Act Proposes Expansion of Federal Government Role in Cybersecurity


April 17, 2009 | Posted by Ryan Mrazik

Earlier this month, Senators Rockefeller, Snowe, and Nelson introduced S.773, the "Cybersecurity Act of 2009." The bill is primarily designed to address cybersecurity in the federal government, but various provisions could impact you or your business, particularly if you are designated as a "critical infrastructure information system or network," provide cybersecurity to the federal government, are a small- or medium-sized business, or are an institution of higher learning. The bill would (1) create new government agencies, work forces, and tasks; (2) create new priorities for existing federal agencies; and (3) implement new Presidential powers to address cybersecurity on a national scale.

New Government Agencies, Work Forces, and Tasks

The bill would create at least three new types of cybersecurity-related agencies and professionals:

  • President's Cybersecurity Advisory Panel: consisting of representatives from industry, academia, non-profit organizations, interest groups, advocacy organizations, and government, the panel will advise the President on the national cybersecurity program and strategy, including trends and developments in research and development; progress and development; funding, priorities, and goals; and the program's balance between security and civil liberties.
  • Regional Cybersecurity Centers: to promote and implement cybersecurity measures, these centers will focus on enhancing the cybersecurity of small- and medium-sized businesses through cooperative technology transfer, dissemination of cybersecurity information, and short-term loans of advanced cybersecurity measures to small businesses with fewer than 100 employees.
  • Cadre of Cybersecurity Professionals: any provider of cybersecurity services to any Federal agency or any network designated as "critical infrastructure information system or network" must be licensed, certified, and recertified under this new federal program.

New Priorities for Existing Federal Agencies

The bill would refocus or expand at least two existing government cybersecurity efforts:

  • National Institute of Standards and Technology (NIST) Standards Development: for the federal government and designated "critical infrastructure information systems and networks," NIST will establish national cybersecurity compliance standards, including security controls; software security, configuration language, and standard configurations; and vulnerability specification language. NIST will also establish cybersecurity competitions to identify individuals for the federal information technology workforce.
  • National Science Foundation (NSF) Priority Research: giving new priority to computer and information science, the NSF will address fundamental cybersecurity research, conduct secure coding research, assess secure coding education, and provide grants for expanded cybersecurity modeling. These priorities would specifically include tasks such as how to guarantee the privacy of an individual's identity online, how to enable protocols for robust security on the Internet, and how to design and build secure and flaw-free software. The NSF will also establish a Cybersecurity Scholarship-for-Service program for up to 1,000 students per year.

New Powers for the President

Under the bill, the President would gain new powers to:

  • Designate state, local, and nongovernmental networks as "critical infrastructure information systems or networks," potentially subjecting them to federal control;
  • Declare a cybersecurity emergency and order the shutdown of the Internet to any compromised federal network or "critical infrastructure information system or network";
  • Order the disconnection of any federal network or "critical infrastructure information system or network" in the interest of national security;
  • Direct the periodic mapping of federal networks and "critical infrastructure information systems or networks"; and
  • Work with foreign governments to develop norms, organizations, and other cooperative activities to improve international cybersecurity.

Provisions That Could Impact You or Your Business

  • For operators of designated "critical infrastructure information systems or networks": the "measurable and auditable" NIST cybersecurity standards could apply to your computer systems, and you may potentially be subject to Presidential orders to suspend or terminate service.
  • For providers of cybersecurity to the federal government: the cybersecurity professional certification could impact your workforce's licensing requirements.
  • For small- or medium-sized businesses: regional cybersecurity centers could offer help in upgrading your cybersecurity preparedness.
  • For institutions of higher education: changes to NSF priorities could impact your available grant funding and student pursuit of cybersecurity degrees.
