At the beginning of the year, the chances that some sort of cybersecurity legislation would reach the president's desk by the end of 2010 were remote. But as of today, there are a half dozen such bills circulating, and the sense of urgency is there, thanks to a huge and largely unremarked-upon public lobbying campaign by the defense industry that may or may not comport with the actual level of threat. I don't mean that as a snide aside; I just don't know how vulnerable we are at this moment.
Today, the Senate Homeland Security and Government Affairs Committee unveils its legislation, which would create a Senate-confirmable cyber director in the executive office of the president and imbue him or her with significant emergency powers.
The Protecting Cyberspace as a National Asset Act of 2010 (PC-NNA ... PC Nana?) is "designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions, and attacks across the federal government and the private sector," its chief author, Sen. Joe Lieberman, will say in prepared remarks today. "The bill would establish a clear organizational structure to lead federal efforts in safeguarding cyber networks. And it would build a public/private partnership to increase the preparedness and resiliency of those private critical infrastructure cyber networks upon which our way of life depends."
According to a summary of the legislation, the Act would also create a "responsible" framework for giving the executive branch significant emergency power in the event of a major intrusion or threat.
The President must notify Congress in advance about the threat and the emergency measures that will be taken to mitigate it. Any emergency measures imposed must be the least disruptive necessary to respond to the threat. These emergency measures will expire after 30 days unless the President orders an extension. The bill does not authorize any new surveillance authorities, or permit the government to "take over" private networks.
Industry will read this part of the bill very carefully, as will civil libertarians. The White House believes it already has a lot of these powers, although it welcomes Congress's attempt to codify them, but my sense is that the National Security Staff does not want to create any new cyber infrastructure within the already over-burdened executive office of the president, and isn't keen on having the top two cyber positions be Senate confirmable.
The bill would create another Senate-confirmable position, the head of a new National Cybersecurity and Communications Center inside the Department of Homeland Security; the new NCCC would be responsible for threat prevention and mitigation. It would develop risk-based standards for infrastructure with industry and oversee their implementation. Private entities whose power plants or grids or systems are considered vulnerable and critical could choose among a menu of standards.