Guest Post on Cybersecurity Legislation from Chris Bronk

What follows is a guest post from Chris Bronk, Information Technology Policy Fellow at Rice University’s Baker Institute for Public Policy. He’s a new member of USACM, but the post reflects only his thoughts on the Cybersecurity Act of 2012, and not necessarily those of USACM.

Digesting the New Senate Cybersecurity Legislation

by Chris Bronk

Senators Joe Lieberman, Susan Collins, Jay Rockefeller, and Dianne Feinstein introduced another cybersecurity bill in the U.S. Senate on February 14. “The Cybersecurity Act of 2012,” or S.2105, is yet another attempt by the Senate to bring to a vote a major piece of bipartisan legislation on information and communications security. There have been several efforts to produce new law on this front, but debate has often been mired in serious sticking points, with the “Internet kill switch,” under which the President would have the authority to close off the Internet, standing as perhaps the most rhetorically threatening of them. There is no kill switch in S.2105.

S.2105 considers a broad set of issues of interest to the federal government, the IT industry, and the operators of critical infrastructure. The bill lays out some pragmatic planks for determining responsibilities beyond the federal government, further bulking up national cyber security capabilities, and offering a roadmap for regulation of cyber security responsibility.

Significantly, S.2105 emphasizes the Secretary of the Department of Homeland Security (DHS) as the lead official on cybersecurity matters, with the usual exceptions for agencies in the Department of Defense and Intelligence Community. DHS has gradually grown a capability in cybersecurity, and S.2105 would expand it, combining the functions of DHS’s National Cyber Security Division, the Office of Emergency Communications, and the National Communications System into a single National Center for Cybersecurity and Communications. Presumably, this new center would operate in a manner similar to the Office of the Director of National Intelligence’s inter-agency function-specific centers, such as the National Counterterrorism Center.

Beyond the national center, S.2105 addresses another issue of great importance, the vulnerability of critical infrastructure – in both the public and private sectors – to cyber attack. The legislation lays out a process for designating critical infrastructure, assessing risks to it and “promulgat[ing] regulations to enhance the security of covered critical infrastructure against cyber risks.” This component will no doubt attract scrutiny as it assigns responsibilities and assesses liability – and the limitations thereof – with regard to the cybersecurity of critical infrastructure. (S.2105 also lays out standards on criticality, having to do with loss of life, service interruption, and severe economic damage, among others.)

Other elements of the bill consider the expanded staffing needs and the peculiarities of clearing non-government employees to handle sensitive or classified information. It also considers cybersecurity information sharing issues, reform of the Federal Information Security Management Act (FISMA), and education and R&D initiatives.

This bill may be able to clear previous obstacles and deliver to the President and the Department of Homeland Security the necessary authorities to move beyond piecemeal efforts in cyber security remedy and coordination. The Senate Homeland Security and Governmental Affairs Committee has already held a hearing on the bill, so there is interest in getting this legislation to a Senate vote sooner rather than later.

House Takes Another Crack at Updating NITRD

Yesterday the House Science, Space and Technology Committee approved legislation updating the High Performance Computing Act of 1991. That law, among other things, established the Networking and Information Technology Research and Development program (NITRD). NITRD was established to coordinate federal research and development in computing, and as computing knowledge and technology change, the law should try to keep up.

The House legislation aims to do just that, adding language to the existing law concerning cloud computing and cyber-physical systems, revising language concerning strategic planning for the program and its National Coordination Office, and further encouraging the National Science Foundation to use its programs to increase education in cybersecurity issues and to increase participation in the field by underrepresented groups.

The bill, H.R. 3834, now moves to the full House for a vote.

Hill Tech Happenings, Week of February 6

February 7

The House Science, Space and Technology Committee will review pending legislation, including a bill to amend the High Performance Computing Act of 1991.
10 a.m., 2318 Rayburn Building

February 8

The Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing on the cybersecurity of communications networks.
9:30 a.m., 2322 Rayburn Building