Rockefeller promises to address threats to cybersecurity

Senate Commerce Chairman John (Jay) Rockefeller will make cybersecurity a committee priority this year because he regards threats to the government's networks and infrastructure as "a profoundly and deeply troubling problem to which we are not paying much attention."

Rockefeller, who held a hearing Thursday on the topic, is working on legislation with Sen. Olympia Snowe, R-Maine, that he hopes will improve the country's cybersecurity posture.

President Obama's director of national intelligence, Dennis Blair, and Mike McConnell, who had the job under former President George W. Bush, have warned that the No. 1 threat to U.S. security is in the cyber realm, said Rockefeller. The West Virginian said that on the campaign trail, Obama spoke of naming a high-level cyber czar "but that has not happened."

Melissa Hathaway, a top adviser to McConnell, is about halfway through a 60-day review of federal cybersecurity efforts.

A draft version of the Rockefeller-Snowe bill would establish a White House cybersecurity office that reports directly to the president; require a comprehensive national cybersecurity strategy; and mandate a quadrennial cybersecurity review modeled after a Defense Department program.

The proposal obtained by CongressDaily would create a clearinghouse for cyber threat information-sharing and set up an advisory panel of industry, academic and nonprofit experts to advise the president.

Additionally, the draft would task the National Institute of Standards and Technology with writing enforceable standards that would apply to government and the private sector. It would create state and regional cybersecurity centers for small and medium-sized companies and establish international norms and deterrence measures in coordination with the State Department.

Cybersecurity student recruitment and the authorization of more R&D funding for the National Science Foundation are also part of the measure.

Security experts who testified agreed on the need for more federal R&D funding and a better working relationship between the government and the private sector. AT&T Chief Security Officer Ed Amoroso said his company regularly receives requests for proposals from agencies that do not include proper security protocols for a given project.

Eugene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, painted a bleak picture of the nation's preparedness. He said Hurricane Katrina-scale cyber attacks from nation states, organized gangs and individual hackers have been occurring for years and are being ignored. Because of the increasing sophistication of attackers, R&D needs to go beyond immediate, incident-specific fixes, Spafford said, touting the importance of long-term, high-risk research.