The Senate Commerce Committee introduced two new bills yesterday (S. 773 and S. 778), both of which are aimed at improving the nation's cybersecurity by establishing new oversight guidelines, creating a cybersecurity position in the Executive Office of the President (EOP), creating new cybersecurity tools, investing in cybersecurity training, providing funding and assistance to small and medium businesses, improving the communication between the federal government and businesses, and reporting on the creation of a market for cybersecurity risk management as well as identity management and authentication programs. The Senate Commerce Committee has acknowledged that these bills include some complex provisions that will be refined in the debate going forward and has invited comments.
S. 778, introduced by Senators John D. Rockefeller (D-W.Va.), Olympia J. Snowe (R-Maine) and Bill Nelson (D-Fla.), creates an "Office of the National Cybersecurity Advisor" ("NCA") within the EOP. The NCA would serve as the lead official on all cybersecurity matters, coordinate with intelligence agencies, and act as a liaison to civilian agencies as well. Importantly, the bill proposes that the NCA must review all cybersecurity-related budgets and may assign to the head of any relevant federal department the performance of duties incidental to the administration of cybersecurity-related laws. Such a position within the EOP addresses concerns raised by numerous commentators that prior so-called "cyber czars" had much responsibility, but no authority.
S. 773, also introduced by Rockefeller, Snowe and Nelson, contains both operational and strategic provisions that address perceived shortcomings in the current distributed approach to cybersecurity within the federal government. For example, Section 3 of the bill provides for the establishment of a "Cybersecurity Advisory Panel" consisting of experts from industry, academia, and non-profit advocacy organizations to advise the President on cybersecurity matters. This provision begins to fill the long-felt need for greater information sharing between the federal government and the private sector.
One interesting provision in Section 18 provides the President with the power to order "the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security." This provision has already generated some controversy, since most of the critical infrastructure systems are in the hands of the private sector. Another provision generating some controversy is Section 14, which establishes within the Department of Commerce a "clearinghouse of cybersecurity threats and vulnerability information" including information from both Federal and private sector owned networks. Most unusual is a provision providing the Department of Commerce with authority to compel production of "all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access."
In the area of standards, Section 22 of the bill establishes a "Federal Secure Products and Services Acquisitions Board" charged with the task of certifying that high-value products and services the federal government purchases meet security standards. In addition, the bill contains a number of reporting requirements regarding cybersecurity from the Director of National Intelligence, the Secretary of Commerce, and a quadrennial cyber review directed by the President.
The bill requires the Department of Commerce and the President to create standards and tools to aid the federal government in assessing cybersecurity threats. Section 4 requires the Secretary of Commerce to create a "Cybersecurity Dashboard" to monitor and report on the status and vulnerability of all federal information systems and networks within the Department of Commerce. In addition, Section 6 directs the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards for all federal government, contractor, and critical infrastructure networks.
Section 17 calls for a review of identity management and authentication programs, balanced with "civil liberties and privacy protections." In addition, the bill calls for a report from the President regarding how to create a market for cybersecurity risk management, including civil liability and government insurance. Section 16 of the bill requires a comprehensive review of the statutory and legal framework applicable to cyberspace.
The bill also provides funding for programs to assist businesses, increase awareness, and train cybersecurity professionals. Section 5 creates state and regional cybersecurity centers to provide technical knowledge and assistance to small business. Further, Section 10 directs the Secretary of Commerce to initiate a cybersecurity awareness campaign. To increase the number of qualified cybersecurity professionals and improve technology, Section 12 provides increased funding for cybersecurity research and scholarship for service programs to attract individuals to the field. Section 7 also calls on the President to create a standardized, nationwide licensing program for cybersecurity professionals and, three years after the licensing program is established, makes it unlawful for unlicensed professionals to work on federal systems.
Section 9 calls on the President to develop a strategy to implement a secure domain name addressing system. The bill contains related provisions in Section 8 requiring the Cybersecurity Advisory Panel to review the federal government's contracts with ICANN, and requiring the President to develop international standards and techniques for improving cybersecurity.
Finally, Section 18 directs the President to develop an overarching strategy for cybersecurity. Under the proposed bill, within a year after the date of enactment, the President must develop a national cybersecurity strategy that provides a long-term vision of the nation's cybersecurity future and a plan that encompasses "all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers."