With its sponsors sounding a bit defensive, a Senate panel approved Thursday the Protecting Cyberspace as a National Asset Act of 2010, legislation that would reform the Federal Information Security Management Act and create two cybersecurity directors, one in the White House and the other in the Department of Homeland Security, to lead the federal government's IT security efforts.
The legislation, S. 3480, approved by the Senate Homeland Security and Governmental Affairs Committee, also would grant the president authority to declare a national cyber emergency, in which the government could order the owners of the nation's critical IT infrastructure to take steps to secure their networks and systems.
Since the bill's introduction two weeks ago, this provision has been characterized by bloggers and others as an Internet "kill switch," under which the government could seize control of the Internet and interfere with the privacy rights of American citizens. "Not true," said panel chairman and chief sponsor Joseph Lieberman, ID-Conn. "These reports failed to recognize the extent to which such a kill switch is even technologically feasible."
Lieberman and co-sponsor Susan Collins of Maine, the panel's ranking Republican, contended that a 1941 amendment to the Communications Act already gives the president wide authority to shutter parts of the communications network, and their bill would limit presidential authority by providing the president with a range of options to address the most severe threats, making any emergency measure the least disruptive. "Our bill provides the president with what I prefer to call a scalpel to address threats to individual systems or networks so that he would not be left with only a sledge hammer," Lieberman said.
Under the amended bill, a national cyber emergency could last for up to 30 days, and the president could renew it up to three times. It could only be renewed beyond 120 days with the approval of Congress. The bill limits the presidential action to only the most critical IT systems.
The measure approved by the panel is a bit different from the original bill introduced June 10. Language in the amended version provides for more participation by business and local and state governments in developing processes to protect the nation's critical IT infrastructure. It also calls for the development and implementation of an identity management strategy for cyberspace that protects privacy and civil liberties while assuring safety.
One of the few objections raised during the Senate committee markup session came from Daniel Akaka, the Hawaii Democrat who chairs the panel's subcommittee on the federal workforce. Akaka expressed concern that the bill's provisions aimed at recruiting cybersecurity professionals could create exceptions to current civil service laws and a class of federal employees treated more favorably than other government workers. Akaka said he would work with Lieberman and the other sponsors to address his concerns.
The future of this specific legislation is uncertain, but it is likely to be combined with cybersecurity bills pending before other Senate committees into an omnibus IT security measure. That is what Senate Majority Leader Harry Reid, D-Nev., has told the sponsors of the various cybersecurity measures he would like to see merged. Whether the Senate takes up a combined cybersecurity bill on its own, or attaches it to another measure as the House did, has not been decided. The House late last month approved a cybersecurity bill as part of the Defense Authorization Act, and the Senate could follow suit. That would be the quickest route for a comprehensive cybersecurity bill to become law: a conference committee of the Senate and House sponsors of the Defense Authorization Acts could then iron out the differences between the two chambers' cybersecurity provisions.
The bill approved by the Senate panel also would reform the 8-year-old FISMA law that governs how federal agencies secure their IT systems, replacing the paper-based compliance process with one that emphasizes continuous monitoring of computer systems and red-team assaults by "friendly hackers" to test for vulnerabilities. "Producing a plan that sounds good on paper is not the same as ensuring the plan is effective when implemented," said another of the bill's sponsors, Sen. Tom Carper, D-Del. "That's why our bill compels agencies to stop producing the reams of ineffective paperwork they currently do and instead focus their efforts on defending their systems in real-time."