Friday, September 25, 2009

The Very Dangerous S.773


The Cybersecurity Act of 2009: The Summary In Their Words

CHAIRMAN ROCKEFELLER AND SENATOR SNOWE INTRODUCE COMPREHENSIVE CYBERSECURITY LEGISLATION

This comprehensive legislation addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage, and cyber attacks that could cripple our critical infrastructure. We presently have systems to protect our nation’s secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies’ cyber capabilities. However, another great vulnerability our country faces is the threat to our private sector critical infrastructure–banking, utilities, air/rail/auto traffic control, telecommunications–from disruptive cyber attacks that could literally shut down our way of life. This proposed legislation will bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cyber security efforts in the 21st century by:

1) Significantly raising the profile of cybersecurity within the Federal government and streamlining cyber-related government functions and authorities.


2) Promoting public awareness and protecting civil liberties.


3) Remaking the relationship between government and the private sector on cybersecurity.


4) Fostering innovation and creativity in cybersecurity to develop long-term solutions.

1) Significantly raise the profile of cybersecurity within the Federal government and streamline cyber-related government functions and authorities.


· Establish the Office of the National Cybersecurity Advisor within the Executive Office of the President. The National Cybersecurity Advisor will lead this office and report directly to the President. The Advisor will serve as the lead official on all cyber matters, coordinating with the intelligence community, as well as the civilian agencies. This section also outlines a number of important functions and authority of the National Cybersecurity Advisor, including the authority to disconnect a Federal or critical infrastructure network from the Internet if they are found to be at risk of cyber attack.


· Develop a comprehensive national strategy for cybersecurity. The Advisor is responsible for developing a comprehensive national strategy for cybersecurity to coordinate Federal and private sector cybersecurity efforts.


· Require a Quadrennial Cybersecurity Review. The legislation will direct the National Cybersecurity Advisor to conduct a quadrennial review of the U.S. cybersecurity program, modeled after the Defense Department’s Quadrennial Defense Review, to examine cyber strategy, budget, plans, and policies.


· Require a threat and vulnerability assessment to gain a thorough, comprehensive and coordinated understanding of the threats and vulnerabilities of public systems and private-sector owned critical infrastructure.


2) Promote public awareness and protect civil liberties.


· Promote cybersecurity awareness by initiating a cybersecurity awareness campaign to educate the general public about cybersecurity risks and countermeasures they can implement to better protect themselves.


· Require a comprehensive legal review of the federal statutory and regulatory legal framework applicable to cybersecurity, including recommendations on changes that need to be made to modernize this legal framework.

· Require a report on identity management and civil liberties. The legislation would require the Advisor to review the feasibility of an identity management and authentication program, to include recommendations regarding civil liberties protections.


3) Remake the relationship between government and the private sector on cybersecurity.


· Create a public-private clearinghouse for cyber threat and vulnerability information-sharing. The clearinghouse would be responsible for the management and sharing of data between the federal government and private sector critical infrastructure operators.


· Create a Cybersecurity Advisory Panel consisting of outside experts in cybersecurity from industry, academia, and non-profit advocacy organizations to review and advise the President on cybersecurity-related matters.


· Establish enforceable cybersecurity standards. The legislation would require the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards that would be applicable both to government and the private sector.


· Provide for licensing and certification of cybersecurity professionals. The legislation would require the development and implementation of a professional licensing and certification program for cybersecurity professionals similar to those required for other major professions.


· Create state and regional cybersecurity centers for small and medium sized companies. These centers, modeled off of the Commerce Department’s Hollings Manufacturing Extension Partnership (MEP) programs, would assist small and medium sized businesses in adopting cybersecurity measures.


· Establish international norms and cybersecurity deterrence measures. The legislation would require the Advisor to work with the Secretary of State to develop international standards and techniques for improving cybersecurity.

· Establish a Secure Products and Services Acquisitions Board responsible for certifying that products the federal government purchases will have met standards for security as established by the Board. Many federal contracts do not incorporate cybersecurity provisions, and this Board would eliminate that problem by requiring that all information and communication technologies are reviewed and approved.


4) Foster innovation and creativity in cybersecurity to develop long-term solutions.


· Expand the Scholarship-For-Cyber-Service program focused on recruiting students into a cybersecurity curriculum program. Upon graduation, these students would enter public service, joining an agency or department and leveraging the skills they’ve learned.


· Create cybersecurity competitions and challenges to attract, identify, and recruit individuals to cybersecurity.


· Increase federal cybersecurity research and development at the National Science Foundation.


· Attempt to place a dollar value on cybersecurity risk. The legislation would require the Advisor to provide a report on the feasibility of creating a market for cybersecurity risk management, to include civil liability and government insurance.