Amid calls for a comprehensive national strategy on cyber security, as well as stronger government leadership to ensure that security initiatives are implemented effectively, Sen. John D. Rockefeller IV and Sen. Olympia Snowe proposed a sweeping piece of legislation to address this significant and growing threat to the United States. This legislation comes in the wake of attacks on the Pentagon late last year and in the shadow of recent news of massive cyber espionage efforts spanning over 100 countries.
The following represent the major provisions of the proposed legislation at this time. Everyone should expect changes to be made as it works its way through the legislative process.
- Legislation proposed by Senator John D. Rockefeller IV and Senator Olympia Snowe calls for the establishment of an Office of the National Cyber Security Advisor that would take the lead on Internet security matters and coordinate with the Defense Department, intelligence community and the private sector.
- The proposed legislation calls for the creation of a Cyber Security Advisory Panel that is composed of outside experts from industry, academia, and nonprofit groups that would advise the president on related matters.
- The proposed legislation calls for the creation of a public/private clearinghouse for sharing cyber threat and vulnerability information, and for the establishment of measurable and auditable cyber security standards by the National Institute of Standards and Technology.
- The proposed legislation would also require that cyber security professionals be licensed and certified.
- The proposed legislation would also require that the Cyber Security Adviser conduct a review of the U.S. cyber security program every four years and require officials to complete a number of reviews and reports.
- The proposed legislation calls for the creation of state and regional cyber security centers to help small and midsize businesses adopt security measures.
- The proposed legislation would establish a Secure Products and Services Acquisitions Board that would review and approve the security and integrity of products purchased by the federal government.
- The proposed legislation would require government and private sector networks that control the critical infrastructure to comply with a set of cyber security standards established by the National Institute of Standards and Technology (NIST).
This legislation is past due! Report after report has highlighted the increased complexity and frequency of cyber attacks on business, government and our critical infrastructure. Delays in pushing this legislation through could have serious consequences. So time is of the essence in preparing for the passage and enactment of this legislation.
I offer the following recommendations for consideration in order to strengthen the proposed legislation. The legislation as it stands does not address mandatory reporting requirements for cyber security breaches, data and information theft, and other cyber security related incidents. If we are to track our progress, learn from these events and rapidly identify new cyber threats, mandatory reporting within 24 hours of discovery is critical. Another area of concern is training. While the proposed legislation touches on training, it does not specifically address continuing education. Cyber attack techniques and criminal scams are highly dynamic and rapidly evolving.
These factors combine to make continuing education necessary to stay aware of the latest developments in cyber security. A third concern rests in the area of testing, validation and verification of hardware and software. While this is not specifically addressed, it may be bundled into support and funding for research and development of the new validation and verification capabilities that are needed to mitigate this threat. The visibility of this issue has risen significantly since Alex Allan, Chairman of the British Joint Intelligence Committee, expressed his growing concern that government departments, the intelligence services and the military were all exposed to threats from computer and network hardware of foreign origin (citing the new BT Telecom network).
Finally, I was disappointed the legislation did not address an appointee to coordinate and push for an international accord that establishes open cooperation during investigations of cyber attacks and crime and also to stem the development of strategic cyber weapons.
While the devil is in the details, I think the proposed legislation, modified to include the four areas identified above, is a huge step toward securing our nation against cyber threats. And while the proposed legislation is mainly reactive, proactive measures can go a long way toward reducing risk.