Bills call for cyber adviser, private network security regulations

Sen. Olympia Snowe, R-Maine, introduced the legislation with Sen. John D. Rockefeller. Scott J. Ferrell/CQ/Newscom

Two senators introduced bills on Wednesday that would establish a direct cybersecurity adviser to the president and regulate how governments and businesses protect their networks from attack, strong actions that security professionals said are necessary to thwart global threats.

Sens. John D. Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, jointly introduced two bills, one of which raises the profile of cybersecurity within the federal government, while the other streamlines cyber-related functions and authorities and tightens the relationship between government and the private sector on cybersecurity, according to a summary document.

The bills "could do more to improve cybersecurity than any action in the last decade," said Jim Lewis, director and senior fellow for the technology and public policy program at the Center for Strategic and International Studies.

Lewis served as program director for the CSIS Commission on Cybersecurity for the 44th Presidency, which released recommendations in December 2008 for improving cybersecurity practices in government, a number of which are included in the bills.

"This looks like the game-changer -- or at least the conversation-changer," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Its reach is far greater than any cyber bill I have ever seen, extending deep into corporate America."

The first bill, which has no title, establishes a national cybersecurity adviser within the White House to "serve as the principal advisor to the president for all cybersecurity-related matters." The adviser would "furnish timely and appropriate recommendations, information and advice to the president in connection with the administration and execution of laws relating to cybersecurity."

The new position also would have full access to information from all federal cyber program activities, and would review and approve cybersecurity-related budget requests.

The second bill, titled the 2009 Cybersecurity Act, is more comprehensive. It calls for the president to establish an advisory panel made up of qualified specialists from the public and private sectors who would offer advice on cybersecurity. The bill also requires a threat and vulnerability assessment of government systems and of the corporations that own the nation's critical infrastructure, such as electric utilities, energy producers and transportation systems. A public-private clearinghouse would be established so the federal government and owners of the critical infrastructure could share information on cyber threats and vulnerabilities.

"The bill serves to raise the visibility of this critical national issue," said Bruce McConnell, former IT policy chief at the Office of Management and Budget and a member of the CSIS commission. "Government must take the lead, in close partnership with private sector owners and operators, to protect our critical infrastructures from the growing cyber threat."

The Cybersecurity Act would require the National Institute of Standards and Technology to develop cybersecurity standards for government, contractors and operators of the systems that control the nation's critical infrastructure. A newly created acquisitions board would certify that products the federal government purchased meet security standards, and regional cybersecurity centers would be set up to support small- and medium-size businesses complying with the standards.

Corporations currently oversee the security of their computer networks, although some industries have established standards for protecting information.

"The market has failed by definition and thus public policy is necessitated," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team. "Hopefully, the private sector will comprehend that legislation like this creates long-term comparative advantage for American industry and subsequent technological sustainability."

Once a cybersecurity plan is developed, the bill calls for the national cybersecurity adviser to review the U.S. cybersecurity program every four years, including strategy, budget, plans and policies, to ensure federal efforts address both existing and emerging threats.