For a bill that has yet to have a public hearing, much less faced a single vote, the Cybersecurity Act of 2009 (S. 773) remains the most controversial technology-related legislation before the current Congress.
Introduced by Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, in April and redrafted late this summer, the bill would create a National Cybersecurity Adviser under the authority of the president to coordinate cyber-security efforts.
Rockefeller and Snowe drafted the legislation in response to years of post-9/11 complaints that neither the private sector nor government officials were doing enough to adequately protect the nation’s critical cyber-infrastructure. According to a number of reports, the senators drafted the bill after consulting with the White House.
While no one particularly objected to a cyber-czar, there were howls of protest about the details in the bill. As originally drafted, the Cybersecurity Act gave the president an Internet “kill switch” for reasons of national security or in an emergency, and the authority to designate private networks as critical infrastructure subject to cyber-security mandates, including standardized security software and testing, and licensing and certification of cyber-security professionals.
Rockefeller and Snowe retreated and redrafted.
A brief question-and-answer on the redrafted Cybersecurity Act of 2009.
Would the bill empower the president to shut down or limit Internet traffic to critical infrastructure information systems?
As the CDT (Center for Democracy and Technology) said in its analysis of the redrafted legislation: unclear. The new language dropped all references to the president’s ability to shut down the Internet. Instead, Rockefeller and Snowe granted the president the authority to declare a cyber-security emergency and to direct the “national response to the cyber-threat.”
What would be the criteria for the president declaring a cyber-emergency?
The president decides, although an immediate threat to strategic national interests is required.
Who decides what in the government and private networks is critical infrastructure?
Would the government be able to access privately held data concerning critical infrastructure networks?
As originally drafted, the bill granted the Department of Commerce the authority to serve as a clearinghouse for cyber-security threat and vulnerability information. In addition, the bill gave Commerce override authority over any law or regulation, including privacy statutes, to seize relevant threat data. In the redraft, the override authority went away, and confidentiality and privacy protections for intellectual property and proprietary data were added.
Would there be mandatory standards relating to security software?
NIST (National Institute of Standards and Technology) would establish or recognize “measurable and auditable cyber-security risk management metrics, measures and best practices detailing performance criteria, functional specifications, quality assurance or other relevant considerations” for all critical infrastructure systems. According to the CDT, this provision raises concerns that NIST could effectively impose software and network standards on the private sector.
Does the bill require licensing and/or certification for cyber-security professionals?
The bill would make it unlawful for a federal government agency or private sector infrastructure provider to use cyber-security services unless they are managed by a certified cyber-security professional. Commerce would develop plans to train cyber-security professionals.