Patched cybersecurity act proposed in the Senate

Senator Jay Rockefeller introduces to the Senate an upgraded cybersecurity bill that requires cybersecurity certification and removes the President's power to shut down the Internet in the United States.
Written by Doug Hanchard, Contributor

Senator Jay Rockefeller, along with Senator Olympia J. Snowe, introduced to the Senate a redrafted Cybersecurity Act (of 2009) bill that makes two significant changes to the one originally introduced as S 773. Essentially, it is a complete rewrite of the original bill, but in reality it covers the same ground.

Several tech giants had serious concerns with the Bill, along with the EFF and EPIC. One of the key sections included legislation that empowered the President to shut down the Internet.

Reuters reports that several other sections have been changed or removed.

The new draft put out by Senators John Rockefeller and Olympia Snowe reflects consultation with industry groups and some changes to lessen tech industry opposition, said James Lewis, a technology expert with the think-tank Center for Strategic and International Studies.

The bill, which has gone through several drafts, had been stiffly opposed because, among other things, it allowed the president to shut down the Internet if needed for national security. It also required certification of cyber professionals.

One major change to the bill is that the president would no longer have the power to shut down the Internet unilaterally but would have to work with industry to draw up plans in the event of a national emergency. "They've said they'll call industry. They've bent over backwards to make people feel better about that," said Lewis.

Senator Rockefeller's draft included the following ORIGINAL language:


The President -

(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include

(A) a long-term vision of the Nation’s cybersecurity future; and

(B) a plan that encompasses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers;

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

(3) shall designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2);

(4) shall, through the appropriate department or agency, review equipment that would be needed after a cybersecurity attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment;

(5) shall direct the periodic mapping of Federal Government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process;

(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

(7) shall, through the Office of Science and Technology Policy, direct an annual review of all Federal cyber technology research and development investments;

(8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture;

(9) shall, through the appropriate department or agency, promulgate rules for Federal professional responsibilities regarding cybersecurity, and shall provide to the Congress an annual report on Federal agency compliance with those rules;

(10) shall withhold additional compensation, direct corrective action for Federal personnel, or terminate a Federal contract in violation of Federal rules, and shall report any such action to the Congress in an unclassified format within 48 hours after taking any such action; and

(11) shall notify the Congress within 48 hours after providing a cyber-related certification of legality to a United States person.

Reuters: One hot button issue that remains is a requirement that cybersecurity professionals be certified, something the tech industry had fought.

Senator Rockefeller's bill stated the following for any contractor working on a U.S. Government information system involving security:


    (a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

    (b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

The bill is a long way from going through without further revisions and a vote. It's not clear what organization would manage security certification standards or licenses and it is not clear if the President still has the authority to shut down government access to the Internet during a crisis. It would be logical to assume that he does regardless of what this bill proposes. The National Security Act of 1947 gives the President powerful federal government authority.

Revised Cybersecurity Act announced by Senator Rockefeller and Snowe.
