WASHINGTON – Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., Ranking Member Susan Collins, R-Me., and Federal Financial Management Subcommittee Chairman Tom Carper, D-De., Thursday introduced comprehensive legislation to modernize, strengthen, and coordinate the security of federal civilian and select private sector critical infrastructure cyber networks.
The Protecting Cyberspace as a National Asset Act of 2010, S.3480, would create an Office of Cyber Policy in the White House with a director accountable to the public who would lead all federal cyberspace efforts and devise national cyberspace strategy. A National Center for Cybersecurity and Communications within the Department of Homeland Security, also led by a director accountable to the public, would enforce cybersecurity policies throughout the government and the private sector. The bill would also establish a public/private partnership to set national cyber security priorities and improve national cyber security defenses.
The Committee will hold a hearing on the legislation June 15, 2010.
“The Internet may have started out as a communications oddity some 40 years ago but it is now a necessity of modern life, and sadly one that is under constant attack,” said Lieberman. “It must be secured – and today, Senators Collins, Carper, and I have introduced a bill which we believe will do just that. The Protecting Cyberspace as a National Asset Act of 2010 is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions, and attacks across the federal government and the private sector. The bill would establish a clear organizational structure to lead federal efforts in safeguarding cyber networks. And it would build a public/private partnership to increase the preparedness and resiliency of those private critical infrastructure cyber networks upon which our way of life depends.
“For all of its ‘user-friendly’ allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets. Our economic security, national security and public safety are now all at risk from new kinds of enemies — cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.
“The need for this legislation is obvious and urgent.”
Collins said: “As our national and global economies become ever more intertwined, cyber terrorists have greater potential to attack high-value targets. From anywhere in the world, they could disrupt telecommunications systems, shut down electric power grids, and freeze financial markets. With sufficient know-how, they could cause billions of dollars in damage and put thousands of lives in jeopardy. We cannot afford to wait for a ‘cyber 9/11’ before our government finally realizes the importance of protecting our digital resources, limiting our vulnerabilities, and mitigating the consequences of penetrations of our networks.
“Yet, for too long, our approach to cyber security has been disjointed and uncoordinated. Our vital legislation would fortify the government’s efforts to safeguard America’s cyber networks from attack. This bill would build a public/private partnership to promote national cyber security priorities and help prevent and respond to cyber attacks.”
Carper said: “Over the past few decades, our society has become increasingly dependent on the internet, including our military, government, and businesses of all kinds. While we have reaped enormous benefits from this powerful technology, unfortunately our enemies have identified cyber space as an ideal 21st century battlefield. We have to take steps now to modernize our approach to protecting this valuable, but vulnerable, resource. This legislation is a vital tool that America needs to better protect cyber space. It encourages the government and the private sector to work together to address this growing threat and provides the tools and resources for America to be successful in this critical effort.”
Key elements of the legislation include:
2. Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cyber security capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks. The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.
3. Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies’ practices of protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.
4. Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
5. Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
6. Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
7. Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
8. Requiring the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.
Among the bill’s supporters are: anti-virus software company Symantec; Karen Evans, former Administrator for E-Government and IT, Office of Management and Budget; Stewart Baker, former Assistant Secretary for Policy at DHS; the Intelligence and National Security Alliance; the Professional Services Council; and the Coalition for Government Procurement.