The following text is copyright 2009 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Yet another government attempt at cybersecurity
By Scott Bradner
The timing of two new cybersecurity bills just introduced in the US Senate by Senators John D. Rockefeller, IV (D-WV), Olympia Snowe (R-ME) and Bill Nelson (D-FL) seems a bit funny. It is not so much that they were introduced on April Fools' Day; more importantly, they were introduced before the wide-ranging review of US cybersecurity ordered by President Obama is completed by Melissa Hathaway. It would seem to make more sense to wait to see what Hathaway thinks is broken before submitting bills to fix it. While I expect that the bills will be changed when Hathaway reports her findings in a few weeks, the current bills are interesting and have the potential to impact just about everyone in the network or network security biz.
The first bill (S 778 (http://thomas.loc.gov/cgi-bin/query/z?c111:S.778:)) would establish an Office of National Cybersecurity Advisor within the Executive Office of the President. The second bill (S 773 (http://thomas.loc.gov/cgi-bin/query/z?c111:S.773:)), which goes by the title of "The Cybersecurity Act of 2009," covers a grab bag of topics designed to "ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications" among other things.
Some of the provisions in these bills come from the Center for Strategic and International Studies (CSIS) (http://www.csis.org/) report "Securing Cyberspace for the 44th Presidency" (www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf). But there are a lot of things in the bills, particularly S 773, which did not come from the CSIS report. Wherever the bills' provisions come from, it seems that someone who has some Internet clue was involved, at least for some of the provisions - not the norm for congressional staffers. The Washington Post also reports that White House people helped draft the bills, so maybe there is Internet clue there as well.
There has been some controversy over two of the provisions in S 773. One provision would empower the President to declare a "cybersecurity emergency" and shut down Government networks and, maybe, parts of the public Internet. The other provision says that the Secretary of Commerce "shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access." Some pundits have read this to mean that the government could wiretap any Internet communications, but the drafters could have just meant that a network operator could not hide its network design or performance from the government. This will have to be clarified during the legislative process.
Some of the other provisions in S 773:
o establish a cybersecurity advisory panel to advise the President on US cybersecurity and "whether societal and civil liberty concerns are adequately addressed";
o ask NIST to quickly "establish measurable and auditable cybersecurity standards" in a number of areas for US government and other networks - including compliance standards for all software;
o "integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals" that includes, within 3 years, mandatory licensing for cybersecurity professionals if they want to be engaged in business in the US - I wonder if that means I will have to get a license to keep working as the Technology Security guy at Harvard;
o implement a secure domain name addressing system;
o educate the public about cybersecurity;
o provide grants for cybersecurity research (lots of money) and support for students;
o figure out if cybersecurity insurance for companies would be a good idea; and
o have the President "develop and implement a comprehensive national cybersecurity strategy" within a year - seems a touch quick to me.
The provisions apply to US governmental networks and to networks or systems designated by the President as a "critical infrastructure system or network" without defining any criteria for such a determination. It's not hard to see all major Internet providers being so designated.
These bills, if passed as is, could impact just about everybody in the Internet or Internet services business in the US - maybe that is what is needed to get all of the players to pay attention to security.
It appears Harvard would not escape the requirements, or, hopefully, the money, in these proposals but the University has not commented on them so the above is my own review.