This story appeared on Network World at
http://www.networkworld.com/columnists/2009/040609bradner.html
Yet another government attempt at cybersecurity
Proposed laws will impact most of us, but have open questions
'Net Insider By Scott Bradner, Network World, 04/06/2009
The timing of two cybersecurity bills just introduced by Sen. John D. Rockefeller IV (D-W.Va.), Sen. Olympia Snowe (R-Maine) and Sen. Bill Nelson (D-Fla.) seems a bit funny. It is not so much that they were introduced on April Fools' Day; more importantly, they were introduced before the widespread review of U.S. cybersecurity ordered by President Obama is completed by Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils.
It would seem to make more sense to wait and see what Hathaway thinks is broken before submitting bills to fix it. While I expect that the bills will be changed when Hathaway reports her findings in a few weeks, the current bills are interesting and have the potential to impact just about everyone in the network or network security business.
The first bill (S 778) would establish an Office of National Cybersecurity Advisor within the Executive Office of the President. The second (S 773), which goes by the title of "The Cybersecurity Act of 2009," covers a grab bag of topics designed to "ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications", among other things.
Some provisions in these bills come from the Center for Strategic and International Studies' (CSIS) report titled "Securing Cyberspace for the 44th Presidency." But there are a lot of things in the bills, particularly S 773, which did not come from the CSIS report. Wherever the bill's provisions come from, it seems that someone who has some Internet clue was involved, at least for some of the provisions -- not the norm for congressional staffers. The Washington Post also reports that White House people helped draft the bills, so maybe there is Internet clue there as well.
There has been some controversy over two provisions in S 773. One provision would empower the president to declare a "cybersecurity emergency" and shut down government networks and maybe even parts of the public Internet. The other provision says that the Secretary of Commerce "shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access." Some pundits have read this to mean that the government could wiretap any Internet communications, but the drafters could have just meant that a network could not hide its design or performance from the government. This will have to be clarified during the legislative process.
Some other provisions in S 773: establish a cybersecurity advisory panel to advise the president on U.S. cybersecurity and "whether societal and civil liberty concerns are adequately addressed"; ask NIST to quickly "establish measurable and auditable cybersecurity standards" in a number of areas for U.S. government and other networks -- including compliance standards for all software; "integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals" that includes, within three years, mandatory licensing for cybersecurity professionals if they want to be engaged in business in the United States (I wonder if that means I will have to get a license to keep working as the technology security guy at Harvard?); implement a secure domain name addressing system; educate the public about cybersecurity; provide grants for cybersecurity research (lots of money) and support for students; figure out if cybersecurity insurance for companies would be a good idea; and have the president "develop and implement a comprehensive national cybersecurity strategy" within a year -- seems a touch quick to me.
The provisions apply to U.S. governmental networks and to networks or systems designated by the president as a "critical infrastructure system or network" without defining any criteria for such a determination. It's not hard to see all major Internet providers being so designated.
These bills, if passed, could impact just about everybody in the Internet or Internet services business in the United States -- maybe that is what is needed to get all of the players to pay attention to security.
Disclaimer: It appears Harvard would not escape the requirements, or hopefully, the money, in these proposals, but the university has not commented on them so the above is my own review.
All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com