The Time is Ripe for Cybersecurity Legislation

It was late evening when the call came in to one of our law enforcement agencies. Nasdaq management was on the line asking for assistance with a security breach they had discovered. Within twenty-four hours, a joint Federal team was on the way to New York to provide support and begin the investigation. Shortly afterwards, I was in the White House Situation Room with other top officials to review what steps we needed to take to strengthen the security of our networks.

This intrusion taught us a few lessons about the shortcomings of our current cybersecurity system. For instance, we greatly appreciate it when corporate leadership alerts the Federal government to serious intrusions, yet there is no general national requirement that companies do so. In cases of cybersecurity incidents that can damage our critical infrastructure such as the electric grid or our financial, transportation, and communication networks – damage that can put our national security, public safety, and economic prosperity at risk – the Federal government must know what is happening so that it can take steps to bring adversaries to justice and help protect Americans.

Unfortunately, our critical infrastructure has suffered repeated cyber intrusions in the past year. Cybercrime, including online identity theft that hurts millions of Americans as well as the theft of intellectual property – American companies’ innovative ideas that are the lifeblood of our economic growth – continues to escalate. Many cyber intrusions could be prevented by implementing sound cybersecurity practices, but companies must be better motivated to make these investments. And while the Federal government continues to take actions to improve our nation’s cybersecurity under our existing legal frameworks, our laws need updating if we are to even the playing field with the cybercriminals.

To address these gaps, and at the invitation of Congressional leaders, the Administration delivered a major cybersecurity legislative proposal on May 12, 2011. This proposal incorporates many of the ideas of Senate and House leaders. It includes national requirements for consumer notification after data security breaches to help Americans take steps to protect themselves and hold companies accountable. It also gives companies a defined process so they can build their internal response plans. It provides for new authorities for the Secretary of Homeland Security to ensure government networks remain safe and reliable, and a unique framework to protect privacy and civil liberties. It would encourage critical infrastructure owners and operators to make the necessary investments to limit the current surge of cyber intrusions, and would set clear expectations for companies to let the Federal government know promptly if intrusions do occur – essential information that can help us stop an incident from turning into a crisis.

Unfortunately, time is not on our side. Since the White House delivered the Administration’s proposal to Congress, a number of new security breaches have been reported. We need Congressional leaders to move forward with a cross-committee and bipartisan approach. Some good news: just last week, we had a very encouraging meeting with a bipartisan group of Senators that ended with agreement to work together to enact cybersecurity legislation as soon as possible. The time is ripe to make proposal into law, and give the government and private sector the extra tools needed to fight those who would harm us.