What Will the Cybersecurity Act of 2009 Do to Your Job and Business?

Further analysis of the proposed Cybersecurity Act of 2009 raises more questions than it answers. Many parts of the cyber-security bills represent good ideas; some set up security patronage work, and some create vast new systems of rules for how security professionals can do their jobs.

Not long after I wrote my column on the proposed cyber-security bills in the Senate, the actual text of the legislation became available. As I wrote at the time, my analysis was based on various other materials about the bill made public by the Commerce Committee and sponsoring senators.

Now the text is available in many places, including OpenCongress:

S.778 is short and to the point: the national cybersecurity advisor is an assistant to the president, subject to confirmation by the Senate, has specific duties with respect to advising the president and approving cyber-security budget items, and holds the security clearances relevant to those duties.

S.773 is where the meat is. It starts out with a collection of provocative quotes from reports and consultants on how vulnerable we are, which is undoubtedly true, although there is the usual hysteria in there with references to 9/11 and a "cyber-Katrina," whatever that is.

The main thing I looked for at first was some guidance about what networks and systems would be subject to oversight by this act. The press materials only referred to government networks and "critical infrastructure" with some examples, but no real definition. No doubt by sheer coincidence, a story in the Wall Street Journal last week asserted (with anonymous quotes but no actual facts) that the U.S. power grid had been hacked by "foreign spies."

The security of such systems, and generally of "SCADA" (supervisory control and data acquisition) systems, even if they are privately held, is certainly a national security matter. Concern over this problem is hardly new, nor are vague, unsubstantiated and impossible-to-investigate rumors about it.

What else might qualify for control by the federal government under this bill? Here is the language:

"State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks."

So we won't know what it is until the president says. He can designate bank networks, perhaps critical common carriers, or whatever else he thinks is critical. Then, in the event of "cyber-attack," he can order those shut off or disconnected. I think Congress owes it to us to put a more solid definition in the bill so that it can be discussed in hearings, on the record, rather than letting the president decide unilaterally.