The specific private sector systems that would be covered by the legislation could include those operated by utilities, agriculture, public health, emergency services, telecommunications, transportation, banking and chemicals.
Sen. Jay Rockefeller, Chairman of the Commerce, Science and Transportation Committee, along with Sen. Olympia Snowe and Sen. Bill Nelson, introduced a bill (S.773) on April 1, 2009, that would greatly expand federal oversight and control over information systems and networks used to support “critical infrastructures” in the interest of protecting against cyber attacks. The specific private sector systems that would be covered by the legislation are left to the discretion of the President, but could include utilities, agriculture, public health, emergency services, telecommunications, transportation, banking and chemicals.
The Cybersecurity Act of 2009 includes a number of provisions intended to heighten government and private sector vigilance against cyber attacks. The bill is prefaced by a litany of findings to the effect that the United States’ security and economic prosperity largely depend on protection of government and private sector communications systems. Examples are given of threats to these systems and the potential for a “cyber-Katrina” unless adequate steps are taken to protect these systems. The following is a summary of the bill’s key provisions, many of which are likely to stimulate debate over whether the government can adequately protect the United States’ critical infrastructure without inhibiting free enterprise and the operation of private communications networks.
As introduced, the bill includes the following actions:
- Forms a Cybersecurity Advisory Panel composed of industry experts to give cybersecurity strategy recommendations to Congress, the President and industry
- Requires the Secretary of Commerce to create a cybersecurity “dashboard,” through which the federal government could provide dynamic, real-time vulnerability information to all federal government information systems managed by the U.S. Department of Commerce
- Creates regional Cybersecurity Centers, managed by nonprofit organizations and supported with federal funding, to assist small and medium-sized businesses in understanding and deploying cybersecurity best practices and technologies
- Requires the National Institute of Standards and Technology (NIST) to establish measurable cybersecurity standards—based on risk profiles, not on the classification of a system as a national security system or as involving classified or confidential information—for all federal government agencies and critical infrastructure information systems and networks, including standards for software security, standard configurations for software used on these systems, and testing protocols for software used by the government and critical infrastructure information systems; also requires NIST to enforce the standards by requiring agencies and critical infrastructure systems to periodically demonstrate compliance
- Requires the Federal Communications Commission (FCC) to report on the most effective and efficient means of ensuring cybersecurity of commercial broadband networks as part of the national broadband plan the FCC must develop under the American Recovery and Reinvestment Act of 2009
- Makes it unlawful, beginning three years after enactment, for anyone to provide cybersecurity services to a federal agency or the operator of a critical infrastructure information system unless the individual is licensed as a cybersecurity professional by the Secretary of Commerce
- Requires the Department of Commerce to make decisions on the operation of the Internet Assigned Numbers Authority after considering the views of the Cybersecurity Advisory Panel as to the national security implications of the decision; also requires the Department of Commerce to develop a strategy to implement a secure domain name addressing system
- Directs the National Science Foundation (NSF) to give priority to computer science programs and the challenges of cybersecurity, such as supporting targeted research at colleges and universities, funding cybersecurity testbeds and awarding scholarships to students who agree to serve in the federal information technology workforce after graduation
- Directs NIST to establish competitions, with cash prizes, for students at high schools and colleges in order to stimulate innovation in cybersecurity research and to recruit talented individuals for the federal information technology workforce
- Grants authority to the Secretary of Commerce to access all relevant data concerning federal government and private sector critical infrastructure information systems and networks, without regard to any other law or regulation restricting such access
- Requires the Secretary of Commerce to develop rules on how the federal government and the private sector will share cybersecurity threat and vulnerability information
- Requires the President to undertake a thorough review of federal laws relating to communications and privacy, and make a report with recommendations to Congress
- Requires the President to develop a comprehensive cybersecurity strategy
- Authorizes the President to declare a “cybersecurity emergency” and order the limitation or shutdown of Internet traffic to or from any federal government or private sector critical infrastructure information system or network; the President may order the disconnection of any federal government or critical infrastructure information system in the interest of national security
- Establishes a Secure Products and Services Acquisitions Board to review and approve high-value products and services and to work with NIST on standards for validating software to be acquired by the federal government
In a companion bill, S.778, Senators Rockefeller, Snowe and Nelson have proposed creation of an Office of National Cybersecurity Advisor in the Executive Office of the President. The advisor would be tasked with providing recommendations to the President on administration of laws relating to cybersecurity, and would be granted access to all federal programs relating to cybersecurity. The cybersecurity “czar” would also be responsible for working with the heads of other departments and agencies to ensure compliance with cybersecurity mandates.
Both bills have been referred to the Committee on Commerce, Science and Transportation. Although no hearings or markups have been scheduled on these bills, these issues likely will assume prominence as a result of recent reports of cyber attacks on information systems operated by the federal government and the private sector. Moreover, the administration’s strong push to expand broadband deployment in the United States is also likely to increase concerns with respect to the vulnerabilities of such networks as government and the public become even more reliant on them.