A revised draft of the Rockefeller-Snowe cybersecurity legislation released last week removes the so-called "kill switch" that gives the president the authority to shut down the Internet in the event of a massive cyberattack.
Cybersecurity Act of 2010 ( S. 773), however, retains licensing and certification provisions making it clear that it will not authorize an expansion of existing presidential authorities.
Cybersecurity has gained additional prominence in the past year due to increased cybercrime, threats to critical infrastructure and the Google Aurora cyberattacks. "This 21st century threat calls for a robust 21st century response from our government, our private sector and our citizens," Rockefeller said in a statement released last Wednesday. "Private companies and the government must work together to protect our nation, our networks and our way of life from the growing cyberthreat."
The revised Cybersecurity Act describes a closer partnership between the federal government and the private sector on cybersecurity compliance. The bill also identifies the institution that will be in charge of establishing and certifying cybersecurity standards.
Concerns about the ability of the United States to effectively respond to cybersecurity threats have been voiced at the highest level of the intelligence community. Testifying before the U.S. Senate Committee on Commerce, Mike McConnell, the former director of both the National Security Agency and national intelligence, said that if the U.S. were engaged in a cyberwar today, it would lose.
"We're the most vulnerable, we're the most connected, we have the most to lose," McConnell said.
There are two new provisions in the update, namely the "collaborative designation of critical infrastructure information systems" and "private-sector access to classified information." The first provision creates a process by which public cybersecurity officials and federal agencies could designate specific IT systems, if disrupted or destroyed, that would threaten national strategic interests. The second allows the government to grant key IT professionals in the private sector security clearances allowing them to access classified intelligence on cybersecurity threats.
The revised bill would also establish a Senate-confirmed office responsible for cybersecurity, replacing the role of cybersecurity coordinator. President Barack Obama appointed Howard Schmidt to that position in December.
The new draft of the Cybersecurity Act reflects recommendations from the information security private sector, electronic privacy advocates and government officials. "It's shaping up to be a reasonable bill," wrote Greg Garcia, former assistant secretary for Cybersecurity and Communications, in an email statement. "They're doing their homework."
New details on cybersecurity certification
Alan Paller, director of research at The SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group, said he was enthusiastic about the new draft of the bill, particularly regarding education. "The main thing that will come out of this, including the study they're asking the National Academy of Sciences to do, will be defining the minimum required to do the cybersecurity profession," he said.
There is now specific language in the Cybersecurity Act about colleges teaching secure coding, Paller said. In fact, he added, testimony offered last month before the Senate Committee on Commerce by Mary Ann Davidson, Oracle Corp.'s CISO, could have a significant impact on the cybersecurity field.
The new draft addresses cybersecurity licensing issues to the point where it makes the bill "implementable", according to Paller. He added that he believes the National Academy of Science Committee will create a standard where categories can be created quickly.
"I think something like the National Board of Medical Examiners might be created for cybersecurity. The proposed rule for having to do a year of study will put the infrastructure in place. And if you define those standards at the National Academy, they can move forward," he said.
In testimony before Congress in October, U.S. CIO Vivek Kundra said the Obama administration will launch a cybersecurity dashboard in the first part of 2010.The new draft of the Cybersecurity Act of 2010 includes language about the federal cybersecurity dashboard, which in turn may change the way that FISMA compliance is viewed.
"The dashboard is really valuable because it's the vehicle that OMB [the Office of Management and Budget] will use to transform federal cybersecurity management -- and I don't mean make look it pretty," said Paller. "It will change from static reporting to more real-time reporting."
Reactions to the new draft within the information security community and industry range from guarded support to standard skepticism concerning the federal government's ability to deliver on needed reforms. The National Cable & Telecommunications Association praised the Rockefeller-Snowe bill.
"To date, Washington has not provided cybersecurity direction to the degree it could have," said Ben Rothke, a CISSP and senior security consultant with a major professional services firm. "Efforts such as FISMA, Sarbanes-Oxley, HIPAA and others have done little to prevent the epidemic of data compromise, identify theft, espionage and more."
Rothke said he sees the current draft of the Cybersecurity Act of 2010 as somewhat different. He said the act identifies the key issues and provides a long-term goal of creating a secure cyberinfrastructure. He added that he believes the act would create a large number of security jobs and new certification and accreditation firms and generate revenue for vendors.
"Will it improve security?" he said. "Ask me in 2020, which is when the effects of this bill will truly be seen."Cyber Security Act of 2010 Bill Summary