S.773 – The Cyber Security Act of 2009 – part 3

Written by SoVaSec on June 12th, 2009


This is part three in a series reviewing the proposed cybersecurity legislation.

(e) FCC NATIONAL BROADBAND PLAN- In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.

At the end of section 6, I decided to carry this last paragraph over to the next article. Under the stimulus bill (the American Recovery and Reinvestment Act of 2009), funding is provided for new national infrastructure that brings new protection problems with it, including the smart grid for energy distribution and a new generation of air traffic control technology. The FCC is made responsible for reporting on the security of commercial broadband networks, and will receive stimulus money for evaluating their security.

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

This is a mandatory national license for computer and infrastructure security work. It covers anyone who provides cybersecurity services to a Federal agency, and anyone who does so for an information system or network that the President, or the President's designee, has designated as critical infrastructure. Critical systems can include Internet operations. Federal and local emergency response systems are already dependent on the Internet. In a national emergency or in wartime the government reserves the right to commandeer all forms of communication. This act would require anyone securing any of these systems to complete approved training and obtain a license in order to practice the security trade within the United States. Because "critical infrastructure" is so loosely defined, anyone who operates publicly accessible private equipment might be required to obtain this license in order to keep that equipment on the Internet.

SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.

The IANA functions are performed under a contract with the United States government, administered by the NTIA within the Department of Commerce; the work is currently carried out by ICANN. (IANA began as a Defense Department funded activity before the Commerce Department took over the contract in the late 1990s.) The bill makes it clear that this arrangement will not change quietly: no renewal or modification of the IANA contract becomes final until the Cybersecurity Advisory Panel created by the act has reviewed it and made its recommendations.

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM

This sets a three-year timetable for developing a strategy to implement a secure Domain Name System (DNS). The problem is political rather than technical: the industry has already developed a method of securing the domain name system, the DNS Security Extensions (DNSSEC), which let resolvers verify cryptographic signatures on DNS records. What remains for the government is to resolve the issues of domestic and foreign deployment. Federal and critical systems would be required to participate in the secure DNS. Internationally it would fall to the Department of State and the President to convince other nations to adopt the system.

SEC. 10. PROMOTING CYBERSECURITY AWARENESS.

The national cybersecurity awareness campaign will come complete with mascots and public service announcements. There will be awareness training beginning in the first years of school.  The goal of this is to not only create awareness of potential threats, but also to create an information and technology workforce for the future.

SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

In an effort to bring the United States to the front of this digital arms race, funding will be directed to research and development. The National Science Foundation will be given priority in researching how to design and build systems that are secure and reliable when first deployed. They will develop the ability to audit software, so that it "implements stated functionality and only that functionality". Part of this will involve "selected secure coding education and improvement programs", where the Director of the Foundation will look at ways to integrate secure coding into the "core curriculum of computer science programs" and "other programs where graduates have a substantial probability of developing software after graduation". Colleges and universities regularly receive funding from the NSF; any institution receiving more than one million dollars will have to release to the Foundation its statistics on computer science students and those in related fields. These figures will include the number of students likely to enter software design or development, whether or not they received secure coding education, and which classes they were enrolled in. The NSF wants to evaluate these programs and measure the students' ability "to master secure coding and design".

The NSF will also research identity and information assurance, including the ability to "determine the origin of a message transmitted over the Internet". The Foundation will support the development of new protocols for Internet security. Grants will be awarded for the creation of Internet test labs "sufficiently large in order to model the scale and complexity of the real world networks and environments". These labs will be used for war games, or in the bill's words "to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real world environment". Work will also be done on the balance between security and privacy, and on the problem of the insider threat.

SEC. 12. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

The Federal Cyber Scholarship-for-Service program pretty much introduces itself. I cannot restrain myself from mentioning that this was one of the solutions I reached independently. I phrased it as "trucker school"-like training. Instead of the student paying for expensive training, licensing, and equipment, these are provided in exchange for a promise to work for the company for some period of time. This is an alternative to the current certification process. Since operating the Internet is not quite the same as piloting eighteen wheels of Detroit iron, the government plans to start the kids off early. It will provide "a procedure for identifying promising K-12 students". These promising students would be eligible for summer programs and internships "that would lead to certification of Federal information technology workforce standards and possible future employment". Just as with trucking school, once the coursework is complete the job is waiting: the scholarship carries a commitment to work in the Federal cybersecurity workforce for a period tied to the length of the scholarship.

SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE.

The goal of this challenge is to “attract, identify, evaluate, and recruit talented individuals”. The competition would also serve to “stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration”. If they don’t get the recruit, they will still have access to their work.  These widely advertised challenges will be available for high school and college students. Institutions will also be allowed to compete for the millions of dollars in prize money.

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.

The Secretary of Commerce will have access to all relevant data concerning Federal and critical infrastructure networks "without regard to any provision of law, regulation, rule, or policy restricting such access". The Department of Commerce will serve as a clearinghouse for cybersecurity threat and vulnerability information, acting as liaison between the government and the private sector.

SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT.

This section puts a price on risk. It calls for a report to Congress on the feasibility of creating a market for cybersecurity risk management, including civil liability and insurance, and of requiring "cybersecurity to be a factor in all bond ratings".

SEC. 16. LEGAL FRAMEWORK REVIEW AND REPORT.

This section calls for “a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States”.  There are several acts specifically mentioned, but it also includes “any applicable Executive Order or agency rule, regulation, or guideline”.

SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT.

When the government starts discussing an "identity management and authentication program", it must also address the privacy concerns that follow along with it.

SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.

The President will develop a comprehensive national cybersecurity strategy. This strategy should include a long term plan. It will respect national security, and include the private sector. In a declared cybersecurity emergency the President may order the limitation or shutdown of Internet traffic to and from any compromised Federal or critical infrastructure system, and may order such systems disconnected in the interest of national security. The President also will "designate an agency to be responsible for coordinating the response and restoration" of the systems restricted or shut down. There will also be a department or agency which will "review equipment that would be needed after a cybersecurity attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment." There will be "periodic mapping of" Federal and "critical infrastructure information systems or networks", along with metrics to "measure the effectiveness of the mapping process". The President will also have the power to enforce regulations, and to bestow 'cyber-related' certifications on United States persons.

SEC. 19. QUADRENNIAL CYBER REVIEW.

Beginning in 2013 and every four years after that, the President will review the nation's cyber posture. The review will provide an unclassified summary and include recommendations for improvement.

SEC. 20. JOINT INTELLIGENCE THREAT ASSESSMENT.

The Director of National Intelligence and the Secretary of Commerce will make a yearly report to Congress on “cybersecurity threats” and “vulnerabilities of critical national information, communication, and data network infrastructure”.

SEC. 21. INTERNATIONAL NORMS AND CYBERSECURITY DETERRENCE MEASURES.

The President would "work with representatives of foreign governments" to develop international norms and cooperative arrangements for cybersecurity, in effect encouraging global adoption of America's new standards.

SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD.

This section is an attempt to address the ‘supply chain’ vulnerability. There is need for “review and approval of high value products and services”, and so there must be “the establishment of appropriate standards for the validation of software to be acquired by the Federal Government”, including “independent secure software validation and verification”. This act would require the approval of the Secure Products and Services Acquisitions Board for any product or service subject to federal standards.

This marks the end of part 3. A summary will be provided later.
