What Will the Cybersecurity Act of 2009 Do to Your Job and Business?

By Larry Seltzer  |  Posted 2009-04-10 Print this article Print

Further analysis of the proposed Cybersecurity Act of 2009 raises more questions than it answers. Many parts of the cyber-security bill represent good ideas, some set up security patronage work and some create vast new systems of rules for how security professionals can do their jobs.

Not long after I wrote my column on the proposed cyber-security bills in the Senate,  the actual text of the legislation became available. As I wrote at the time, my analysis was based on various other materials about the bill made public by the Commerce Committee and sponsoring senators.

Now the text is available in many places, including OpenCongress:

  • S. 773: Cybersecurity Act of 2009

  • S. 778: To establish, within the Executive Office of the President, the Office of the National Cybersecurity Advisor.

S.778 is short and to the point: the national cybersecurity advisor is an assistant to the president, subject to confirmation by the Senate, has specific duties with respect to advising the president and approval of cyber-security budget items, and has security clearance in relevant matters.

S.773 is where the meat is. It starts out with a collection of provocative quotes from reports and consultants on how vulnerable we are, which is undoubtedly true, although there is the usual hysteria in there with references to 9/11 and a "cyber-Katrina," whatever that is.

The main thing I looked for at first was some guidance about what networks and systems would be subject to oversight by this act. The press materials only referred to government networks and "critical infrastructure" with some examples, but no real definition. No doubt by sheer coincidence, a story in the Wall Street Journal last week asserted (with anonymous quotes but no actual facts) that the U.S. power grid had been hacked by "foreign spies."

The security of such systems, and generally of "SCADA" systems, even if they are privately held, is certainly a national security matter. Concern over this problem is hardly new, nor are vague, unsubstantiated and impossible-to-investigate rumors about it.

What else might qualify for control by the federal government under this bill? Here is the language:

State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

So we won't know what it is until the president says. He can designate bank networks, perhaps critical common carriers, or whatever else he thinks is critical. Then, in the event of "cyber-attack," he can order those shut off or disconnected. I think Congress owes it to us to put a more solid definition in the bill so that it can be discussed in hearings, on the record, rather than letting the president decide unilaterally.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel