private companies.

The NCCIC, with the operational arm of US-CERT, is also the seat of DHS’s program for protecting federal civilian networks. In this domain, where DHS has greater statutory authority, the department has numerous tools at its disposal for helping agencies secure their unclassified networks, under the umbrella of the National Cybersecurity Protection System. The most direct means of achieving this is the Einstein program, which uses an early-warning technology designed by NSA for detecting and preventing intrusion into networks. Einstein technology, when fully developed, will essentially create a box through which data traffic passes and is held for examination before being allowed through to a federal network. The current iteration of the technology, Einstein 2, has been deployed to 16 departments and agencies, and consists of intrusion-detection sensors that display real-time information on data flow and traffic types (TCP/IP or UDP, for example). In the future, these sensors will be augmented with real-time capability for automatically detecting and disrupting malicious activity before harm is done.