Trade Law Daily is a service of Warren Communications News.

Cybersecurity Working Draft Gives Adviser Power to Cut Off Networks

The cybersecurity bill in development by Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., would go far beyond the education and research funding he proposed in a hearing last week (WID March 20 p2). According to a summary of a staff working draft that we obtained, the bill would create an Office of the National Cybersecurity Adviser in the Executive Office of the President. The adviser would coordinate with the intelligence community and civilian agencies, but apparently not the Defense Department, which isn’t mentioned in the summary. The draft is dated March 18.

The White House adviser would have the authority to disconnect a government or critical infrastructure network from the Internet if it’s found to be at risk of cyber attack. The adviser would lead a review of cybersecurity every four years, modeled after a DoD review on a cycle of the same length. The director of national intelligence and the secretaries of Homeland Security and Commerce would put together an intelligence threat and vulnerability assessment report on private critical infrastructure.

The working draft would create a “clearinghouse” to share data between the government and critical infrastructure operators, as well as a cybersecurity advisory panel with industry, academic and nonprofit representatives to advise the president. The National Institute of Standards and Technology would get the job of setting “enforceable” cybersecurity standards to apply to the government and business. The White House adviser would develop a professional licensing and certification program, and work with the secretary of state to devise international strategy on cybersecurity. State and regional cybersecurity centers would be created to help small and midsized companies take action.

A Secure Products and Services Acquisitions Board would set security standards for federal purchases and certify products as compliant. AT&T Chief Security Officer Edward Amoroso told the committee last week that his company often attaches a security plan to its procurement applications, because agencies don’t always ask security questions. The NTIA would be required to adopt a secure domain-name addressing system, presumably meaning the use of DNS Security Extensions.

The bill would expand a “cyber service” scholarship program authorized by executive order, tripling to 1,000 the number of students headed for federal service after graduation. The government would create an annual cybersecurity competition and prize to draw in recruits and increase cybersecurity R&D at the National Science Foundation. The White House adviser would study the feasibility of creating a market that would place a dollar value on cybersecurity risk.

The working draft includes what appear to be suggestions for revisions. One says a proposal for the White House adviser to make recommendations on protecting civil liberties should be moved up from section four of the working draft to section two. “The privacy crowd is very sensitive and always complains that they look like an afterthought.” That section also would have the White House adviser study the feasibility of an identity management and authentication program. Another comment cautions against the preamble’s description of the government’s “sophisticated systems” to protect its own networks from cyber espionage. “Some gov [sic] networks leak like a sieve,” the comment said. There’s also the touchy matter of who will perform the working draft’s “comprehensive legal review” of the statutory and regulatory framework of cybersecurity. A comment asks whether the adviser, Justice Department or Congress would run the review.

A version of the working draft dated March 19, provided by the committee, makes a few wording changes but otherwise follows the March 18 version we obtained. Notably, it changes the earlier version’s reference to the “sophisticated systems” that protect federal networks to simply “systems.” The later version also scraps the provision requiring the NTIA to adopt a secure domain-name addressing system.

Rockefeller’s proposal shouldn’t be seen as pushing the Department of Homeland Security out of cybersecurity, a committee aide told us. The bill simply moves cybersecurity beyond DHS, with the White House adviser coordinating efforts across DHS, the National Security Agency, DOD, NSF and NIST, the aide said. Jim Lewis, who led the Center for Strategic and International Studies’ influential cybersecurity commission, told us the working draft’s recommendations go further than the commission’s. But the proposal concentrates on “doing all the things DHS didn’t have time to do,” such as creating cybersecurity standards. The U.S. Computer Emergency Readiness Team and National Cyber Security Division at DHS, for example, would seem to be untouched, Lewis said.