On April 1, 2009, a bill known as the "Cybersecurity Act of 2009", intended to ensure the free flow of commerce within the United States, was introduced in the US Senate. (See the PDF draft here.) It's important that our nation gets working on this critical issue now, so I reviewed the working draft and thought I'd summarize it and note some interesting passages.
- Cybersecurity oversight of government networks, the Internet, and cybersecurity research would fall under the Secretary of Commerce;
- Roles and responsibilities involve other agencies such as ODNI, NIST, FCC, and NSF;
- Three years of funding, then, after a review/evaluation, the potential for continued funding;
- Establishes state and regional cybersecurity centers, tasking them with securing small- and medium-sized businesses;
- Requires providing security for the FCC's national broadband initiative;
- Establishes a private-public sector clearinghouse for vulnerability information;
- Studies the feasibility of cybersecurity insurance;
- Taps NIST as the standards body for all cybersecurity-related standards;
- Provides the President with the power to disconnect the Internet in a cybersecurity emergency or in the interest of national security.
Various interesting passages...
Section 3 - Cybersecurity Advisory Panel.
DUTIES.—The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess—
(1) trends and developments in cybersecurity science research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the balance among the components of the national strategy, including funding for program components;
(5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;
(6) the management, coordination, implementation, and activities of the strategy; and
(7) whether societal and civil liberty concerns are adequately addressed.
REPORTS.—The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.
I have a problem with that frequency; at a minimum it needs to be twice a year.
Section 4 - Real-time Cybersecurity Dashboard.
The Secretary of Commerce shall— (1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal government information systems and networks managed by the Department of Commerce; and (2) implement the plan within 1 year after the date of enactment of this Act.
Wow, is this aggressive for this large of an undertaking.
Section 5 - State and Regional Cybersecurity Enhancement Program.
The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards.
The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States...
What do they mean by "enhance"? To what extent will these new regional centers assist SMBs with their security?
ACTIVITIES.—The [Regional Cybersecurity] Centers shall—
(1) disseminate cybersecurity technologies, standards, and processes based on research by the Institute for the purpose of demonstrations and technology transfer;
(2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies...
Where's NIST? Are they going to be folded into this new center? Ah, later in the document, in section 6, NIST is mentioned...
Section 6 - NIST standards development and compliance.
National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal government, government contractor, or grantee critical infrastructure information systems and networks...
Does NIST not already do this? Maybe this is giving them teeth, which is a great thing.
The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks.
This will touch the private sector in a very big way, since something like 75% of all of the critical infrastructure is run by that sector.
...[NIST] shall be responsible for United States representation in all international standards development related to cybersecurity...
(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.
So what exactly does that mean? Maybe requiring firewalls and other controls, which would help mitigate some of the network worms.
(e) FCC NATIONAL BROADBAND PLAN.—In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.
Section 9 - Secure domain name addressing system.
...develop a strategy to implement a secure domain name addressing system.
Section 10 - Promoting cybersecurity awareness.
...develop and implement a national cybersecurity awareness campaign...
Good, good.
Section 11 - Federal cybersecurity research and development.
(b) Secure Coding Research...Interesting.
(c) Assessment of Secure Coding Education in Colleges and Universities
Section 14 - Public-private clearinghouse.
...The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to the Federal government and private sector owned critical infrastructure information systems and networks.
Section 15 - Cybersecurity risk management report.
In section 15 they talk about conducting a feasibility study of creating a market for cybersecurity risk management, including civil liability and insurance.
Section 18 - Cybersecurity responsibilities and authority.
This is the section that has several people concerned and upset. It essentially provides for the President to declare a cybersecurity emergency and shut down the Internet. There's also a provision which allows him to disconnect any system or network in the interest of national security. This authority extends to Internet connections into Federal offices as well as any US critical infrastructure information system or network. This is intriguing because a majority of the infrastructure defined as "critical" by the US Government is owned and operated by the private sector. This bill would grant the President the power to shut down private sector systems and networks.
This section also requires mapping of Federal systems and networks. Good idea; I wonder how long it will take, though.
Section 30 - Joint intelligence threat assessment.
This section requires the Director of National Intelligence and the Secretary of Commerce to submit to Congress an annual assessment on cybersecurity threats.
What's interesting in all this is that neither DHS nor NSA is mentioned in this bill. Just recently the Director of National Intelligence testified in front of Congress that the NSA should be in charge of cybersecurity. And a few weeks ago the director of DHS's NCSD resigned over concerns about the move of cybersecurity from DHS to under the NSA.
What will happen to all the initiatives currently underway at DHS and NSA? Will they be folded into this new organization, or directed by this organization yet still reside in their respective agencies? What about DOD's cybersecurity efforts?
All I want is for them to get it right organization-wise and start working to address the country's cybersecurity shortcomings - ASAP.