EggXpert.com
17 April 2009

Bill Breakdown: Cybersecurity Act of 2009

S. 773, the Cyber Security Act of 2009, was introduced by Senator John Rockefeller (D, WV) with Senators Evan Bayh (D, IN), Bill Nelson (D, FL), and Olympia Snowe (R, ME) as cosponsors.

Leslie Harris of the Center for Democracy and Technology (CDT):

"The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."

The Electronic Frontier Foundation's Jennifer Granick:

"Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government. This is a potentially dangerous approach that favors the dramatic over the sober response."

In forums and comment threads across the internet, users are typing in all caps, scared that this act will give the president unfettered power to "SHUT DOWN THE INTERNET". I've read the bill, and it is as scary as everybody makes it out to be, but let me remind you: one cannot simply shut down the Internet; that's virtually impossible.

There are a few ways for you to understand this legislation:

1. Read the full text of the bill, and use your superb linguistic abilities to comprehend it. Here's the full text.

2. Read this bill breakdown in its entirety. It'll take a while, but you'll understand everything about the bill and you'll know pretty well how to talk about it with others. In bold lettering throughout the text, you'll find key points which you can follow if you're speed reading it.

3. If you're lazy, just skip to the summary at the bottom. You'll get the main points of the bill, but it'll be out of context and you won't be well-read enough to discuss the bill with others.

I've broken the bill down into each section. I summarize what each section proposes and provide excerpts of the sections. Have fun.

Section 2, (6):

Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that the United States is unprepared to respond to a ‘cyber-Katrina’ and that ‘a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.’

In the full text, there are 14 "findings" in section 2, listed so as to justify the passing of the bill. Number 6 is pretty much the line of best fit for section 2. Section 3 of the bill would have the president create a permanent cybersecurity advisory panel that reports on the state of cybersecurity every 2 years.

Section 3, subsections (b)(1) and (2):

(b) QUALIFICATIONS- The President--

(1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and
(2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.

Section 4 calls for implementation of a "Real-time cybersecurity dashboard":

The Secretary of Commerce shall--

(1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce; and (2) implement the plan within 1 year after the date of enactment of this Act.

Section 5 would create regional cybersecurity centers, each affiliated with a U.S.-based non-profit organization. These centers would act as a hub between the National Institute of Standards and Technology (NIST) and small/medium-sized cybersecurity-related businesses/firms. The centers are subject to periodic evaluations to determine their eligibility for federal grant money to continue operations (the Secretary of Commerce makes the final decision).

Section 5, subsection (b), (1)-(5):

(b) PURPOSE- The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States through--

(1) the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to Centers and, through them, to small- and medium-sized companies throughout the United States;
(2) the participation of individuals from industry, universities, State governments, other Federal agencies, and, when appropriate, the Institute in cooperative technology transfer activities;
(3) efforts to make new cybersecurity technology, standards, and processes usable by United States-based small- and medium-sized companies;
(4) the active dissemination of scientific, engineering, technical, and management information about cybersecurity to industrial firms, including small- and medium-sized companies; and
(5) the utilization, when appropriate, of the expertise and capability that exists in Federal laboratories other than the Institute.

Cybersecurity standards and technologies invented by these regional centers and their affiliates are patentable under chapter 18 of title 35 of the United States Code.

Section 5, subsection (c)(6):

(6) PATENT RIGHTS TO INVENTIONS- The provisions of chapter 18 of title 35, United States Code, shall (to the extent not inconsistent with this section) apply to the promotion of technology from research by Centers under this section except for contracts for such specific technology extension or transfer services as may be specified by statute or by the President, or the President’s designee.

Section 6 would have NIST establish "measurable and auditable" cybersecurity standards that would be enforced in both the government and the private sector. It's difficult to summarize this section without misleading readers, so here is the relevant text. Section 6 would essentially make cybersecurity a hybrid government/private industry with the government making the rules for everyone, and I do want to bring one particular subsection to your attention.

Section 6, subsection (d)(1) and (2):

(d) COMPLIANCE ENFORCEMENT- The Director [of NIST] shall--

(1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and

(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.

Section 7 would have the Secretary of Commerce develop a certification program for "cybersecurity professionals" that would be legally required in order to provide cybersecurity services to any federal network or "critical information infrastructure" as designated by the president (i.e., the Internet).

Section 7, subsections (a) and (b):

(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

Section 8 essentially federalizes the Internet Assigned Numbers Authority (IANA), which means that the U.S. government is the sole authority on any changes made to DNS or Internet Protocol.

Section 8, subsections (a) and (b):

(a) IN GENERAL- No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel--

(1) has reviewed the action;
(2) considered the commercial and national security implications of the action; and
(3) approved the action.

(b) APPROVAL PROCEDURE- If the Advisory Panel does not approve such an action, it shall immediately notify the Assistant Secretary in writing of the disapproval and the reasons therefore. The Advisory Panel may provide recommendations to the Assistant Secretary in the notice for any modifications the it deems necessary to secure approval of the action.

Section 9 requires the development of a "secure domain name addressing system".

Section 9, subsection (a):

(a) IN GENERAL- Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President’s designee, as critical infrastructure information systems or networks.

Section 10 calls for a campaign to raise awareness of cybersecurity issues, and how the federal government helps out.

Section 10:

The Secretary of Commerce shall develop and implement a national cybersecurity awareness campaign that--

(1) is designed to heighten public awareness of cybersecurity issues and concerns;
(2) communicates the Federal Government’s role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities; and
(3) utilizes public and private sector means of providing information to the public, including public service announcements.

Section 11 consists of a ton of revisions to U.S. Code, altering the definitions of higher-learning institutes and whatnot, but the real beef of this section is what NIST will be responsible for should the bill pass.

Section 11, subsections (b), (c), and (d):

(b) SECURE CODING RESEARCH- The Director shall support research that evaluates selected secure coding education and improvement programs. The Director shall also support research on new methods of integrating secure coding improvement into the core curriculum of computer science programs and of other programs where graduates have a substantial probability of developing software after graduation.
(c) ASSESSMENT OF SECURE CODING EDUCATION IN COLLEGES AND UNIVERSITIES- Within one year after the date of enactment of this Act, the Director shall submit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology a report on the state of secure coding education in America’s colleges and universities for each school that received National Science Foundation funding in excess of $1,000,000 during fiscal year 2008.
(d) CYBERSECURITY MODELING AND TESTBEDS- The Director shall establish a program to award grants to institutions of higher education to establish cybersecurity testbeds capable of realistic modeling of real-time cyber attacks and defenses. The purpose of this program is to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real-world environment. The testbeds shall be sufficiently large in order to model the scale and complexity of real world networks and environments.

Section 12 details a scholarship-for-service program to recruit and train the next generation of cybersecurity experts. Financial grants will be given to 1,000 people per year, and in exchange, the recipients of the grant money must serve the federal government for the length of the scholarship.

Section 12, subsection (a):

(a) IN GENERAL- The Director of the National Science Foundation shall establish a Federal Cyber Scholarship-for-Service program to recruit and train the next generation of Federal information technology workers and security managers.

Section 13 would have NIST organize cybersecurity competitions for high school, undergraduate, graduate, and academic research levels, with cash prizes to encourage research into possible exploits, and fixes of those exploits in cybersecurity standards.

Section 13, subsection (a)(1) and (2):

(a) IN GENERAL- The Director of the National Institute of Standards and Technology, directly or through appropriate Federal entities, shall establish cybersecurity competitions and challenges with cash prizes in order to--

(1) attract, identify, evaluate, and recruit talented individuals for the Federal information technology workforce; and
(2) stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that have the potential for application to the Federal information technology activities of the Federal Government.

Section 14 contains within it the most senseless part of the entire bill. The Secretary of Commerce will be allowed access to all relevant information concerning critical information infrastructures, in both the public and private sector.

Section 14, subsection (b)(1):

(b) FUNCTIONS- The Secretary of Commerce--

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

Section 15 would set up an insurance market for cybersecurity.

Section 15, subsection (1):

Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology on the feasibility of--

(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance);

Section 16 requires that the president or the president's designee draft a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States.

Section 16, subsection (b):

(b) REPORT- Upon completion of the review, the President, or the President’s designee, shall submit a report to the Senate Committee on Commerce, Science, and Transportation, the House of Representatives Committee on Science and Technology, and other appropriate Congressional Committees containing the President’s, or the President’s designee’s, findings, conclusions, and recommendations.

Section 17 has the president or the president's designee report on the feasibility of creating an identity management and authentication system.

Section 17:

Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.

Section 18 is another controversial section: it gives the president the exclusive authority to limit or shut down "Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network...". And let's remember that the president gets to decide which information systems and networks are "critical infrastructure" (Section 6, subsection (d)(2)).

Section 18, subsections (2) and (6):

The President--

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

Section 19 calls for a comprehensive quadrennial review of the state of cybersecurity in the United States.

Section 19, subsection (a):

(a) IN GENERAL- Beginning with 2013 and in every fourth year thereafter, the President, or the President’s designee, shall complete a review of the cyber posture of the United States, including an unclassified summary of roles, missions, accomplishments, plans, and programs. The review shall include a comprehensive examination of the cyber strategy, force structure, modernization plans, infrastructure, budget plan, the Nation’s ability to recover from a cyberemergency, and other elements of the cyber program and policies with a view toward determining and expressing the cyber strategy of the United States and establishing a revised cyber program for the next 4 years.

Section 20 is more review of cybersecurity progress, on an annual basis.

Section 20:

The Director of National Intelligence and the Secretary of Commerce shall submit to the Congress an annual assessment of, and report on, cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructure.

Section 21 would have the president work with foreign governments to improve cybersecurity on an international basis.

Section 21, subsections (1)(A)(B) and (2):

The President shall--

(1) work with representatives of foreign governments--

(A) to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity; and
(B) to encourage international cooperation in improving cybersecurity on a global basis; and

(2) provide an annual report to the Congress on the progress of international initiatives undertaken pursuant to subparagraph (A).

Section 22 establishes a federal secure products and services acquisition board to ensure that all software and hardware for use in federal government is in compliance with NIST standards and whatnot.

Section 22, subsection (a):

(a) ESTABLISHMENT- There is established a Secure Products and Services Acquisitions Board. The Board shall be responsible for cybersecurity review and approval of high value products and services acquisition and, in coordination with the National Institute of Standards and Technology, for the establishment of appropriate standards for the validation of software to be acquired by the Federal Government. The Director of the National Institute of Standards and Technology shall develop the review process and provide guidance to the Board. In reviewing software under this subsection, the Board may consider independent secure software validation and verification as key factor for approval.

And that's everything.

Summary

What's bad about the bill?

This bill would federalize much of the cybersecurity industry, and the sheer amount of regulations coming out of NIST, the Secretary of Commerce, the president's advisory panel, and the aforementioned congressional committees would cripple the competitiveness of the industry.

The "cybersecurity dashboard" that section 4 creates would likely be a very, very unconstitutional invasion of our Fourth Amendment rights, especially considering the Secretary of Commerce would have unlimited access to all relevant data flowing in and out of any and all information systems (banking records, medical records, police databases, etc.) and networks, including the Internet.

If this bill were to pass into law, the President would get to decide which information systems and networks are "critical infrastructure", and he gets to decide which systems or networks to limit or shut down, in the name of "national security". It's absurd. That's much too much power in the hands of one person, and this entire bill would put way too much power in the hands of the executive branch.

The required national certification program is another overreaching proposal that would undoubtedly put a strain on small businesses that offer cybersecurity services.

The fact that IANA wouldn't be able to make a move without U.S. government approval is completely ridiculous. It's unclear whether IANA decisions that do not affect the U.S. would be subject to review by the Secretary of Commerce or not, but down the road, that would likely be the case considering the section about international cooperation.

NIST being involved in determining curriculum for public schools is a little questionable, and the fact that they have to keep track of the successes and failures of the curriculum and change it accordingly is even weirder.

The bill calls for the eventual creation of an "identification and authentication" system that remains within the bounds of privacy protections and civil liberties. But how can a system designed solely for the purpose of identifying persons on a network and authenticating their identity not violate privacy?

International cooperation on this issue would simply mean that our stupid ideas would be worked into the fabric of other countries.

What's good about this bill?

Cybersecurity is definitely an important issue, and secure networks would be a nice addition to the Internet of the future. But it's a pipe dream. The EFF makes a good point on this:

...it isn’t clear whether this provision [referring to this section] would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well.

So, it's the thought that counts. This bill would be better if you replaced it with a single sentence:

Make sure information and the Internet are more secure for the future, and that doesn't mean making a central authority responsible for everything, nor does it mean spying on everyone and everything.
