Oak Street Blog

Following the action as Federal Cybersecurity requirements start falling into place. Researched and assembled by Mary Fetherolf, President, Oak Street Associates, Inc.

Wednesday, April 29, 2009

 

Overview: Cybersecurity Act of 2009 - Introduced April 1, 2009

Assembled, but not written, by Mary Fetherolf.
Official Bill Title
A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
Sponsorship
Sen. John Rockefeller [D, WV]
and 3 Co-Sponsors
Sen. Evan Bayh [D, IN]
Sen. Bill Nelson [D, FL]
Sen. Olympia Snowe [R, ME]
Apr 01, 2009: Read twice and referred to the Committee on Commerce, Science, and Transportation.
Introduced on Apr 01, 2009.
Content of the Bill
· Bill text: http://cdt.org/security/CYBERSEC4.pdf
· 2009 Cybersecurity Act would require a complete threat assessment — not just for government systems, but also for private corporations that own 80 percent of the nation’s critical infrastructure. Those corporations would also have to follow federal security standards.
· Directs the president to create an advisory panel, with specialists from the private and public sectors, to offer cybersecurity guidance.
· The bill is one of two introduced last week by Sens. John Rockefeller, D-W.Va., and Olympia Snowe, R-Maine. The other would create a position, the national cybersecurity adviser, within the Executive Office of the President.
· President Barack Obama has already promised to appoint a cybersecurity adviser; the bill would make that a Senate-confirmed position.
· Requires a quadrennial cybersecurity review, similar to the Defense Department’s Quadrennial Defense Review
· Envisions a public-private clearinghouse to share standards, and requires the president to choose one agency to respond to cyberattacks[1]
· The President would have the authority to declare a “cybersecurity emergency.”[2]
Commentary
It’s unclear how industry will respond to the bill, though, since it effectively allows the federal government to shut down private computer networks.
“The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy,” said Leslie Harris, CEO of the Center for Democracy and Technology, an industry group.
Industry groups say the bill doesn’t provide enough detail on what is considered “critical infrastructure.” Rockefeller and Snowe have promised to solicit public opinion and then revise the bill.
Critics also say imposing uniform standards on computer networks could be counterproductive: Hackers who find a way around the government’s defenses would have unfettered access to critical networks.
Paller was critical of the big role the bill gives the National Institute of Standards and Technology. NIST would be in charge of setting standards for the government and the private sector. But many experts have been critical of the agency, saying its current cybersecurity guidance isn’t based on data about actual attacks.
“NIST doesn’t have current attack and threat knowledge,” Paller said. “If you allow them to do the threat standards, you’re going to be defending against the wrong thing.” A spokesman for NIST said the agency was familiar with the bill but could not comment on pending legislation. Lewis defended the agency and said there would be a learning curve for any agency tasked with creating nationwide standards.
Lawmakers briefed on the review told reporters that it will recommend coordinating cybersecurity through the White House and increased staffing for the Office of Management and Budget, which oversees the governmentwide implementation of that policy.
[1] This is a tangent to another story, with NSA lobbying for chief responsibility for cybersecurity of federal government offices.
[2] Hence the fears of some that the President would have the power to “shut down the Internet.”
