The Rockefeller-Snowe cybersecurity legislation is promising on several fronts, but if you actually plow through the bill's text, you'll find some questionable provisions and parts that beg for clarification.
To be sure, the new draft of the Cybersecurity Act of 2010 (S. 773) is an improvement over last year's version, which included an infamous "kill switch" that would give the president the authority to shut down the Internet in the event of a massive cyberattack. The idea went over like a lead balloon and Sen. Jay Rockefeller, who co-sponsored the revised legislation with Sen. Olympia Snowe (R-Maine), was careful to note that it "does not give any new or broader authority to the president." However, it does allow the president to declare a cybersecurity emergency -- without defining what would constitute a cybersecurity emergency.
Rockefeller says the legislation is designed to prepare the U.S. for a major cyberattack by providing a framework for private-public sector collaboration. Among other things, the bill would support major new R&D into cybersecurity, establish a certification program for security professionals, initiate a new cybersecurity public awareness campaign, and call on the private sector and government to share threat and vulnerability information.
Certainly, the bill takes several positive steps. With new threats emerging all the time, more cybersecurity R&D and increased efforts to develop and recruit the next generation of information security pros are critical. And the bill addresses a long-standing sore spot in the security industry by supporting research into integrating secure coding into core computer science curriculum.
But here's where it gets sketchy. The legislation also includes a plan for "positive recognition" for critical infrastructure companies that report compliance with cybersecurity risk measurement techniques and best practices. NIST is designated as the body to recognize and promote these best practices, but it's unclear what they would be. Moreover, how many companies would be eager to publicly proclaim themselves secure? What about a company that doesn't receive the positive recognition? Either way, a company could become a target for hackers based on public disclosure about the state of its security, says Paul Rohmeyer, a faculty member in the graduate school at Stevens Institute of Technology and a consultant. "It's a bad idea all around," he says.
The legislation also doesn't account for differences between industries and doesn't describe how it relates to existing mandates such as Gramm-Leach-Bliley, Sarbanes-Oxley and HIPAA, Rohmeyer says. Also, the creation of a training and certification program for critical infrastructure security pros will create a huge market for trainers, he adds, but there's no provision for how the trainers themselves would be qualified.
Other parts of the bill -- like the call for public-private collaboration on cybersecurity and information sharing -- are nothing new. Perhaps giving certain private sector executives access to classified threat information, as the legislation proposes, would make a difference. However, as industry analyst Richard Stiennon points out, the FBI's InfraGard already provides businesses with threat information.
Ultimately, how much the Cybersecurity Act would prepare the country for a cyberattack is anybody's guess. Rohmeyer for one isn't convinced it would help. He's hesitant to be too critical -- cybersecurity legislation is needed and this bill is generally headed in the right direction, he says -- but it leaves too many unanswered questions.
"If I'm a compliance officer in a company that's in one of the critical infrastructure industries, I don't know what my obligations are under this law," he says.
The Rockefeller-Snowe cybersecurity legislation is a good start but needs some work to truly address the country's pressing cybersecurity needs and not create more compliance headaches for businesses.
Marcia Savage is editor of Information Security. Send comments on this column to email@example.com