Lieberman previews cybersecurity bill

Another day, another cybersecurity bill. Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., previewed the bullet points of a measure he plans to introduce later this year, which includes procurement reform that requires vendors to comply with security standards when selling technology solutions to federal agencies.

In a Friday speech before the Chamber of Commerce Cyber Security Task Force -- and a press announcement released soon after -- Lieberman outlined the five principles of his cybersecurity bill, which he expects to introduce with the Committee's Ranking Member Susan Collins, R-Maine:

  • A Senate-confirmed cybersecurity coordinator in the Executive Office of the President
  • Authority and personnel for the Homeland Security Department to monitor federal civilian networks and defend against malicious traffic
  • A mandatory risk-based approach, established by DHS, to secure the nation's critical infrastructure, including financial systems, electric power, and mass transit, and voluntary guidance for less critical companies
  • New acquisition policies to tighten the security of government systems
  • Recruitment strategy for hiring, retaining, and training cyber security personnel in the federal government

"We are well behind the curve," Lieberman said in his speech.

He emphasized the need to reform the 2002 Federal Information Security Management Act to "hold each agency accountable for good internal security practices" and "empower the chief information security officers within the agencies to give them the authority and resources to do their jobs."

In the private sector, computer network owners and operators should perform risk assessments to identify existing vulnerabilities and work with DHS to mitigate those vulnerabilities, he said, stopping short of recommending any "one-size-fits-all" strategy mandate, and DHS should implement a two-way information sharing system with the private sector for exchanging vulnerability and breach information.

He also suggested a voluntary cyber security standards program that encourages private sector companies to certify their solutions as compliant and earn a "seal," much like that used for Good Housekeeping or Energy Star recommended products, and a new acquisition policy to require vendors that sell technology to government to comply with certain security standards.

"We must ensure that federal agencies address security as they procure IT products and services, instead of after-the-fact through costly patches or additional purchases," Lieberman said. "In doing so, we believe we can incentivize the industry to offer more secure products and services to all of their clients."