New Bill Would Give Feds Sweeping Cybersecurity Enforcement Powers
If passed by Congress and signed into law by the president, the Cybersecurity Act of 2009 would mark a new dawn in securing the computer networks of utilities, banks, traffic control operations, telecoms and other entities critical to homeland security. Both government and private industry cybersecurity efforts have been ineffective up to now, proponents maintain.
A bill introduced in the U.S. Senate would give the government dramatic new powers to regulate and enforce federal standards for cybersecurity.
The government already monitors and regulates military networks, of course. This measure, however, called the "Cybersecurity Act of 2009," would extend that control to private systems that power essential activities, such as the electric grid. New regulatory powers would compel industry compliance.
All of this would be overseen by a cybersecurity "czar," appointed by the president to helm a new Office of the National Cybersecurity Adviser. The cybersecurity chief would be empowered to shut down networks -- including private ones controlling utilities, banking, transportation traffic control or telecommunications -- if a cyberattack were underway.
The legislation is cosponsored by Senate Commerce Committee Chairman John D. Rockefeller IV, D-W.Va., and Sen. Olympia J. Snowe, R-Maine. The White House reportedly contributed to the bill, although it has not officially endorsed it.
Among its provisions, the bill would create a public-private clearinghouse for sharing information on cyber-threats, as well as licensing and certification standards for cybersecurity professionals. The measure would also create state and regional cybersecurity centers and expand a scholarship program for students who wish to focus on cybersecurity as a course of study.
Very WeakCurrently the Department of Homeland Security is tasked with providing assistance to private networks. However, government efforts have been trained largely on its military and national security IT backbone -- with questionable success.
For example, it's widely suspected that China has successfully hacked its way into the Pentagon's computer systems.
Cybersecurity performance in the private sector is far from stellar.
Earlier this year, IBM researchers reported that poorly secured corporate Web sites were becoming a top cybersecurity threat, with companies increasingly putting their own clients at risk. Both commercial and custom-built software applications riddled with bugs and vulnerabilities were among the culprits.
The researchers also cited the increasing number of hacker attacks that used legitimate business sites as a launch pad for their activities -- usually through large-scale, automated SQL injection attacks.
The 'C' Word
The cybersecurity community appears to be withholding judgment on the proposed legislation until more details are revealed.
"It may wind up being a doubled-edge sword, like a lot of government regulation," Rohyt Belani, CEO of the Intrepidus Group, told the E-Commerce Times.
"What often happens is that regulators will come up with a rule or regulation in the tech space -- but once it is implemented it is clear they didn't think it through or ask a technologist for advice," Belani said.
On the positive side, he added, the measure could be used by security and compliance staff as an effective stick to secure more funds for IT security measures that management was reluctant to fund. "We call it the 'C' word," he said.
Given the Obama Administration's push for open forums and dialogue, Belani said he would like officials to give the cybersecurity community opportunities to review and comment on the proposal.
Even if the security community were to provide input, the bill would likely have some trouble spots.
Security is not something that is easy to measure, Jack Danahy, CTO and cofounder of Ounce Labs, told the E-Commerce Times. "It can be a combination of measures that can secure a network. You could have a lot of one thing and very little of another and still have the system be secure."
Entirely different combinations of products or ratios of measures could produce equally secure systems, he noted.
Generating metrics or measurements in the cybersecurity space is very difficult, said Danahy. "We have been grappling with this issue for years, trying to figure out how to best judge if something is secure."