U.S. Outlines Cybersecurity Initiative Under the plan, private companies that manage the nation's "critical infrastructure" would be required to submit detailed plans showing how they can defend themselves against cyberattack. The federal government would then have the authority to approve or reject the proposals.
NPR logo

U.S. Outlines Cybersecurity Initiative

  • Download
  • <iframe src="https://www.npr.org/player/embed/136250408/136250681" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
U.S. Outlines Cybersecurity Initiative

U.S. Outlines Cybersecurity Initiative

  • Download
  • <iframe src="https://www.npr.org/player/embed/136250408/136250681" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

ROBERT SIEGEL, host:

From NPR News, this is ALL THINGS CONSIDERED. I'm Robert Siegel.

For years, security experts have been warning that the country's banking and telecommunications systems, its power and transportation grids, as well as its oil refineries, are all vulnerable to cyberattack.

Computer networks underlie that infrastructure. If they're shut down, daily life could be paralyzed. And yet steps to improve the nation's cybersecurity have stalled due to disagreements over what exactly should be done.

Well, today the White House laid out its own proposal for improving the nation's cybersecurity. And joining us to talk about that is NPR's Tom Gjelten. Hi, Tom.

TOM GJELTEN: Hi, Robert.

SIEGEL: And first, why has it been so difficult to get folks to agree on a plan?

GJELTEN: One reason, the infrastructure that we're talking about, the banks, the power grid, the oil refineries, the telecommunications companies, that's almost entirely in private hands. Close to 90 percent of this critical infrastructure is in the private sector.

And if you look at computer systems generally, Robert, you've got the military network, that's the dot-mil domain, they're very well-protected. You've got the dot-gov networks. They're somewhat protected. And then you've got the dot-com domain. That's the least protected.

Each company up to now has largely been on its own. There hasn't been much of a role for the government. The government doesn't have a legal authority to take charge of protecting private computer networks. So if that's to change, you need new laws. That's what's difficult.

CONAN: And the Obama administration is proposing what?

GJELTEN: The Obama administration is actually proposing that private companies continue to be responsible for their own cybersecurity. They'd come up with their own plans. The idea is that they know best what threats they face and how they can confront them.

But they do have to come up with a plan. This is the key. The government, under this plan, would define critical infrastructure, what companies are included in that sector, and all those companies would then be required to come up with a security plan.

The government would evaluate those plans, decide if they're adequate or not. If they're not satisfied, they will report that. It's kind of a name-and-shame approach. If they're satisfied, they'll report that. That would be good publicity for them.

SIEGEL: So it's a plan for a lot of plans. Does this seem adequate to the challenge, this plan?

GJELTEN: That's the issue. You know, there are various legislative proposals out there in this area. The White House proposal is just one. Some of them are tougher than others. The main Senate bill, for example, would actually impose fines and penalties on companies that don't come up with good plans.

Some members are advocating a much heavier touch, more government regulation, more like the nuclear industry, which is very heavily regulated. So that is an area of disagreement.

The Obama administration says the government does not have all the answers here. They're betting that companies can come up with effective cybersecurity plans.

SIEGEL: I want to ask you about an idea that people involved in this area talk about, the notion of a full-scale cyber-war. So far you're talking about attacks on a particular infrastructure. Does the administration's proposal address the notion of a huge cyberattack on all sorts of systems?

GJELTEN: You know, Robert, I've asked that question. And the truth is there are those people who are focused on the prospect of cyber-war, that's largely on the military side, aren't entirely satisfied with where things are in that regard.

One of the things they're concerned about is there's really nobody in the government that has clear command and control authority to orchestrate a government response in the event of a cyberattack. And this is one of the issues that has to be worked out because the White House cybersecurity coordinator does not have that authority right now.

SIEGEL: Any reaction from industry today?

GJELTEN: Generally positive. They see this as a step in the right direction. They recognize that the government will have a role to play here, and they're willing to work with the government. They say that this is a step in the right direction.

SIEGEL: Thank you, Tom.

GJELTEN: You're welcome.

SIEGEL: That's NPR's Tom Gjelten.

Copyright © 2011 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.