The proposed bill, formally known as the Cybersecurity Act of 2009, was filed on Wednesday by Sens. and . The legislation includes a long list of provisions that would give federal officials significant new authority to set and enforce data security standards for federal agencies, government contractors and key parts of the private sector.
For instance, the bill would empower the National Institute of Standards and Technology (NIST) to develop "measurable and auditable" security standards for government entities as well as companies in industries. Meanwhile, a companion bill that also was introduced by Rockefeller and Snowe calls for the addition of a within the Executive Office of the President.
But the provision that is attracting the most attention is buried deep in the 51-page bill, in a section blandly titled "Cybersecurity Responsibility and Authority." It would give the president broad authority to directly intervene in security matters in both the public and private sectors. For starters, the bill would give the president the power to declare security emergencies and then curtail or shut down Internet traffic to and from any compromised federal or critical infrastructure networks.
The measure would also enable the White House to order individual government or critical private-sector networks to be disconnected from the Internet for reasons of national security. In addition, the president could classify any corporate network as a piece of critical infrastructure.
The presidential-powers provision makes the proposed legislation "a sweeping federal takeover of cybersecurity" responsibilities, said Leslie Harris, president and CEO of the Center for Democracy and Technology, a Washington-based think tank and lobbying group. If the bill is signed into law as written, it would give the executive office "unfettered discretion" to exert control over private-sector networks on national security grounds, Harris claimed.
That could result in a "breathtaking power grab" by the White House, added Harris, who said the provision appears to assume that the government is better than the private sector is at identifying security threats and responding to them during emergencies.
Gartner Inc. analyst John Pescatore agreed that as currently written, the cybersecurity bill is a "major overreach." Some aspects of the bill would be welcome if they were focused specifically on improving , he said. NIST, for instance, should be playing a more active rule in developing government security standards, and the shouldn't be in charge of the federal security agenda, according to Pescatore.
"However, trying to have the government enforce cybersecurity standards on private industry would be a major step in the wrong direction," he said. "It would slow down the reaction time to new threats, not speed it up."
The Rockefeller-Snowe bill is loosely modeled on a set of issued last December by a commission that was set up by the Washington-based Center for Strategic and International Studies (CSIS) in late 2007, in an attempt to provide some external guidance to the next president.
James Lewis, director of the technology and public policy program at the CSIS, said that he thinks the proposed legislation does a good job overall of addressing several key security-related issues. "I love the bill," Lewis said. "It is really bold." But the provision granting the president new authority over private-sector networks will "trigger some debate," he conceded. "That is clearly going to be a problem for some people."
Lewis said he sees it as a "no-brainer" for the president to be able to exert whatever control is needed over federal networks in the interests of national security. He noted that the already has the authority to pull the plug on any military network that poses national-security risks. There's no reason why a similar authority shouldn't be extended to the executive office for all federal networks, he said.
"The larger issue is whether [the president] should have similar authority for critical infrastructure," Lewis added. "You have to think carefully about extending [such powers] to non-governmental sectors." Any control over private-sector networks that were granted to the White House under the bill would need to be properly scoped, he said.