US Government Looks To Create Cyber Policy Office

If a new security bill makes it through Congress, CIOs could be answering to a higher level of management than the CEO, chairman or board of directors.

The Protecting Cyberspace as a National Asset Act of 2010, S.3480, as introduced by ranking Senate members of the Homeland Security and Governmental Affairs Committee, is intended to create an Office of Cyber Policy in the executive branch of the government, confirmed by the Senate and ultimately reporting to the president.

The bill was presented publicly June 10 by Sens. Joe Lieberman, Blanche Lincoln and Tom Carper. Key parts of the bill include cooperation from the proprietors of what the government deems critical infrastructure networks, such as electricity grids, financial systems and telecommunications networks.

“The Internet may have started out as a communications oddity some 40 years ago, but it is now a necessity of modern life, and, sadly, one that is under constant attack,” Lieberman said in a statement on 10 June.

Critical Infrastructure

“The Protecting Cyberspace as a National Asset Act of 2010 is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber-theft, intrusions and attacks across the federal government and the private sector. The bill would establish a clear organisational structure to lead federal efforts in safeguarding cyber-networks. And it would build a public-private partnership to increase the preparedness and resiliency of those private critical infrastructure cyber-networks upon which our way of life depends.”

At issue, however, is to what extent the bill extends powers to the president in cases of emergency. Here is how a statement provided by the Homeland Security and Governmental Affairs Committee described the emergency powers presented in this bill:

“Key elements of the legislation include […] Requiring covered critical infrastructure to report significant breaches to the NCCC [National Center for Cybersecurity and Communications] to ensure [that] the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements. Creation of a responsible framework, developed in coordination with the private sector, for the President to authorise emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.”

Following the bill, several new offices would be created at the Department of Homeland Security, most notably the NCCC, which would have the US-CERT (United States Computer Emergency Readiness Team) put under its wing. US-CERT would become the key organization working with the public and private sectors on communicating threats and coordinating response efforts. The bill also accounts for changes in hiring practices by the Office of Personnel Management, as well as updates to FISMA (the Federal Information Security Management Act) to “modernize federal agencies’ practices of protecting their internal networks and systems,” said the statement.

Some in the technology industry are not keen on many of the regulatory aspects of the bill.

“An issue is the unintended consequences that could arise from any established set of standards, which does not allow for evolution on a timely basis,” Liesyl Franz, vice president for global public policy at lobbying group TechAmerica, told Nextgov.com.

Collaborative Approach

TechAmerica supports self-certification over government-based standards. “What could be an effective standard today might not be tomorrow,” Franz said.

“The notion that the government has a better idea than the owners and operators about how to manage risk is not even reasonable,” Robert Dix, vice president of Government Affairs and Critical Infrastructure Protection at Juniper Networks, told Nextgov.com. “The paradigm needs to change from this kind of top-down push to a collaborative approach.”

“Over the past few decades, our society has become increasingly dependent on the Internet, including our military, government and businesses of all kinds,” Carper said. “While we have reaped enormous benefits from this powerful technology, unfortunately our enemies have identified cyberspace as an ideal 21st century battlefield. We have to take steps now to modernize our approach to protecting this valuable, but vulnerable, resource. This legislation is a vital tool that America needs to better protect cyberspace. It encourages the government and the private sector to work together to address this growing threat and provides the tools and resources for America to be successful in this critical effort.”