Cybersecurity bill would impose standards, certifications

Legislation in the Senate would consolidate the leadership of federal cybersecurity programs in a new advisory office in the Executive Office of the President. The legislation also calls for new enforceable cybersecurity standards for the public and private sectors, and a licensing and certification program for cybersecurity professionals.

Sens. John "Jay" Rockefeller (D-W.Va.), chairman of the Commerce, Science and Transportation Committee, and Olympia Snowe (R-Maine) announced the legislation today. They seek to streamline cybersecurity authorities, promote public awareness, enhance cybersecurity cooperation between government and industry, and increase cybersecurity education and research and development efforts, according to a statement.

According to a summary, the legislation would give the new national cybersecurity adviser authority to disconnect a federal or critical infrastructure network from the Internet if they are found to be at risk of a cyberattack. The new adviser would also oversee the development of a comprehensive national strategy for cybersecurity and lead quadrennial reviews of cybersecurity.

The senators also called for a public awareness campaign, a review of the laws that apply to cybersecurity and a report on identity management and civil liberties. They would also further involve the private sector in cybersecurity efforts through the establishment of:

  • A group that would certify that products purchased by the federal government meet cybersecurity standards.
  • A panel of outside experts to advise the president on cybersecurity.
  • A public-private clearinghouse for information sharing on cyberthreats.
  • State and regional cybersecurity centers to help small and medium-sized businesses.

Meanwhile, the Obama administration’s security advisers continue their 60-day review of the country’s cybersecurity efforts. That review is expected to produce a series of recommendations for how the federal government should organize cybersecurity efforts and engage with the private sector.

About the Author

Ben Bain is a reporter for Federal Computer Week.


Reader comments

Mon, Apr 6, 2009 Guy Norfolk

I like the idea of professional standards and I would like to see them build on the model outlined in DoD Directive 8570.01-M. In fact, a good start would be to actually begin requiring agencies to follow those guidelines. I agree with one of the comments about the implementation schedule too. I think it is far too ambitious to implement something this broad in scope in only one year. I would be happy if they nailed down the goals and a timeline for implementing them in a year.

Sun, Apr 5, 2009 femtobeam

I read the NIST recommendations on safeguarding PII (personal identifying information) and then looked into the trouble in oversight of the internet operations of the world's 15 (or so) nodes. The technical people are completely at odds with the management people. They don't even attend each other's meetings, let alone report to or understand the actions of the other. In the '80s there was the same problem. The politicians and business leadership do not and in fact cannot understand the complexity of communications technology. The establishment of a cabinet-level position is a good first step, but like all power players near the top, the President needs to have advice from many different sources so he can make an educated decision in a timely manner. Someone familiar with networking and routing software and hardware of "data" is already behind the curve. Cyberspace is in full swing, it is optical, and it is physics at the quantum level. The abilities are far beyond what people want to hear and they are faster than we can imagine. The time it takes to make policy decisions needs to be weighed against the rise of Chinese abilities in this Cyberspace arena and the time they have had to finance, build infrastructure and hack into their targets worldwide. If decisions are made to pull a network off of being online, I hope it isn't to sell more repeaters. DO NOT CUT THE DARK FIBER! Our lives may depend on being faster than digital. I also hope this is not just another "bashing Bill" campaign for not being effective enough at putting criminal hacks in jail. Brain interfaces demand that we have secure networks. Automation demands that we carefully look at what freedom is to a computer system. Without automation of detection to and from persons, we will be left to foreign subcontractors. During WWII, there was a famous maneuver at sea that prompted a Navy Admiral to say, "Fight against the delay tactics."
The delay tactic is not one of adoption of more embedded hardware solutions, like HDTV set-top boxes, but of warning the public, preparing for an attack and weeding out the criminal traitors selling scientists' information and important technology secrets to foreign powers. The first place to start is the rescinding of the DOD sharing arrangement and a complete review of the Jason's Group scandal by the Pentagon. Slavery is unacceptable in any form in this country and so is a big business contract at the expense of security. Domination of the electromagnetic spectrum is the new frontier and nowhere is that more apparent than in the minds of forgotten implanted soldiers. Women and young girls are the new profit margin and the electrical potential of our neurons is the new national wealth.

Fri, Apr 3, 2009 Eoghan Washington, DC

Nothing will happen until it becomes mandatory in the private sector. Commercial enterprises spend more money on requirements ("tell me what I have to do to get around this...") than they do becoming compliant. The certification process used to be known as a CCTL (Common Criteria Test Lab), certified by NIST & NSA under NIST's NVLAP (NIAP administered). The dot-com bust burst most of these facilities. Too bad, too, that would have been the way to go.

Fri, Apr 3, 2009 Joel

For the most part, the 'new' things espoused already exist in some fashion, so I don't see much improvement in our cybersecurity posture as a result. My experiences in this arena to date all point to the same central weakness, and that is not in the laws and regulations that already exist but in the people implementing them. The people at the top are bureaucratically heavy and intellectually light and therefore can never arrive... typical government operation. Can you imagine what a disposable diaper would look like if you charged the government with developing it?

Thu, Apr 2, 2009 Disgusted DC

Whatever happened to the checks and balances that our Constitutional fathers envisioned? These security standards and certifications are already in existence. This is yet another example of a knee-jerk reaction by uninformed bureaucrats who are clueless about cybersecurity, yet fancy themselves to be experts because they personally use a Blackberry.
