Cybersecurity legislation clears Senate committee

Bill includes certification and compliance mandates for the private sector.

Sen. John Rockefeller, D-W.Va., is one of two sponsors of the 2009 Cybersecurity Act. Haraz N. Ghanbari/AP

The Senate Commerce, Science and Transportation Committee on Wednesday passed legislation that would raise the profile of cybersecurity in the federal government and expand public-private partnerships against cyber threats.

The 2009 Cybersecurity Act (S. 773), approved by voice vote, would create a Cybersecurity Advisory Panel, establish a dashboard to monitor federal government information systems in real time, encourage information sharing between the private and public sectors, and regulate how agencies and businesses protect their networks. Ninety percent of critical infrastructure is owned and operated by the public sector.

Since Sens. John D. Rockefeller, D-W.Va., chairman of the committee, and Olympia Snowe, R-Maine, introduced the bill last April, it has undergone numerous changes, including putting into place steps to implement certification standards for cybersecurity professionals.

"All this will radically improve secure coding -- and everything in secure coding will help eliminate cyber threats," said Alan Paller, director of research at the SANS Institute, a cybersecurity training school.

"Our nation's answer in the past few threats has amounted to little more than a reactive hodgepodge of government directives and bureaucratic confusion," Snowe said. "So let it be known today that organizing a federal security strategy is a monumental undertaking."

The bill's most controversial aspects involve certification and compliance mandates imposed on the private sector. Employees in businesses that provide cybersecurity services to federal agencies would have to meet new national licensing standards if the current bill is passed. And software built for the federal government and systems owned by the private sector that are designated as "critical infrastructure information systems" would have to pass National Institute of Standards and Technology standards.

In a March 23 letter to Rockefeller and Snowe, leaders of the Business Software Alliance, Information Technology Industry Council and TechAmerica voiced concerns "regarding whether government can rapidly recognize best practices without defaulting to a one-size-fits-all approach."

The legislation "creates a compliance-focused framework that we think could hamper effective risk management, which we understand is not the intent," the letter stated.

Sen. Kay Bailey Hutchison, R-Texas, expressed concern during the markup, noting, "I think we need to carefully consider the connection between mandates on training for a small part of the workforce and potential gains to security. That linkage has not been established in my mind and I worry about the costs to small and midsize businesses."