Wednesday, November 18, 2009

Cybersecurity Act Passes House Committee

Members of Congress introduced legislation earlier this month that would address the increasing need for revamped cybersecurity measures in both the public sector and among industry. H.R. 4061, the Cybersecurity Enhancement Act of 2009, is actually a consolidated version of two separate Committee discussion drafts: the Cybersecurity Research and Development Amendments Act of 2009 and the Cybersecurity Coordination and Awareness Act of 2009. It was referred to the House Committee on Science and Technology on November 7 and passed the committee by a voice vote on Wednesday. The bill would extend and amend the Cyber Security Research and Development Act passed in 2002 to streamline federal investments in cybersecurity research and development. H.R. 4061 would also improve cybersecurity and technical standards in the workforce and encourage cybersecurity partnerships between the public and private sectors.

Cybersecurity has become a major topic of concern among legislators and executive agencies in recent months. On Tuesday, the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security held a two-panel hearing called "Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace" to discuss the growing risk of cyber attacks. The first panel included representatives from the Department of Homeland Security (DHS), Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Department of Defense (DOD). The second panel included Senior Counsel of the Center for Democracy and Technology and the President of the Internet Security Alliance. During the hearing, Deputy Assistant Director of the FBI's Cyber Division, Steven Chabinsky, testified that:
"the FBI is aware of and investigating individuals who are affiliated with or sympathetic to al-Qaeda who have recognized and discussed the vulnerabilities of the U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer hacking skills, and who are seeking more sophisticated capabilities . . . [I]t is worth remaining mindful that terrorists do not require long term, persistent network access to accomplish some or all of their goals. Rather, a compelling act of terror in cyberspace could take advantage of a limited window of opportunity to access and then destroy portions of our networked infrastructure. The likelihood that such an opportunity will present itself to terrorists is increased by the fact that we, as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks."
Philip Reitinger, Deputy Under Secretary of DHS's National Protection and Programs Directorate, agreed, adding that gaps exist in current cybersecurity laws such that new and growing threats are not being addressed.

Members of the panels disagreed, however, on how to best address cybersecurity in new legislation. Larry Clinton of the Internet Security Alliance spoke out against federally-regulated cybersecurity measures at private businesses and in favor of market-based initiatives, stating that "[f]ederally-imposed mandates on the broad private sector will not work and will be seriously counterproductive to both our economic security and our national security." However, Larry Wortzel, Vice Chairman of the U.S.-China Economic and Security Review Commission, testified in favor of some federal mandates of private cybersecurity measures, supporting the position that the National Security Agency (NSA) - as opposed to some other federal agency - should be in charge of regulating cybersecurity, with assistance from DHS.

The Government Accountability Office (GAO) also submitted testimony to the subcommittee, pinpointing weaknesses in federal information system security controls at federal agencies and reiterating previously-made suggestions for cybersecurity improvements.
