Private companies that manage the nation's "critical infrastructure" would be required under a new cybersecurity initiative announced Thursday by the White House to submit detailed plans showing how they can defend themselves against cyberattack.
The proposal would apply to companies that provide electrical, financial and telecommunications services, oversee energy and transportation systems, or operate in other areas considered vital to national life.
Security experts have long warned that the country's civilian infrastructure is vulnerable to cyberattack. As many as 90 percent of the companies operating in that sector, however, are in private hands, which means that the government lacks the authority on its own to confront cyberthreats to the civilian networks on which daily life depends.
"Our critical infrastructure ... have suffered repeated cyber-intrusions, and cybercrime has increased dramatically over the last decade," the White House said in a statement. "It has become clear that our Nation cannot fully defend against these threats unless parts of cybersecurity law are updated."
The plan announced Thursday would allow private companies to draw up their own cybersecurity programs but gives the federal government the authority to approve or reject the proposals. Companies whose plans are considered inadequate would have to work with the Department of Homeland Security to improve their cyberdefenses and could be publicly identified as having unsatisfactory security programs. Companies with approved plans, on the other hand, would be rewarded for their compliance.
'Good Intentions Only Get Us So Far'
A senior White House official, briefing reporters anonymously on the administration's proposal, said it would produce "better results than a more prescriptive approach."
"We don't believe government has all the answers here," he said.
Some legislative proposals, however, call for a stronger government role in ensuring that critical facilities are well-protected, similar to the way the nuclear power industry is regulated.
"Good intentions only get us so far," said Rep. James Langevin (D-RI), who has introduced his own cybersecurity legislation. "Cyberattacks can cause great damage to the economy and loss of life. Government has a role to play here in making sure we bring industry that extra step down the field to make sure we're as safe as we can possibly be."
Private firms that would be affected by the White House plan, however, not surprisingly favor the more voluntary approach.
"We see this as an important step forward," said Shannon Kellogg, senior director of government affairs at EMC Corp., a leading cybersecurity firm. "We think there are many elements of the White House proposal that should be enacted by the Congress."
Dozens of bills have been introduced in Congress to enhance cybersecurity, but sponsors of those measures have been waiting to see the Obama administration's own proposal before proceeding with their legislation.