Cnet reports that Sens. John D. Rockefeller IV (D-WV) and Olympia Snowe have introduced legislation to create a cyberczar position in the White House. According to a press release, the bill would:
establish an Office of the National Cybersecurity Advisor that would take the lead on Internet security matters and coordinate with the intelligence community and the private sector.
The legislation also calls for the creation of a Cybersecurity Advisory Panel composed of outside experts from industry, academia, and nonprofit groups that would advise the president, as well as creation of a public-private clearinghouse for cyber threat and vulnerability information sharing, and establishment of measurable and auditable cybersecurity standards from the National Institute of Standards and Technology. It would also require that cybersecurity professionals be licensed and certified.
I asked Andrew Storms at nCircle what he thought about all this. Here's his response:
It's a common agreement that in order to begin to seriously address cybersecurity deficiencies, all parties involved need to cooperate. The so-called public/private partnerships we heard about from Chertoff during the Bush presidency were ideologically spot on. The problem, of course, is always about the execution. With the average FISMA grade in 2007 being a C and 9 agencies receiving a D or F, most private entities look with bewilderment toward the federal government information security organizations.
The top-down approach to cybersecurity that this bill proposes, putting a specialized seat in the White House, might create more disconnect between the private and public sectors. The person would need to be selected carefully in order for it not to be a politically motivated position. Compare this approach with what SOX did to publicly traded companies. SOX introduced threats of fines and jail time for company executives. Would the new National Cybersecurity Advisor be just as responsible? Could he or she be put in jail the next time critical infrastructure is breached? The obvious answer is that they would be shielded from any actual liability, resulting in nothing more than another political position.
If the federal government wants to start a real working relationship with the private sectors that manage critical infrastructure components like banking, utilities, and air/rail/auto traffic, then it needs to show us a sign of progress, beginning with all agencies passing the FISMA report card.