Does Bill Ban President from Shuttering the Net?
The Rockefeller-Snowe Cybersecurity Act of 2010 adopts a carrot and twig approach to winning businesses' cooperation on information security. It's heavy on incentives - the carrot - and light on regulation - the twig. No thick stick here, more of a friendly jostling to get businesses to comply with initiatives to secure the nation's critical IT infrastructure.
The legislation, S. 773, comes up for a vote Wednesday before the Senate Commerce, Science and Transportation Committee, and if approved, would become the first major piece of cybersecurity legislation to reach the Senate floor this Congress.
The bill is very business friendly, and adheres to the principle being forwarded by the Obama administration that calls for close collaboration with the private sector to secure the nation's critical IT infrastructure, of which 85 percent is controlled by the private sector.
Indeed, the latest draft of the bill calls for the federal government and business - working through sector coordinating councils such as those in communications, energy, IT and financial services industries - to collaborate in developing a cyber emergency response plan. What's garnered the most attention in the current version of S. 773 is what's been excised from the original draft introduced last spring, a provision granting the president the authority to shutter Internet traffic in a cyber emergency, which brought loud objections from some quarters in the private sector.
That criticism prompted the bill's sponsors - Sens. Jay Rockefeller, Olympia Snowe and Bill Nelson - to not only drop that provision but add the following language:
"This section does not authorize, and shall not be construed to authorize, an expansion of existing presidential authorities."
That has led some observers to conclude that S. 773 would bar the president from acting to limit the flow of Internet traffic during a declared cyber emergency. But that interpretation could be wrong.
First, some legal and government experts contend existing laws already grant the president wide latitude to protect the public during a national emergency, including shutting down critical root servers that handle Internet traffic. If that's the case, the expansion provision of S. 773 would have no impact because the bill would not expand existing presidential authority.
Second, in developing an emergency response plan, the parties could spell out circumstances in which the president can act to limit Internet traffic if the policy writers deem it best to protect the nation's critical IT infrastructure.
Regardless of what ultimate power the president has during a cyber emergency, S. 773 provides for an active role by business in nearly every aspect of cybersecurity: protection, workforce, training and awareness.
The legislation offers a series of incentives - rather than regulations - to win business cooperation, though some of the incentives seem like an appreciative pat on the back from the president. From the section of the bill entitled Workforce Development, a provision labeled "Positive Recognition" says:
"The president ... may publicly recognize the owners and operators of United States critical infrastructure information systems whose independent audits demonstrate compliance with the accreditation, training and certification programs ..."
A somewhat more meaningful reward is another provision allowing the president to publicize cybersecurity accreditation, training and certification programs offered by the private sector.
The consequences of the private sector's failure to comply with provisions of the act, should it become law, don't seem overly injurious to business. One representative provision calls for the operator of a critical infrastructure IT system to work collaboratively with the government to develop and implement a remediation plan if two straight independent audits show the business failed to demonstrate substantial compliance with accreditation, training and certification programs.
There are those who feel the government needs to get tougher on business through regulation to make sure that the private sector does what it must to protect key IT systems critical for national health.
Business, on the other hand, is appreciative that this bill is less draconian in its eyes than the original draft. Here's an excerpt from a letter from the business lobbying group Internet Security Alliance to Rockefeller and Sen. Kay Bailey Hutchison, respectively the chairman and ranking Republican on the Senate Commerce, Science and Transportation Committee:
"The approach reflected in the current draft is a vast improvement over the government centric, regulatory-mandate framework reflected in the initial version. ... That said, ISA believes there are a few remaining areas where the bill could be strengthened to ensure that it becomes an even more effective tool for protecting our strategic cybersecurity goals and our national security."
And what are those few remaining areas?
Elimination of the required semi-annual audits of critical IT systems and cybersecurity professionals, which the ISA sees as draining resources and undermining IT security:
"Undergoing a security audit is not the same thing as providing security."
And, what does business think of the incentives? Again, from the ISA letter:
"While these incentive programs are laudable, they are not currently broad enough or powerful enough to provide sufficient motivations across the expanse of companies involved in the critical infrastructure."
Isn't that an argument for regulation?