Creates Cyber Director with Sway Over Agency Infosec Budgets

Eric Chabrow, Executive Editor,
February 18, 2011

Legislation to establish a White House Office of Cyberspace Policy, with its Senate-confirmed director to have influence over agencies’ IT security budgets, was introduced late Thursday by the leaders of the Senate Homeland Security and Governmental Affairs Committee.The Cybersecurity and Internet Freedom Act of 2011 also would reform the way IT security would be governed in the federal government, emphasizing real-time monitoring of government IT systems and a move away from paper-compliance under the Federal Information Security Management Act of 2002. The bill would require each agency to designate a qualified, senior official as chief information security officer.

The bill also would prohibit the president from employing a so-called “Internet kill switch.” “The term ‘kill switch’ has become the ‘death panels’ of the cybersecurity debate,” Committee Chairman Joseph Lieberman, ID-Conn., said in a statement accompanying the bill. “There is no so-called ‘kill switch’ in our legislation because the very notion is antithetical to our goal of providing precise and targeted authorities to the president. Furthermore, it is impossible to turn off the Internet in this country.”

The bill’s cosponsors are ranking member Susan Collins, R-Maine; and Thomas Carper, D-Del., who chairs a committee subcommittee with IT security oversight.

Budgeting Authority

Among the responsibilities of the director of cyberspace policy would be the review of the IT security budgets of federal agencies. The director would not have veto power over agencies IT security budgets. But the director could submit a new budget to the Office of Management and Budget if her or she feels the one offered by an agency does not meet the goals of the nation’s cyberspace policy.

A survey by of government IT security practitioners released this week (see Gov’t Infosec Pros Question Fed’s Security Resolve) at the RSA 2011 IT security conference shows that a majority favor granting a White House cybersecurity director budgeting authority.

A spokeswoman for Carper said most of the provisions in the new bill mirror those found in the comprehensive bill (see Senators Unveil Long-Awaited Cybersecurity Bill) the three senators introduced last June, including: Designating the cyberspace policy director as leading and harmonizing federal efforts to secure cyberspace and developing a national strategy that incorporates all elements of cybersecurity policy, including military, law enforcement, intelligence and diplomacy. The director would oversee all federal activities related to the national strategy to ensure efficiency and coordination. The director would report regularly to Congress in the interests of transparency and oversight.

  • Assigning day-to-day authority in implementing government cybersecurity policy to a Senate-confirmed director of the National Center for Cybersecurity and Communications, or NCCC, who would report to the secretary of Homeland Security and to the president through the Office of Cyberspace Policy. The NCCC would also oversee the United States Emergency Response Team, or U.S.-CERT, and lead federal efforts to protect public and private sector cyber and communications networks.

  • Working with the private sector through the NCCC to establish risk-based performance standards to enhance cybersecurity for the nation’s most critical infrastructure. Owners and operators of critical infrastructure covered by the act would be permitted to choose the combination of security measures to meet the risk-based performance standards.

  • Reforming the Federal Information Security Management Act, the 9-year-old law that governs how federal agencies secure their IT systems by jettisoning the paper-based compliance process with one that emphasizes continuous monitoring of computer systems and red-team assaults by “friendly hackers” to test vulnerabilities.

  • Requiring development of a comprehensive supply chain risk management strategy to address cyber risks to the information technology products and services the federal government relies upon. This strategy would allow agencies to make informed decisions when purchasing IT products and services.