A Senate committee is set to consider a bill that would grant the president emergency power over critical infrastructure networks, in addition to creating cybersecurity offices within the White House and U.S. Department of Homeland Security (DHS).
The Protecting Cyberspace as a National Asset Act of 2010, introduced last Thursday by Sens. Joe Lieberman, I-Conn.; Susan Collins, R-Maine; and Tom Carper, D-Del., is intended to strengthen and coordinate the security of federal civilian and critical infrastructure networks.
Critics, however, worry the bill may give too much power to government in controlling systems and networks interlinked with the private sector.
The Senate Homeland Security and Governmental Affairs Committee plans to take up the legislation at a hearing Tuesday. Among the many provisions included in the nearly 200-page bill is one that would allow the president to declare a “national cyber emergency.” The president also would be able to authorize emergency measures to protect public or private critical infrastructure in the event or imminent threat of a cyber vulnerability, according to a summary of the legislation.
The bill, however, would not authorize the use of any new surveillance mechanisms or allow the government to take control of private networks.
If enacted into law, the bill also will create a new office within DHS, called the National Center of Cybersecurity and Communications (NCCC), to be headed up by a Senate-confirmed director who would be tasked with leading federal efforts to protect public and private networks. The NCCC would be responsible for enforcing cybersecurity policies throughout government and the private sector.
“The [bill] is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions, and attacks across the federal government and the private sector,” Lieberman, chairman of the Senate Homeland Security Committee, said in a statement. “The bill would establish a clear organizational structure to lead federal efforts in safeguarding cyber networks.”
The bill would require the newly created NCCC to work with the private sector and establish security requirements to strengthen the cybersecurity posture of critical infrastructure. It would require certain critical infrastructure operators to report breaches to the NCCC, which would, in turn, share threat information with critical infrastructure operators.
Additionally, the bill would create an Office of Cyberspace Policy within the president's executive office, which also would be led by a Senate-confirmed director, who would advise the president on cybersecurity matters, oversee all cyberspace activities and be tasked with developing a national cybersecurity strategy.
The proposed law also would implement changes to the Federal Information Security Management Act (FISMA) to update the way agencies protect their networks and systems. Another provision would require the development of a supply chain risk management strategy to address vulnerabilities in technology implemented by the federal government.
The bill has been met with both praise and criticism.
James Lewis, director of technology and public policy at the Center for Strategic International Studies (CSIS), told SCMagazineUS.com on Tuesday that the bill has some worthy goals but contains “a lot of baggage that overcomplicates the effort.”
For example, giving cybersecurity authority to the DHS could pose problems, Lewis said.
“In real life, it's hard for agencies to tell the other agencies to do something,” Lewis said. “I think the White House would have to play a bigger role than the bill gives it.”
Meanwhile, Matt Olney, senior research engineer at network security company Sourcefire, told SCMagazineUS.com on Tuesday that he believes the bill gives the government too much authority over the critical infrastructure.
“When you get into an emergency situation and the government can step in and take over elements of critical infrastructure … it's a probably larger chunk of power than necessary,” Olney said.
TechAmerica, a trade association representing the U.S. IT industry, has questioned the “unintended consequences” that could result from such sweeping legislation.
Provisions of the bill are meant to focus on critical infrastructure, but doing so is impossible because of the interconnected nature of systems and networks, the association said.
“If the bill passes in its current form, it will turn the [DHS] into a significant regulatory agency,” Phil Bond, president and CEO of TechAmerica, said in a statement. “Regulations like these could seriously undermine the very innovation we need to stay ahead of the bad actors and prosper as a nation.”
TechAmerica did, however, applaud a number of other provisions included in the bill, including those to support research and development in cybersecurity, bolster the federal cybersecurity workforce and address supply chain threats.
Meanwhile, a separate but similar bill introduced last month in the U.S. House of Representatives also seeks to establish a cybersecurity office within the executive branch. The Executive Cyberspace Authorities Act of 2010, introduced by U.S. Reps. Jim Langevin, D-R.I. and Michael McCaul, R-Texas, would create a National Cyberspace Office within the executive branch that would “serve as the principal office for coordinating issues relating to achieving an assured, reliable, secure and survivable information infrastructure and related capabilities for the federal government.”