May 28, 2010 at 9:50 am #101542
Melissa Hathaway’s Nine Cybersecurity Bills to Watch
May 21, 2010 – Eric Chabrow
Melissa Hathaway probably knows more about what’s going on with cybersecurity legislation before Congress than even the lawmakers who sponsor these bills; heck, she likely understands more about these measure than the key staffers who are the brains behind them.
Since leaving the White House last summer, Hathaway – who led President Obama’s 60-day cyberspace review last year – has become involved in a variety of IT security ventures, including becoming a senior adviser at the Belfer Center for Science and International Affair at Harvard University’s Kennedy School of Government. There she conducts research and writes about IT security. One of her projects is to track cybersecurity legislation before Congress.
Hathaway this past week completed a 31-page report documenting some 40 IT security bills before Congress. The report provides an analysis on the wide range of topics they address including organizational responsibilities; compliance and accountability; data accountability, personal data privacy, data breach handling and identity theft; cybersecurity education, research and development and grants; critical electric infrastructure protection and vulnerability analysis; international cooperation on cybercrime; and procurement, acquisition and supply-chain integrity.
Here are nine bills Hathaway characterized as “legislation to watch,” along with her analysis of them:
* Data Breach Notification Act, S 139, would normalize the 46 state data breach laws into one national umbrella. It may be expanded to include more than personal identifiable information. “One issue with this bill is that it would consolidate all reporting to the U.S. Secret Service, which is not helpful for broader information sharing with industry or across government.”
* Data Accountability and Trust Act, HR 2221, was approved by the House in December and requires internet service providers to make victims aware of infections if they see a breach across their networks. “It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone.”
* International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692, requires the president to produce an annual report to Congress providing an assessment of every country’s level of information and communications technology utilization and development; assesses how each country’s legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. “This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated five years of ‘bad behavior.'”
* Cybersecurity Enhancement Act, HR 4061, which passed the House in February. Among its key provisions: creating an office for a national coordinator for IT security research and development. “While this is non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it’s not clear how the new office will interact with the current [White House Office of Science and Technology Policy] responsibilities.”
* FISMA II, S. 921 – also known as the United States Information and Communications Enhancement Act or U.S. ICE – updates the Federal Information Security Management Act of 2002 from compliance driven (check-list) to measures that are performance based and could address IT procurement reform.
* Intelligence Authorization Act, HR 2071, strengthens America’s intelligence capabilities, and improves congressional oversight of our intelligence agencies. The measure also contains multiple congressionally directed actions for the Comprehensive National Cybersecurity Initiative. “It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts and more effectively prevent the spread of weapons of mass destruction.”
* Cybersecurity Act of 2009, S 773, combines audits, industry-developed and government-backed standards, increased information-sharing and other mechanisms to bolster private-sector cybersecurity. The measure also known as the Rockefeller-Snowe Bill, establishes a presidential-level cybersecurity advisory panel and a national clearinghouse for information sharing as well as extend the Scholarship for Service program and increases the National Science Foundation’s budget for R&D.
* The Grid Reliability and Infrastructure Defense Act, HR 5026, amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to require measures to protect against system vulnerabilities if it finds that the North American Electricity Reliability Corp. standards are insufficient. If enacted, the legislation would provide a security framework for the smart grid.
* Energy and Water Appropriations Act 2010 has already been signed by President Obama. It appropriates $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, that will be used to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.
Hathaway concludes her report, calling on congressional leaders to set legislative priorities for cyberspace.
You must be logged in to reply to this topic.