[Infowarrior] - Bill Would Federalize Cybersecurity
Richard Forno
rforno at infowarrior.org
Wed Apr 1 01:08:27 UTC 2009
(The "unprecedented authority" mentioned in para 3 is rather
disturbing .... there is NEVER a black-and-white decision tree during
a cyber incident....what matters is the context of the given
incident. I remain skeptical. --rf )
Bill Would Federalize Cybersecurity
Senate Proposal Would Affect Even Some Private Networks
By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684_pf.html
Key lawmakers are pushing to dramatically escalate U.S. defenses
against cyberattacks, crafting proposals that would empower the
government to set and enforce security standards for private industry
for the first time.
The proposals, in Senate legislation that could be introduced as early
as today, would broaden the focus of the government's cybersecurity
efforts to include not only military networks but also private systems
that control essentials such as electricity and water distribution. At
the same time, the bill would add regulatory teeth to ensure industry
compliance with the rules, congressional officials familiar with the
plan said yesterday.
Addressing what intelligence officials describe as a gaping
vulnerability, the legislation also calls for the appointment of a
White House cybersecurity "czar" with unprecedented authority to shut
down computer networks, including private ones, if a cyberattack is
underway, the officials said.
How industry groups will respond is unclear. Jim Dempsey, vice
president for public policy at the Center for Democracy and
Technology, which represents private companies and civil liberties
advocates, said that mandatory standards have long been the "third
rail of cybersecurity policy." Dempsey said regulation could also
stifle creativity by forcing companies to adopt a uniform approach.
The legislation, co-sponsored by Senate Commerce Committee Chairman
John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine),
was drafted with White House input. While the White House indicated it
supported some key concepts of the bill, there has been no official
endorsement.
Many of the proposals were based on recommendations of a landmark
study last year by the Center for Strategic and International Studies.
Currently, government responsibility for cybersecurity is split: The
Pentagon and the National Security Agency safeguard military networks,
while the Department of Homeland Security provides assistance to
private networks. Previous cybersecurity initiatives have largely
concentrated on reducing the vulnerability of government and military
computers to hackers.
A 60-day federal review of the nation's defenses against
computer-based attack is already underway, and the administration has
signaled its intention to incorporate private industry into those
defenses in an unprecedented way.
"People say this is a military or intelligence concern, but it's a lot
more than that," Rockefeller, a former intelligence committee
chairman, said in an interview. "It suddenly gets into the realm of
traffic lights and rail networks and water and electricity."
U.S. intelligence officials have warned that a sustained attack on
private computer networks could cause widespread social and economic
havoc, possibly shutting down or compromising systems used by banks,
utilities, transportation companies and others.
The Rockefeller-Snowe measure would create the Office of the National
Cybersecurity Adviser, whose leader would report directly to the
president and would coordinate defense efforts across government
agencies. It would require the National Institute of Standards and
Technology to establish "measurable and auditable cybersecurity
standards" that would apply to private companies as well as the
government. It also would require licensing and certification of
cybersecurity professionals.
The proposal would also mandate an ongoing, quadrennial review of the
nation's cyberdefenses. "It's not a problem that will ever be
completely solved," Rockefeller said. "You have to keep making higher
walls."
Last week, Director of National Intelligence Dennis C. Blair told
reporters that one agency should oversee cybersecurity for government
and for the private sector. He added that the NSA should be central to
the effort.
"The taxpayers of this country have spent enormous sums developing a
world-class capability at the National Security Agency on cyber," he
said.
Blair acknowledged there will be privacy concerns about centralizing
cybersecurity, and he said the program should be designed in a way
that gives Americans confidence that it is "not being used to gather
private information."