Hesstech News
Industry News
April 2009 Newsbrief

Cybersecurity Act of 2009 Drafted
http://www.hesstech.com/images/cybersecurityAct2009.pdf

Senators Olympia Snowe and John D. Rockefeller have drafted a cybersecurity bill that would establish a real-time information system to track the security status of federal systems, require the licensing of cybersecurity professionals and give federal officials new powers to create and enforce data security standards for businesses in critical infrastructure industries.

The goal of the legislation is to reinforce ongoing cybersecurity efforts within the government and to ensure proper safeguards are in place for critical infrastructure targets within private sector industries such as water, power systems, healthcare and banking.

According to the Staff Working Draft, the bill contains the following provisions:

  • Create a real-time cybersecurity dashboard providing security status and vulnerability information of all Federal information systems and networks.
  • Create regional Cybersecurity Centers to aid small and midsize businesses.
  • Have the National Institute of Standards and Technology (NIST) develop measurable cybersecurity standards for all Federal government, government contractor, and critical infrastructure information systems and networks, including the creation of standardized testing and accreditation protocols for software.
  • Mandatory national licensing of cybersecurity professionals within three years.
  • Review of NTIA domain name contracts.
  • Implement a secure domain name addressing system.
  • Promote cybersecurity awareness to the public and communicate the government's role in securing the internet and protecting civil liberties.
  • Direct the NSF to give priority to computer and information science and engineering research related to cybersecurity.
  • Establish a Federal Cyber Scholarship-for-Service Program to recruit and train the next generation of Federal IT workers and security managers.
  • Conduct cybersecurity challenges and competitions to aid in awareness and recruiting.
  • Make the Department of Commerce a centralized clearinghouse of cybersecurity threat and vulnerability information to Federal government and private sector owned critical infrastructure information systems and networks.
  • Report to the House Committee on Science and Technology on the feasibility of creating a market for cybersecurity risk management and requiring cybersecurity to be a factor in all bond ratings.
  • Comprehensive review and report of the Federal statutory and legal framework applicable to cyber-related activities in the United States.
  • Report on the feasibility of an identity management and authentication program, with appropriate civil liberties and privacy protection, for government and critical infrastructure information systems and networks.
  • Have the President create and implement a comprehensive national cybersecurity strategy including the power to shut down networks in the event of an emergency.
  • Quadrennial review of the cyber posture of the United States.
  • Annual assessment of, and report on, cybersecurity threats by the Director of National Intelligence and the Secretary of Commerce.
  • Direct the President to work with foreign governments to establish norms and other activities to improve cybersecurity on a global basis.

While the bill satisfies calls for a national strategy on cybersecurity and stronger leadership to ensure security proposals are implemented effectively, there are concerns about whether greater government control over computer software and internet services will harm both security and privacy and what its effects on innovation will be.

Other experts question why the Department of Commerce, rather than the Department of Homeland Security, is given such a large role, and whether this will lead to inefficiencies.

Privacy advocates are unhappy that the bill would grant the Commerce Department the ability to override privacy laws to access information about Internet usage in connection with its role in tracking cybersecurity threats.

Another concern is the power the bill gives to the President to shut down networks in an emergency. Also absent is any mention of end-of-life precautions for network and system hardware.

The bill has been prepared based on recommendations by the Center for Strategic and International Studies and comes before a review of federal cybersecurity programs ordered by President Obama has been presented.

