April 01, 2009, 8:31 PM — Two U.S. senators have introduced legislation that would overhaul the nation's cybersecurity efforts, and would reportedly allow the government to regulate some private company cybersecurity efforts for the first time.
Senator Jay Rockefeller, a West Virginia Democrat, and Senator Olympia Snowe, a Maine Republican, introduced the legislation Wednesday but some details were not immediately available. Earlier Wednesday, the Washington Post reported that the legislation will include new mandates on government networks and on private networks that control electrical grids, water distribution and other essential services.
A spokeswoman for the Senate Commerce, Science and Transportation Committee, of which Rockefeller is chairman, said Wednesday she had few details about the bill Wednesday afternoon. The bill would establish a new national cybersecurity advisor in the executive office of President Barack Obama, and it would "remake the relationship between the government and the private sector on cybersecurity," a committee news release said.
"We must protect our critical infrastructure at all costs -- from our water to our electricity, to banking, traffic lights and electronic health records -- the list goes on," Rockefeller said in a statement. "It's an understatement to say that cybersecurity is one of the most important issues we face; the increasingly connected nature of our lives only amplifies our vulnerability to cyber attacks and we must act now."
Rockefeller said during a March 19 hearing that he and Snowe were working on a bill, with part of the focus on encouraging more U.S. students to study cybersecurity. But he also complained that few U.S. residents paid attention to the country's cybersecurity problems.
"I regard [cybersecurity] as a profoundly and deep troubling problem to which we are not paying much attention," he said then. "The problem is America is unacceptably exposed to massive cybercrime."
He called then for government leaders and the private sector to work together on cybersecurity. "We need a coordinated public-private response, and currently, one does not exist," Rockefeller said.
Rockefeller and other lawmakers have recently raised concerns that cyberterrorists could attack and bring down U.S. infrastructure, including banks, air traffic control, rail control and telecommunication. The legislation he has introduced roughly follows the guidelines set out in a December report from a commission of cybersecurity experts organized by the Center for Strategic and International Studies (CSIS), a Washington, D.C., think tank, according to the commerce committee news release.
But some cybersecurity experts have questioned whether new regulations for the private sector would improve security. "Security is an attitude and it's hard to legislate attitude," said Brian Chess, founder and chief scientist at Fortify Software, a cybersecurity vendor. "It has more to do with understanding the impact of insecure software on the organization. The companies that are leading in this area are doing it as part of a compliance effort but they recognize it is cheaper to deploy preventative security."
Earlier this week, Fortify released a white paper focused on building security into government software. That report looks at the best practices of organizations that have had good cybersecurity track records, and recommends that government organizations need strong leaders, strong cybersecurity expertise and a focus on preventative security standards.
In addition, government organizations need to push security in their acquisition processes and focus on fixing or replacing their legacy software, the report says.
"The issue is we've got to attach a new sense of urgency on [cybersecurity]," said Howard Schmidt, president and CEO of the Information Security Forum and an advisor to the CSIS cybersecurity group and to Fortify. "We go through this constant cycle of beating ourselves up, beating ourselves up, instead of getting it right from the onset."
Schmidt, a former cybersecurity advisor to eBay, Microsoft and the White House, called the Federal Information Security Management Act (FISMA) of 2003, a law that subjects federal agencies to annual cybersecurity reviews, a largely unsuccessful "exercise in paperwork." FISMA grades federal agencies in several security areas.
Instead of checking off the boxes that are part of the regulations, federal agencies could be working on preventative cybersecurity measures, he said.
"In some sense, it's good to know the house is on fire," added Chess. "But let's stop what's causing the fire."
