Summary of the Cyber-Security Act of 2009

S.773 is currently a draft bill. Good news: S.773 is only 55 pages, so many members of Congress may read it. Here is the Senate's summary of S.773:

“A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective Cybersecurity defenses against disruption, and for other purposes.”

Sounds nice. Here is how it works: S.773 creates, within the Executive Office of the President, the Office of National Cybersecurity Advisor. This advisor is positioned, it seems, to be another Czar. A Czar is specially designed to operate outside of normal channels, checks and balances so as to be able to get things done quickly. This Czar will administer the agency formed by S.773. Here are some of the provisions of S.773:

  • It creates a certification for Cyber Security Professional. People will be able to access study materials and pass tests to become certified Cyber Security Professionals. The bill further defines that some public and private networks need to be managed or reviewed by a certified Cybersecurity Professional. It's nice to have standards.
  • It creates an agency that is going to have a real-time Cyber Security Dashboard. Those dashboards are great. The real-time part is a little optimistic.
  • The Federal Government will periodically "map" public or private networks as needed. The network under scrutiny will need to "share" information as requested.
  • During a Cyber Emergency, at-risk networks can be disconnected from the Internet.

There has been a lot of talk about this bill giving the government "control" over private networks. I did not find such a passage in the text of the bill. There are, however, passages allowing the Federal Government to collect information about networks or to disconnect them.

I have a few thoughts on this bill:

  1. I would prefer for the bill to specify its scope more clearly, for example the security of the electrical grid, traffic signals, water supply, airports, hospitals, possibly stock exchanges, and other operations of national interest, but it doesn't.
  2. The bill does not explain what constitutes a Cyber Emergency. Who will define one? What is it? How often do they come along?
  3. The bill does not define whether the Cyber Security Professional will be an employee of the government or of the organization running the network.
  4. Internet security breaches are a lot like those proverbial horses leaving the barn. The bill does not specify what would trigger a government disconnect of a public or private network, but what's the point if the horses have already left the barn? Or will these takeovers be somehow timed before the barn doors are left open? They must have a future-telling machine next to their real-time dashboard.

The following summary was written by the Congressional Research Service, a well-respected nonpartisan arm of the Library of Congress.
Cybersecurity Act of 2009 - Directs the President to establish or designate a Cybersecurity Advisory Panel to advise the President. Defines "cyber" as: (1) any process, program, or protocol relating to the use of the Internet or an intranet, automatic data processing or transmission, or telecommunication via the Internet or an intranet; and (2) any matter relating to, or involving the use of, computers or computer networks. Directs the Secretary of Commerce to: (1) develop and implement a system to provide cybersecurity status and vulnerability information regarding all federal information systems and networks managed by the Department of Commerce; and (2) provide financial assistance for the creation and support of Regional Cybersecurity Centers for small and medium sized U.S. businesses. Requires the National Institute of Standards and Technology (NIST) to establish cybersecurity standards for all federal government, government contractor, or grantee critical infrastructure information systems and networks. Makes NIST responsible for U.S. representation in all international cybersecurity standards development. Directs the Secretary to develop or coordinate a national licensing, certification, and recertification program for cybersecurity professionals and makes it unlawful to provide certain cybersecurity services without being licensed and certified. Requires Advisory Panel approval for renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority. Requires development of a strategy to implement a secure domain name addressing system. Requires the National Science Foundation (NSF) to support specified types of research and to establish a program of grants to higher education institutions to establish cybersecurity testbeds. Amends the Cybersecurity Research and Development Act to expand the purposes of an existing program of computer and network security research grants. 
Requires the NSF to establish a Federal Cyber Scholarship-for-Service program. Requires NIST to establish cybersecurity competitions and challenges to recruit talented individuals for the federal information technology workforce and stimulate innovation. Requires the Department of Commerce to serve as the clearinghouse of cybersecurity threat and vulnerability information. Grants the Secretary access to all relevant data concerning such networks notwithstanding any law or policy restricting access. Directs the President to: (1) develop and implement a comprehensive national cybersecurity strategy; (2) on a quadrennial basis, complete a review of the cyber posture of the United States; and (3) work with representatives of foreign governments to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity. Requires the Director of National Intelligence and the Secretary of Commerce to submit to Congress an annual report on cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructure. Establishes a Secure Products and Services Acquisitions Board to review and approve high value products and services acquisition and establish validation standards for software to be acquired by the federal government.