Senators Unveil Long-Awaited Cybersecurity BillBill Establishes 2 Senate-Confirmed Cybersecurity Directors
The Protecting Cyberspace as a National Asset Act of 2010 - sponsored by Committee Chairman Joseph Lieberman, ranking Republican Susan Collins and Tom Carper - also would provide a framework for the president to authorize emergency measures to protect the mostly privately owned critical IT infrastructure - such as financial networks and utility grids - if a cyber attack is imminent. Owners of these critical IT systems could face civil penalties if they don't follow regulations to secure them properly. The bill provides for the government and industry to collaborate on defining regulations and situations when a cyber emergency could be declared.
The bill also would reform the Federal Information Security Management Act, the 8-year-old law that governs how federal agencies secure their IT systems by jettisoning the paper-based compliance process with one that emphasizes continuous monitoring of computer systems and red-team assaults by "friendly hackers" to test vulnerabilities.
Creating two cybersecurity leaders appears to be a compromise between lawmakers who favored a strong, White House cybersecurity adviser and Collins, the Maine Republican, who's been adamant that cybersecurity leadership should emanated from Homeland Security.
The Lieberman-Collins-Carper bill won praise by two key colleagues, Sens. Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine, sponsors of their own cybersecurity legislation that the Senate Commerce, Science and Transportation Committee, which Rockefeller chairs, approved in March
"The broad overlap between this measure and the Rockefeller-Snowe initiative further underscores the bipartisan consensus within the Congress to confront this urgent threat," Snowe said in a statement. "Our failure to implement effective policies and procedures to prevent unauthorized intrusion has proven extremely consequential, and I stand ready to work with my colleagues in the Senate to swiftly enact a 21st century national security policy that will protect and preserve American cyberspace."
Support from Rockefeller and Snowe could help propel congressional passage of cybersecurity legislation this year. Late last month, as part of a defense authorization bill, the House passed comprehensive cybersecurity and FISMA reform legislation.
According to a committee-provided summary of the Protecting Cyberspace Act, a White House Office of Cyberspace Policy, headed by a Senate-confirmed director, would advise the president on all cyber security matters. The director would lead and harmonize federal efforts to secure cyberspace and would develop a national strategy that incorporates all elements of cybersecurity policy, including military, law enforcement, intelligence, and diplomacy. The director would oversee all federal activities related to the national strategy to ensure efficiency and coordination. The director would report regularly to Congress in the interests of transparency and oversight.
However, much of the day-to-day authority in implementing government cybersecurity policy would be granted to a Senate-confirmed director of the National Center for Cybersecurity and Communications, or NCCC, who would report to the secretary of Homeland Security and to the president through the Office of Cyberspace Policy. The NCCC would also oversee the United States Emergency Response Team, or U.S.-CERT, and lead federal efforts to protect public and private sector cyber and communications networks.
The NCCC would work with the private sector to establish risk-based performance standards to enhance cybersecurity for the nation's most critical infrastructure. Owners and operators of critical infrastructure covered by the act would be permitted to choose the combination of security measures to meet the risk-based performance standards.
The act would provide limited liability protections to owners/operators of covered critical infrastructure that are in compliance with the new risk-based performance standards. Covered critical infrastructure would also be required to report breaches to the NCCC to ensure the federal government has comprehensive awareness of the security risks facing these critical networks. The NCCC would also have an obligation to share information, including threat analysis, with owners and operators of critical infrastructure regarding cyber risks affecting the security of their sectors. The NCCC will work with sector specific agencies and other federal agencies with existing regulatory authority over the covered critical infrastructure to avoid duplicating requirements, utilize existing expertise, and ensure government resources are used in the most efficient and effective manner.
The NCCC would produce and share useful warning, analysis, and threat information with the private sector, other federal agencies, allied foreign nations, and state and local governments. By developing and promoting best practices and providing, as resources permit, voluntary technical assistance to the private sector, the NCCC would improve cybersecurity across the nation. Best practices developed by the NCCC would be based on collaboration and information sharing with the private sector. Information shared with the NCCC by the private sector would be anonymized and protected from public disclosure.
Protecting Against an Imminent Cyber Attack
The act would provide a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures, limited in scope and duration, to protect the nation's most critical infrastructure if a cyber attack is imminent. The president would be required to notify Congress in advance of the declaration of an imminent cyber threat (or as soon thereafter as possible), including the nature of the threat; the reason existing protective measures are insufficient to respond to the threat; and the emergency actions necessary to mitigate the threat. Any emergency actions directed by the president during the 30-day period covered by the declaration must be the least disruptive means feasible to respond to the threat.
The act would require development of a comprehensive supply chain risk management strategy to address cyber risks to the information technology products and services the federal government relies upon. This strategy would allow agencies to make informed decisions when purchasing IT products and services.
The act would direct the Office of Personal Management to reform the way cybersecurity personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cybersecurity effort and protect its own networks. The act would also provide DHS with temporary hiring and pay flexibilities to assist in the establishment of the NCCC.