Senators introduce bill to federalize cybersecurity

A new bill would create a "cybersecurity czar" who would oversee the …

With President Obama's 60-day comprehensive review of US cybersecurity still underway, Sens. Jay Rockefeller (D-WV) and Olympia Snowe (R-ME) on Wednesday introduced sweeping legislation that would establish a cybersecurity "czar" within the White House and bring both governmental and private sector "critical infrastructure" under a unified regulatory regime.

The "czar"—more precisely, an Office of the National Cybersecurity Advisor within the White House—is established in a separate short-but-sweet bill running a mere three pages. It specifies that the post will be subject to Senate confirmation, and it gives the cybersecurity advisor a backstage pass to all of the federal government's cyber-related "special access programs," a designation given to highly secret initiatives.

Most of the action is in the much longer Cybersecurity Act of 2009. In case a lone cybersecurity advisor doesn't seem like enough, that legislation provides for the creation of a cybersecurity advisory panel to be staffed by stakeholders from the governmental, private, academic, and nonprofit sectors.

The bill establishes a dizzying array of programs, administered by a variety of agencies, over the course of its 51 pages. Perhaps most significantly, the bill tasks the National Institute of Standards and Technology with developing a set of security standards and vulnerability tests that will apply to any information networks or software used by federal agencies and contractors—but also by any private entity designated as "critical infrastructure" by the President. The President is also empowered to order the disconnection of any federal or private critical infrastructure network, either during a "cybersecurity emergency" or for reasons of national security more broadly.

The "findings" section of the bill, which details the potential consequences of a successful cyberattack against the United States, suggests that likely candidates for the "critical infrastructure" designation include financial service providers, power and transportation networks, medical services—and quite possibly any industry seen as economically significant enough to make an attractive target.

While NIST works on developing those standards, the Federal Communications Commission is directed to make securing commercial broadband networks a priority under the national broadband plan the agency will put together pursuant to the recent stimulus bill.

The statute also creates a licensing scheme, to be administered by the Department of Commerce, for cybersecurity professionals who do work for the government or critical infrastructure networks. Starting three years from the bill's passage, anyone who acts as a "provider of cybersecurity services" to any of those entities will need government certification.

Barack Obama's new Chief Information Officer, Vivek Kundra, will apparently have a role to play as well. The Office of Management and Budget, where Kundra resides, is to work with the Commerce Department to create a "cybersecurity dashboard," a comprehensive real-time status monitor for all federal information networks managed by Commerce.