Sens. John D. Rockefeller IV (D-W.Va.) and Olympia J. Snowe (R-Maine) introduced a significant piece of legislation yesterday, the Cybersecurity Act of 2009 (S. 778). The measure puts the federal government, specifically the White House, at the center of the nation's cybersecurity effort and equips it with unprecedented authority to assert its will across the public and private Internet.
OK, so federal government hegemony over the global (and private) Internet is a troubling prospect. On the other hand, if you are able to set aside civil liberties forebodings or the prospect of re-engineering your company's IT operation, or obtaining federal government approval for any piece of software or hardware you might want to distribute, consider this: S. 778 contains vast opportunities for businesses and their legal representatives to make money in the emerging cybersecurity industry. Call it a Stimulus Act for security geeks and their attorneys.
The message I got out of the Rockefeller/Snowe bill is that the federal government would like to end an era of feckless pleading for private companies to participate together with the government on cybersecurity matters. S. 778 proposes giving the federal government the authority to dictate computer security standards and to enforce them against providers of online services, software developers, and private companies connected to the Internet (basically everybody). Private industry will be allowed to participate in the decision-making process, but at the end of the day there will be "measurable and auditable cybersecurity standards" for both government and business.
Section 18 (Cybersecurity Responsibilities and Authority) is the much-discussed section that creates the cybersecurity czar, an official in the White House, empowering him or her to shut down Internet traffic in the event of a "cybersecurity emergency," along with other sweeping powers. However, I found other parts of the bill much more interesting.
Section 3 (Cybersecurity Advisory Panel) of the proposed Act creates a "Cybersecurity Advisory Panel," a private sector and government group that will advise the President on all aspects of the federal cybersecurity strategy. No mention is made of the permissible size of the panel. The government will pay the expenses of non-federal members. The panel is exempt from the sunset provisions of the Federal Advisory Committee Act. In other words, if you are a tech-sector lobbyist, an academic or member of an advocacy group relating to cybersecurity or cyberliberties, this is a very good appointment to land.
An added benefit of panel membership is that, pursuant to Section 8 (Review of NTIA Domain Name Contracts), the panel has the authority to veto the Department of Commerce's decision to extend or modify the government's domain name management contract with the Internet Corporation for Assigned Names and Numbers.
In a further shot across ICANN's bow, Section 9 (Secure Domain Name Addressing System) directs the Department of Commerce to develop its own secure domain name addressing system, a project that ICANN itself has been working on.
The heart of S. 778 is Section 6 (NIST Standards Development and Compliance), which would give the Director of the National Institute of Standards and Technology one year to develop comprehensive security standards for computer information systems. Though the bill is nominally directed toward government agencies and federal contractors, the clear intent is to establish a comprehensive security strategy across the Internet. How could it be otherwise? Security is only as strong as the weakest link, meaning in this context that all parts of the Internet need to be secured. A final provision in this section gives the Federal Communications Commission the authority to weigh in on the "most effective and efficient means to ensure the cybersecurity of commercial broadband networks."
Section 7 (Licensing and Certification of Cybersecurity Professionals) is interesting, in that it contains the strong suggestion that existing security certification providers have not been up to the task. Section 7 directs the Secretary of Commerce to create a national certification program for cybersecurity professionals. Unfortunately, the bill does not define "cybersecurity professional," and I was left wondering whether attorneys in this area will need to have this designation to give legal advice on information security matters. I also wonder about the effect of this section on the private entities who are now providing information security and privacy certifications (companies like SANS Institute and the International Association of Privacy Professionals come to mind, though I am sure there are many others). Section 7(b) sounds like it means business:
MANDATORY LICENSING.--Beginning 3 years after the date of enactment of this act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
It is hard to know what impact this will have on providers of certification services. Perhaps this business will go away entirely in three years, leaving only a government-supplied certification. Or perhaps it will be possible to be designated as a NIST-certified provider of certifications. One thing is certain: in three years everybody is going to need a new certification, a tidy piece of business for lucky certification providers. Again, more lobbying work here for someone.
Money. Quite a bit of spending is authorized by S. 778. I added up over $1 billion in spending that can be doled out by the National Science Foundation and NIST for research, competitions, cybersecurity scholarships, and various other programs.
Section 14 (Public-Private Clearinghouse) reposes quite a bit of authority in the Secretary of Commerce to demand information from network providers. For example, the bill states "The Secretary of Commerce ... (1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access; (2) shall manage the sharing of Federal government and other critical infrastructure threat and vulnerability information between the Federal government and the persons primarily responsible for the operation and maintenance of the networks concerned; ...." That's a lot of power to give to a relatively weak and politicized agency. Starting in 1989, the following individuals have served as Secretary of Commerce: Robert Mosbacher, Barbara Franklin, Ron Brown, Mickey Kantor, William M. Daley, Norman Mineta, Donald Evans, Carlos Gutierrez, and Gary Locke. I count a lot of fundraisers and political operatives in this bunch. Perhaps the feeling with S. 778's sponsors is that, if someone is going to have unfettered power to demand "all relevant data" about Internet operations regardless of federal legal protections, such power should be reposed in someone highly unlikely to use it.
The final part of S. 778 that I found interesting was Section 16 (Legal Framework Review and Report), a section that directs the President to complete a comprehensive review of federal laws relating to cybersecurity. Among them: the Privacy Act, the Electronic Communications Privacy Act, the Computer Security Act, the Federal Information Security Management Act, the E-Government Act, and the Defense Production Act. Interesting that the Computer Fraud and Abuse Act was not specifically mentioned. The ECPA and the Privacy Act are both shopworn and in need of attention; however, receiving attention in the context of a cybersecurity assessment seems unlikely to result in greater privacy. Here again, good lobbying work for somebody.
There is a lot of loose change in other sections of the bill. The President is directed to prepare a report on the feasibility of an identity management system, including a discussion of civil liberties and privacy issues. The President is also empowered to act on the international stage to "develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity." Patent rights are protected for companies involved in, and whose activities are funded as a part of, the standards-setting process. Information-sharing duties, long a source of contention between law enforcement and business, are reposed in the business-friendly Department of Commerce. Elsewhere, the Director of National Intelligence and the Secretary of Commerce are directed to jointly prepare an assessment and report on cybersecurity threats.
(Finally, I want to express how frustrating it is when legislation is announced in the middle of the day, as it was yesterday, but the text of the bill is not available until much later in the day. It was 6 p.m. here at BNA. Nobody who wrote a story yesterday on the Cybersecurity Act had a copy of the bill in their possession when they wrote the story; at least it didn't look that way to me. Legislators withhold the text of legislation to ensure that the first wave of news accounts are based entirely on press releases and summaries, resulting inevitably in stories that carry the bill sponsors' message. In this case, the message was: We need a federal cyber-czar to head off cyber-Katrina. Perhaps. Not all legislators withhold bill text, but plenty do. This way of doing business doesn't reflect well on our elected representatives, who peddle important public policy like laundry detergent, nor does it reflect well on journalists such as myself, who rarely go back and write a revised account with the legislation in hand.)