[Infowarrior] - A bill to shift cybersecurity to White House

Richard Forno rforno at infowarrior.org
Sun Mar 22 01:53:07 UTC 2009


March 20, 2009 6:00 PM PDT
A bill to shift cybersecurity to White House
by Stephanie Condon

http://news.cnet.com/8301-13578_3-10200710-38.html
Forthcoming legislation would wrest cybersecurity responsibilities  
from the U.S. Department of Homeland Security and transfer them to the  
White House, a proposed move that likely will draw objections from  
industry groups and some conservatives.

CNET News has obtained a summary of a proposal from Senators Jay  
Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) that would create an  
Office of the National Cybersecurity Advisor, part of the Executive  
Office of the President. That office would receive the power to  
disconnect, if it believes they're at risk of a cyberattack,  
"critical" computer networks from the Internet.

"I regard this as a profoundly and deeply troubling problem to which  
we are not paying much attention," Rockefeller said at a hearing this  
week, referring to cybersecurity.

Giving the White House cybersecurity responsibility was one of the top  
recommendations of a commission that produced a report last year to  
advise President Obama on cybersecurity issues. However, the Homeland  
Security Department, which currently has jurisdiction over  
cybersecurity, has insisted the reshuffling of duties is not needed.

Given the enormity of cybersecurity threats, the responsibility is a  
natural fit for the White House, said James Lewis, a director and  
senior fellow at the Center for Strategic and International Studies,  
which issued last year's commission report.

"The Obama administration has an adviser on energy and climate change,  
and that's good and important," Lewis said, "but we're still in the  
mode that cyber is less important."

While the bill is still in draft form and thereby subject to change,  
it would put the White House National Cybersecurity Advisor in charge  
of coordinating cyber efforts within the intelligence community and  
within civilian agencies, as well as coordinating the public sector's  
cooperation with the private sector. The adviser would have the  
authority to disconnect from the Internet any federal infrastructure  
networks--or other networks deemed to be "critical"--if found to be at  
risk of a cyberattack.

The private sector will certainly speak out if this provision is  
included in the final draft of the bill, a representative of the  
technology industry who spoke on condition of anonymity said.

"You can be assured that if that idea is put into legislation we would  
certainly have views on it," he said. "It's not trivial."

While the person did not take a stance on whether the White House is  
the appropriate place to put cybersecurity jurisdiction, he said,  
"cybersecurity is a cross-cutting issue, across all government  
agencies, so leadership at the top is useful."

The bill could also make the proposed cyber adviser responsible for  
conducting a quadrennial review of the country's cybersecurity  
program, as well as for working with the State Department to develop  
international standards for improving cybersecurity.

The draft version of the bill also establishes a clearinghouse for the  
public and private sectors to share information about cyberthreats and  
vulnerabilities. It also creates a Cybersecurity Advisory Panel  
consisting of outside experts from industry, academia, and nonprofit  
groups to advise the president.

Because many federal contracting officers do not currently include  
security provisions into federal procurements, the bill could also  
establish a "Secure Products and Services Acquisitions Board" to  
review and approve all federal acquisitions.

At Thursday's hearing, Edward Amoroso, AT&T's senior vice president  
and chief security officer, said the federal procurement process  
"needs to be upgraded to implement sufficient security protections."

Some industry groups are warning, however, that adding customized  
requirements to the government's procurement process may inhibit the  
government's ability to take advantage of the innovations and cost  
benefits available from commercial technology.

"Simply put, the government cannot reach its security goals by  
compromising its access to commercial solutions and processes, nor can  
it technologically or financially afford it," the Business Software  
Alliance wrote in a memo to Melissa Hathaway, the acting senior  
director for cyberspace at the White House National and Homeland  
Security Councils, who is conducting a 60-day review of cybersecurity  
programs for President Obama. "Rather than imposing overbroad security  
requirements, government needs to be selective and limit them to  
high-criticality systems."

The bill may also subject both government and private sector networks  
to cybersecurity standards established by the National Institute of  
Standards and Technology. It may also provide for a professional  
licensing and certification program for cybersecurity professionals.

The senators also want to create greater general awareness of the  
importance of cybersecurity, so the legislation would expand  
scholarships for students studying cybersecurity, create an annual  
cybersecurity competition and prize for students, and initiate a  
cybersecurity awareness campaign. It would also increase cybersecurity  
research and development funding for the National Science Foundation.

Lewis said he is very pleased with the Senate's work on this bill so  
far.

"Having a knowledgeable and powerful group of senators that are  
willing to pick up the ball and run with it is really encouraging," he  
said.

Given the broad nature of the legislation--which spans intelligence  
and homeland security issues, as well as commerce issues--Rockefeller  
may have to work with the leaders of the Senate Homeland Security  
Committee and other leaders in the Senate to shape the final version.

An industry representative said, though, that Rockefeller's previous  
experience chairing the Select Committee on Intelligence will improve  
the bill's chances of advancing.

"His personal credibility and experience allow him to play a role that  
another chairman might necessarily have been able to play," the  
industry representative said.

