Proposed Senate Bill 773, also known as the Cybersecurity Act of 2009, has received quite a bit of attention for its Internet "kill switch" proposal, which would give the president the authority to shut down the Internet in the event of a massive cyberattack.
That radical proposal makes up only a small portion of the bill, however. The rest covers areas that no one is talking about much: a raft of new federal security standards and certification and licensing requirements that could have major impacts on businesses and security professionals.
The bill, introduced April 1 by Sen. John D. Rockefeller IV (D-W. Va.) and Sen. Olympia Snowe (R-Maine), seeks to establish a Cybersecurity Advisory Panel, a "real-time cybersecurity dashboard" and regional cybersecurity centers that would oversee the "promotion and implementation of cybersecurity standards" as well as facilitate certifications and licensing of security professionals in the new standards.
Some experts contend that while the bill has some good ideas, many of them would be overkill and difficult to implement.
"This is one piece of legislation that has got more [required] reports in it pound for pound than any piece of legislation I've read in quite a long time," said Lynn McNulty, director of government affairs for (ISC)², a nonprofit security certification organization. "Congress is trying to galvanize the executive branch into some action."
The standards would be under the control of the National Institute of Standards and Technology (NIST), which already has established a number of technology and security standards, including the Federal Information Security Management Act (FISMA). NIST is under the Commerce Dept., and the Senate Commerce Committee is chaired by Rockefeller.
The bill is being debated as other branches of the government, in particular the National Security Agency and the Dept. of Homeland Security, are debating over who should run cybersecurity efforts in the U.S. But clearly President Barack Obama's administration and the 111th Congress are making sure there is more accountability around cybersecurity than the previous administration, experts say.
"Obama ... has effectively taken concrete steps such that if and when breaches occur, like the one recently found in the power grid, he will have a clear trail of action at least to show he has been taking steps to implement controls," said consultant Sarah Cortes of Inman Technology IT in Cambridge, Mass. "What is unique about this area of legislation is that technology and tools are changing and developing far more rapidly than the government is used to dealing with, and I believe a new method for dealing with it will evolve, a sort of legislative/business method for governing security areas that we have not as yet seen."
The potential for overlap between new and existing security standards concerns some authorities, who say that there are already adequate standards and practices spelled out by NIST. Those standards just need to be put to use and enforced.
"You already have FISMA. That mandates what government agencies must be doing," said regulatory expert Paul Reymann, CEO of ReymannGroup Inc., who was a co-author of Section 501 of the Gramm-Leach-Bliley Act data protection regulation. "Whether it comes from the Commerce Department or a presidential order, the capabilities are there [to enforce existing standards.] You don't use a hammer when you need a screwdriver."
This is one piece of legislation that has got more [required] reports in it pound for pound than any piece of legislation I've read in quite a long time.
Lynn McNulty, director of government affairs, (ISC)²
The bill stipulates that the Department of Commerce would put a licensing and certification program into place within one year of the bill's passage, which would make it unlawful for anyone who is not certified to perform cybersecurity services on what is deemed "critical infrastructure." What constitutes critical infrastructure is not defined in the bill and would be left up to the president or a designee.
"Licensing for doctors, for medical people, for attorneys in this country is done through the state government level, not at the federal level," McNulty said. "The government encourages people to get certified on their own volition. That's one thing, but it's another thing to talk about mandatory certification and a licensing agreement on top of that. It will be very difficult to implement in a timely matter and you're going to see a lot of push back on that from professional groups."
Reymann said the certification process would be pushed to the regional centers. He said he expects such centers would be made up of nonprofit entities, "which makes me nervous because they are on shoestring budgets. NIST, on the other hand, has a good reputation and has been on the forefront of putting out good standards, data security practices and certifications."
Many experts worry that new regulations will put additional financial and training burdens on smaller companies that already are straining under the weight of compliance regulations like the HIPAA, the Sarbanes-Oxley Act and PCI DSS. "Don't penalize people, especially SMBs," with more compliance, Reymann said.
Reymann said he does like the provision in the bill that would call for more security enforcement to be pushed out away from businesses and onto the broadband providers and ISPs as a means for mitigating the costs of complying with the security measures. "I'm a big advocate of better security at the perimeter, and we are starting to see Sprint and Verizon do that," he said.
Regardless of the fate of Bill 773, Reymann contends that compliance really shouldn't be the endgame of any cybersecurity laws; security should be. "The difference between security and compliance is that compliance does not guarantee security, but security done right can give you good compliance," he said.
As for the kill-switch provision, it's unlikely it will be passed as it is now written. "Shutting down the Internet [is] another way to say shutting down the economy," Reymann said. "Do we want to do that, and how do you start it back up again?"
Let us know what you think about the story; email Scot Petersen, Executive Editor.