Thursday, February 9, 2012

Rockefeller Crafting Cybersecurity Bill

March 20, 2009

Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, are crafting legislation that they hope will improve the country's cybersecurity posture in the face of increasingly sophisticated global attacks against U.S. government networks as well as the nation's broader critical infrastructure. Rockefeller indicated he was working on the bill at a Thursday hearing where he also pledged to make cybersecurity a committee priority this year. He called cybersecurity "a profoundly and deeply troubling problem to which we are not paying much attention." CongressDaily's AM Edition has more coverage of the hearing (subscription required).

"We presently have systems to protect our nation's secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies' cyber capabilities," a draft summary of the Rockefeller-Snowe proposal obtained by CongressDaily stated. "However, the threat of cyber attack on our private sector's critical infrastructure - banking, utilities, air/rail/auto traffic control, and telecommunications is equally alarming and protections must be put in place." The document goes on to say the proposal would "bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership."

Follow the jump for a detailed rundown of what the bill could include...


1) Significantly raise the profile of cybersecurity within the Federal government and streamline cyber-related government functions and authorities.

• Establish the Office of the National Cybersecurity Advisor within the Executive Office of the President. The National Cybersecurity Advisor will lead this office and report directly to the President. The Advisor will serve as the lead official on all cyber matters, coordinating with the intelligence community, as well as the civilian agencies. This section also outlines a number of important functions and authorities of the National Cybersecurity Advisor, including the authority to disconnect a Federal or critical infrastructure network from the Internet if it is found to be at risk of cyber attack.

• Develop a comprehensive national strategy for cybersecurity. The Advisor is responsible for developing a comprehensive national strategy for cybersecurity to coordinate Federal and private sector cybersecurity efforts.

• Require a Quadrennial Cybersecurity Review. The legislation will direct the National Cybersecurity Advisor to conduct a quadrennial review of the U.S. cybersecurity program, modeled after the Defense Department's Quadrennial Defense Review, to examine cyber strategy, budget, plans, and policies.

• Require a threat and vulnerability assessment to help us understand the threats and vulnerabilities of public systems and private-sector owned critical infrastructure.

2) Remake the relationship between government and the private sector on cybersecurity.

• Create a public-private clearinghouse for cyber threat and vulnerability information-sharing. The clearinghouse would be responsible for the management and sharing of data between the federal government and private sector critical infrastructure operators.

• Create a Cybersecurity Advisory Panel consisting of outside experts in cybersecurity from industry, academia, and non-profit advocacy organizations to review and advise the President on cybersecurity-related matters.

• Establish enforceable cybersecurity standards. The legislation would require the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards that would be applicable both to government and the private sector.

• Provide for licensing and certification of cybersecurity professionals. The legislation would require the development and implementation of a professional licensing and certification program for cybersecurity professionals similar to those required for other major professions.

• Create state and regional cybersecurity centers for small and medium sized companies. These centers, modeled off of the Commerce Department's Hollings Manufacturing Extension Partnership (MEP) programs, would assist small and medium sized businesses in adopting cybersecurity measures.

• Establish international norms and cybersecurity deterrence measures. The legislation would require the Advisor to work with the Secretary of State to develop international standards and techniques for improving cybersecurity.

• Establish a Secure Products and Services Acquisitions Board responsible for certifying that products the federal government purchases will have met standards for security as established by the Board. Many federal contracting officers do not incorporate security provisions into acquisition contracts, either because it is not considered a performance requirement or they lack the knowledge and understanding to make it a requirement, and this Board would eliminate that problem by requiring that all information and communication technologies be reviewed and approved.

3) Foster innovation and creativity in cybersecurity to develop long-term solutions

• Expand the Scholarship-For-Cyber-Service program focused on recruiting students into a cybersecurity curriculum program. Upon graduation, these students would enter public service, joining an agency or department and leveraging the skills they've learned.

• Create an annual cybersecurity competition and prize to attract, identify, and recruit students to study cybersecurity.

• Increase federal cybersecurity research and development at the National Science Foundation.

• Attempt to place a dollar value on cybersecurity risk. The legislation would require the Advisor to provide a report on the feasibility of creating a market for cybersecurity risk management, to include civil liability and government insurance.

4) Promote public awareness and protect civil liberties.

• Promote cybersecurity awareness by initiating a cybersecurity awareness campaign to educate the general public about cybersecurity risks and countermeasures they can implement to better protect themselves.

• Require a comprehensive legal review of the federal statutory and regulatory legal framework applicable to cybersecurity, including recommendations on changes that need to be made to modernize this legal framework.

• Require a report on identity management and civil liberties. The legislation would require the Advisor to review the feasibility of an identity management and authentication program, to include recommendations regarding civil liberties protections.

