Senate Legislation Would Federalize Cybersecurity
Rules for Private Networks Also Proposed
By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04
Key lawmakers are pushing to dramatically escalate U.S. defenses against
cyberattacks, crafting proposals that would empower the government to set and
enforce security standards for private industry for the first time.
The proposals, in Senate legislation that could be introduced as early as today,
would broaden the focus of the government's cybersecurity efforts to include not
only military networks but also private systems that control essentials such as
electricity and water distribution. At the same time, the bill would add
regulatory teeth to ensure industry compliance with the rules, congressional
officials familiar with the plan said yesterday.
Addressing what intelligence officials describe as a gaping vulnerability, the
legislation also calls for the appointment of a White House cybersecurity "czar"
with unprecedented authority to shut down computer networks, including private
ones, if a cyberattack is underway, the officials said.
How industry groups will respond is unclear. Jim Dempsey, vice president for
public policy at the Center for Democracy and Technology, which represents
private companies and civil liberties advocates, said that mandatory standards
have long been the "third rail of cybersecurity policy." Dempsey said regulation
could also stifle creativity by forcing companies to adopt a uniform approach.
The legislation, co-sponsored by Senate Commerce Committee Chairman John D.
Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with
White House input. Although the White House indicated it supported some key
concepts of the bill, there has been no official endorsement.
Many of the proposals were based on recommendations of a landmark study last
year by the Center for Strategic and International Studies.
Currently, government responsibility for cybersecurity is split: The Pentagon
and the National Security Agency safeguard military networks, while the
Department of Homeland Security provides assistance to private networks.
Previous cybersecurity initiatives have largely concentrated on reducing the
vulnerability of government and military computers to hackers.
A 60-day federal review of the nation's defenses against computer-based attacks
is underway, and the administration has signaled its intention to incorporate
private industry into those defenses in an unprecedented way.
"People say this is a military or intelligence concern, but it's a lot more than
that," Rockefeller, a former intelligence committee chairman, said in an
interview. "It suddenly gets into the realm of traffic lights and rail networks
and water and electricity."
U.S. intelligence officials have warned that a sustained attack on private
computer networks could cause widespread social and economic havoc, possibly
shutting down or compromising systems used by banks, utilities, transportation
companies and others.
The Rockefeller-Snowe measure would create the Office of the National
Cybersecurity Adviser, whose leader would report directly to the president and
would coordinate defense efforts across government agencies. It would require
the National Institute of Standards and Technology to establish "measurable and
auditable cybersecurity standards" that would apply to private companies as well
as the government. It also would require licensing and certification of
cybersecurity professionals.
The proposal would also mandate an ongoing, quadrennial review of the nation's
cyberdefenses. "It's not a problem that will ever be completely solved,"
Rockefeller said. "You have to keep making higher walls."
Last week, Director of National Intelligence Dennis C. Blair told reporters that
one agency should oversee cybersecurity for government and for the private
sector. He added that the NSA should be central to the effort.
"The taxpayers of this country have spent enormous sums developing a world-class
capability at the National Security Agency on cyber," he said.
Blair acknowledged there will be privacy concerns about centralizing
cybersecurity, and he said the program should be designed in a way that gives
Americans confidence that it is "not being used to gather private information."
And we can trust the government to protect us against cyberthreats; just look what they've done to protect us against any harm from the economy that they destroyed: http://www.samhsa.gov/economy/
Bill Would Grant President Unprecedented Cyber-security Powers
By Roy Mark
2009-04-02
The Cybersecurity Act of 2009 introduced in the Senate would allow the president
to shut down private Internet networks. The legislation also calls for the
government to have the authority to demand security data from private networks
without regard to any provision of law, regulation, rule or policy restricting
such access.
The headlines were all about creating a national cyber-security czar reporting
directly to the president, but the Cybersecurity Act of 2009 introduced April 1
in the U.S. Senate would also give the president unprecedented authority over
private-sector Internet services, applications and software.
According to the bill's language, the president would have broad authority to
designate various private networks as a "critical infrastructure system or
network" and, with no other review, "may declare a cyber-security emergency and
order the limitation or shutdown of Internet traffic to and from" the designated
private-sector system or network.
The 51-page bill does not define what private sector networks would be
considered critical to the nation's security, but the Center for Democracy and
Technology fears it could include communications networks in addition to the
more traditional security concerns over the financial and transportation
networks and the electrical grid.
"I'd be very surprised if it doesn't include communications systems, which are
certainly critical infrastructure," CDT General Counsel Greg Nojeim told eWEEK.
"The president would decide not only what is critical infrastructure but also
what is an emergency."
The bill would also impose mandates for designated private networks and systems,
including standardized security software, testing, licensing and certification
of cyber-security professionals.
"Requiring firms to get government approval for new software would hamper
innovation and would have a negative effect on security," Nojeim said. "If
everyone builds to the same standard and the bad guys know those standards it
makes it easier for the bad guys."
The legislation also calls for a public-private clearinghouse for cyber-threats
and vulnerability information under Department of Commerce authority. The
Secretary of Commerce would have the authority to access "all relevant data
concerning such networks without regard to any provision of law, regulation,
rule or policy restricting such access."
In another section of the bill, though, the president is required to report to
Congress on the feasibility of an identity management and authentication program
"with appropriate civil liberties and privacy protections."
Nojeim complained the bill is "not only vague but also broad. Its very broad
language is intended to confer broad powers." Nojeim also speculated that the
bill's vague language and authority may prove to be powerful incentive for the
private sector to improve its cyber-security measures.
"The bill will encourage private-sector solutions to make the more troubling
sections of the bill unnecessary," he said.
According to a number of media reports, the bill was crafted with the
cooperation of the White House. The legislation aims to create a fully
integrated, coordinated public-private partnership on cyber-security in addition
to pushing for innovation and creativity in cyber-security solutions.
"We must protect our critical infrastructure at all costs—from our water to our
electricity, to banking, traffic lights and electronic health records—the list
goes on," Sen. Jay Rockefeller (D-W.Va.), bill co-sponsor, said in a statement.
"It's an understatement to say that cyber-security is one of the most important
issues we face; the increasingly connected nature of our lives only amplifies
our vulnerability to cyber-attacks and we must act now."
Fellow co-sponsor Sen. Olympia Snowe (R-Maine) added, "America's vulnerability
to massive cyber-crime, global cyber-espionage and cyber-attacks has emerged as
one of the most urgent national security problems facing our country today.
Importantly, this legislation loosely parallels the recommendations in the CSIS
[Center for Strategic and International Studies] blue-ribbon panel report to
President Obama and has been embraced by a number of industry and government
thought leaders."
The CDT's Nojeim stressed that there are a "number of good things in the bill,"
including creation of a cyber-security czar, scholarships for cyber-security
programs and collaborations between the government and the private sector. While
urging Congress to change the bill, he argued that the "problematic provisions
shouldn't crowd out the beneficial provisions of the bill."