What Will the Cybersecurity Act of 2009 Do to Your Job and Business? - Key Points in the Cybersecurity Act (Page 2 of 2)
Many of the items in the bill, such as the advisory panel, the state and
regional "enhancement program" to raise awareness of cyber-security,
and the R&D program, are at worst wastes of money. The fact that some of
this money is to be distributed regionally tells me that it will be as
well-thought-out as homeland security money, much of which goes to areas with
no real homeland security problems. Here are the other parts of the bill that
caught my eye:
SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE—The basic idea in this long section is that security is too much
art and opinion and not enough hard science and engineering, and that
"measurable and auditable" standards should exist for all decision
making in the field. The bill tasks NIST (National Institute of Standards and
Technology) with this job. The standards it calls for would cover metrics for the actual security of
a software system, the economic impact and effectiveness of security controls, a
computer-readable standard for describing configurations, definitions of secure
standard configurations of systems, and a vulnerability specification language.
Conformance with all these standards would be required of all systems and
networks covered under the act, as discussed a few paragraphs up.
As I already said, much of this work has been done or is in the process of
being done. For instance, CVE is already a common naming scheme for vulnerabilities, and
the closest thing to a vulnerability specification language and a
computer-readable configuration format already exists in OVAL and the rest of SCAP; the Federal
Desktop Core Configuration has been ongoing for some time. But most of the
standards ideas in this section seem impossible to me. Any standard that defines
something as controversial and complex as the security of a system, or the economic
impact of a security control, is going to be unwieldy.
SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS— I'll include the complete
text of this section:
(a) IN GENERAL. Within 1 year after the date of enactment
of this Act, the Secretary of Commerce shall develop or coordinate and
integrate a national licensing, certification, and periodic recertification
program for cybersecurity professionals.
(b) MANDATORY LICENSING. Beginning 3 years after the date of enactment of this
Act, it shall be unlawful for any individual to engage in business in the
United States, or to be employed in the United States, as a provider of
cybersecurity services to any Federal agency or an information system or
network designated by the President, or the President’s designee, as a critical
infrastructure information system or network, who is not licensed and certified
under the program.
The real impact of this will depend on how broad a definition of
"critical infrastructure" the president chooses, but the impact on IT
professionals could be immense. A very large number of you (that means you,
readers) will be required to take a course and pass a test, perhaps every few
years, or it will be illegal for you to do your job. How do you feel about
that?
SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS—This section gives the advisory
panel created by the act veto power over decisions made by the Assistant
Secretary of Commerce for Communications and Information with respect to
renewal or modification of the IANA (Internet Assigned Numbers Authority) contract,
which covers, among other things, management of the DNS (Domain Name System) root zone. No objections here; someone
should be reviewing it. It's better that they get to review the decision than
to make it.
SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM—Within three years after
enactment, the aforementioned assistant secretary will formulate a plan to
implement DNSSEC, and all systems and networks covered under the act will
implement it on a schedule set by the assistant secretary. (The bill doesn't
actually say "DNSSEC," but it's clear that's what is meant.) I like
the idea in general, but gulp! That's a major undertaking to mandate: every covered zone
has to be signed and its keys rolled on schedule, and every covered resolver has to validate.
It's an inconsiderate thing to mandate without funding. This will be highly disruptive,
which isn't necessarily a reason not to do it.
But a better question to ask about this last provision is, Why is the
assistant secretary of commerce in charge of it instead of the national
cybersecurity advisor? In fact there is no mention of the NCA in this act,
presumably because that office is created by a separate bill, which is not yet law. Why are they separate acts? The next section I
discuss shows how this text could have been written better.
SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT—
Within 1 year after the date of
enactment of this Act, the President, or the President’s designee, shall
review, and report to Congress, on the feasibility of an identity management
and authentication program, with the appropriate civil liberties and privacy
protections, for government and critical infrastructure information systems and
networks.
This raises the possibility of a national digital
ID. We have avoided a formal national ID card for exactly the sort of civil
liberties problems to which the text of the act alludes. Fortunately, all this
part of the act does is authorize a study. It's not as if there are no good
arguments for it, but the rest of the act doesn't put me in a mood to
trust the government with it, given the arguments against.
That covers the really interesting parts, as I see them. I do recommend
reading the other parts of the act. It's really not that long. It's indisputable
that some agency of the federal government should be paying attention to the
security of government and other critical networks. I think it's also
indisputable that the reach of this bill is excessive. So get involved when the
action heats up on this bill and the future of your job and your industry is
decided by a few hundred lawyers.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack.