Senate Panel Clears Major Cybersecurity Bill
Measure Reforms FISMA, Strengthens DHS's Infosec Oversight
The legislation, S. 3480, approved by the Senate Homeland Security and Governmental Affairs Committee, also would grant the president authority to declare a national cyber emergency, in which the government could order the owners of the nation's critical IT infrastructure to take steps to secure their networks and systems.
Since the bill's introduction two weeks ago, this provision has been characterized by bloggers and others as an Internet "kill switch," under which the government could grab control of the Internet and interfere with the privacy rights of American citizens. "Not true," said panel chairman and chief sponsor Joseph Lieberman, ID-Conn. "These reports failed to recognize the extent to which such a kill switch is even technologically feasible."
Lieberman and co-sponsor Susan Collins of Maine, the panel's ranking Republican, contended that a 1941 amendment to the Communications Act already gives the president wide authority to shutter parts of the communications network, and that their bill would limit presidential authority by providing the president with a range of options to address the most severe threats, so that any emergency measure taken is the least disruptive one available. "Our bill provides the president with what I prefer to call a scalpel to address threats to individual systems or networks so that he would not be left with only a sledgehammer," Lieberman said.
Under the amended bill, a national cyber emergency could last for up to 30 days, and the president could renew it up to three times. It could only be renewed beyond 120 days with the approval of Congress. The bill limits the presidential action to only the most critical IT systems.
The measure approved by the panel is a bit different from the original bill introduced June 10. Language in the amended version provides for more participation by business and local and state governments in developing processes to protect the nation's critical IT infrastructure. It also calls for the development and implementation of an identity management strategy for cyberspace that protects privacy and civil liberties while assuring safety.
One of the few objections raised during the Senate committee markup session came from Daniel Akaka, the Alaska Democrat, who chairs the panel's subcommittee on the federal workforce. Akaka expressed concerns that the bill's provisions aimed at recruiting cybersecurity professionals could provide exceptions to current civil service laws and create a class of federal employees that would be treated more favorably than other government workers. Akaka said he would work with Lieberman and other sponsors to address his concerns.
The future of this specific legislation is uncertain, but it is likely to be combined with other cybersecurity bills pending before other Senate committees into an omnibus IT security measure. That is what Senate Majority Leader Harry Reid, D-Nev., told the sponsors of the various cybersecurity measures he would like to see. Whether the Senate addresses a combined cybersecurity bill separately, or adds it to another measure as the House did, has not been decided. The House late last month approved a cybersecurity bill as part of the Defense Authorization Act, and the possibility exists for the Senate to follow suit. That would be the quickest way for a comprehensive cybersecurity bill to become law: a conference committee of Senate and House sponsors of the Defense Authorization Acts could then iron out differences in the cybersecurity legislation.
The bill approved by the Senate panel also would reform the 8-year-old FISMA law that governs how federal agencies secure their IT systems, replacing the paper-based compliance process with one that emphasizes continuous monitoring of computer systems and red-team assaults by "friendly hackers" to test for vulnerabilities. "Producing a plan that sounds good on paper is not the same as ensuring the plan is effective when implemented," said another of the bill's sponsors, Sen. Tom Carper, D-Del. "That's why our bill compels agencies to stop producing the reams of ineffective paperwork they currently do and instead focus their efforts on defending their systems in real time."
The legislation also would establish a White House Office of Cyberspace Policy, headed by a Senate-confirmed director, who would advise the president on all cyber security matters. The director would lead and harmonize federal efforts to secure cyberspace and would develop a national strategy that incorporates all elements of cybersecurity policy, including military, law enforcement, intelligence, and diplomacy. The director would oversee all federal activities related to the national strategy to ensure efficiency and coordination. The director would report regularly to Congress in the interests of transparency and oversight.
However, much of the day-to-day authority in implementing government cybersecurity policy would be granted to a Senate-confirmed director of the National Center for Cybersecurity and Communications, or N3C, who would report to the secretary of Homeland Security and to the president through the Office of Cyberspace Policy.
The National Center would also oversee the United States Computer Emergency Readiness Team, or U.S.-CERT, and lead federal efforts to protect public and private sector cyber and communications networks. The amended bill toughens oversight of U.S.-CERT, which, according to an audit released last week by DHS Inspector General Richard Skinner, does not have the appropriate enforcement authority to help mitigate security incidents, is not sufficiently staffed to perform its mission, and has not finalized and approved its performance measures or its policies and procedures related to cybersecurity efforts.