Revised Cybersecurity Bill Introduced in Senate

A revised version of a cybersecurity bill first proposed last year was introduced again in the U.S. Senate today, notably without a controversial provision that would have given the president authority to disconnect networks from the Internet during a national emergency.

A revised version of a cybersecurity bill first proposed last year was introduced again in the U.S. Senate today, notably without a controversial provision that would have given the President authority to disconnect networks from the Internet during a national emergency.

Slideshow: Quiz: Separate Cyber Security Fact From Fiction

The bill, called the Cybersecurity Act, is sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). It seeks to improve national cybersecurity preparedness by fostering a closer collaboration between the government and the private sector companies, which own a vast portion of the country's critical infrastructure.

The bill contains several provisions designed to encourage the growth of a trained and certified cybersecurity workforce, promote public awareness of cybersecurity issues and to foster and fund research leading to the development of new security technologies.

It would require agency heads to provide information on their cybersecurity workforce plans including recruitment, hiring and training details.

The bill would empower the National Institute of Standards and Technology (NIST) to develop measurable and auditable security standards for government entities, as well as companies in critical infrastructure industries.

New provisions in the revised bill include one that would require the President to work with owners of critical infrastructure to identify and designate IT systems "whose disruption or incapacitation would threaten strategic national interests," according to a draft of the bill.

The revised bill also adds a provision that would require the President to provide clearances for private sector executives to access classified information relating to cyber-threats.

In addition, the bill would require the White House to collaborate with private sector companies to identify the best cybersecurity training programs.

One of the most important changes in the newly introduced bill, however, is a provision that has been deleted. It would have given the President new authority to essentially disconnect government and private sector organizations from the Internet in a declared emergency.

The President would have the power to declare security emergencies and then curtail or shut down Internet traffic to and from any compromised federal or critical infrastructure networks.

The inclusion of the provision in the original version of the Rockerfeller-Snowe bill attracted widespread criticism from many, who saw it as a measure that would give the President unfettered authority over private-sector networks.

Under the new proposal, the President will be required to work with critical infrastructure owners in the private sector to deal with cyber-emergencies. It requires the White House to collaborate with them in the development and rehearsal of a detailed cybersecurity emergency response and restoration plan.

The plan will spell out the roles, responsibilities and authority of government and private sector actors in the event of a cyber-emergency.

The President will be required to explain to Congress in writing within 48 hours why exactly an emergency was declared, as well as the scope and likely duration of the emergency. "Nothing in the section authorizes new or expanded Presidential authorities," a draft of the new bill notes.

"It simply seeks to avoid the type of deadly bureaucratic confusion that left New Orleans to drown in the aftermath of Hurricane Katrina," the draft version says.

The bill, as written, is "seminal" and should be passed, said Tom Kellerman, vice president of security awareness at Core Security Technologies and a member of a commission that developed a set of cybersecurity recommendations for President Obama last year.

Provisions such as the one focused on building a better cybersecurity workforce, and the one allowing private sector executives to access classified threat data are very important, Kellerman said.

So too are provisions that require regular threat and preparedness assessments by government and critical infrastructure organizations and the increased collaboration that is required between the government and private sector.

"I like the bill. They've done a lot of work to meet people half way," said James Lewis, director and senior fellow at the Center for Strategic and International Studies. "The attention to human capital is great." Keynote:

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.

This story, "Revised Cybersecurity Bill Introduced in Senate" was originally published by Computerworld .

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies