Late last month the Senate Commerce, Science and Transportation Committee, chaired by Sen. Jay Rockefeller, who also serves on the Intelligence Committee, unanimously passed an amended Cybersecurity Act of 2010.
The bill opens with a dramatic, eyebrow-raising flourish (lifted directly from the CSIS Commission on Cybersecurity for the 44th Presidency report) that is typical of the Washington cybersecurity debate:
“As a fundamental principle, cyberspace is a vital asset for the nation and the United States should protect it using all instruments of national power…”
Eventually, however, the bill gets down to detailed provisions on workforce development, plans and authority for improving cybersecurity, furthering knowledge development in the field, and enhancing public-private collaboration. Some critics have called it a cyber version of the Sarbanes-Oxley Act, with new certification and detailed reporting requirements that will create “an unmitigated disaster for the security industry, security professionals, and the security stance of the US government.”
With regard specifically to Internet governance issues, the bill's language has changed dramatically since its introduction in 2009. It fortunately no longer contains language pertaining to overseeing IANA decisions or promoting DNSSEC adoption, lest Congress be seen as imposing its will on ICANN and the Internet writ large.
But the bill now more clearly identifies what is within reach. It relies on the High-Performance Computing Act of 1991 (15 USC 5503), section 4(4), for its definition of “Internet”, which means “the international computer network of both Federal and non-Federal interoperable data networks.” In other words, just about any Internet protocol network, regardless of jurisdiction.
In addition, the bill requires creating a procedure to identify critical infrastructure:
“Within 90 days after the date of enactment…The President, in consultation with sector coordinating councils, relevant government agencies, and regulatory entities, shall initiate a rulemaking…to establish a procedure for the designation of any information system the infiltration, incapacitation, or disruption of which would threaten strategic national interests as a critical infrastructure information system under this Act.”
The bill's text also reasserts the Commerce Department's role (remember the 2006 DHS-sponsored specification that kicked off the whole DNSSEC root-signing debate?) in communicating “the Federal Government's role in securing the Internet and protecting privacy and civil-liberties with respect to Internet-related activities.” Under the bill, NIST will work with operators of “critical infrastructure information systems” (CIIS) to develop risk measurement and management techniques, as well as best practices. CIIS will be subject to a federal joint intelligence, threat and vulnerability assessment, and owners and operators of CIIS will have access to classified information and will participate in a threat and information clearinghouse that has yet to be established.
It will be interesting to see how the US-based ICANN, other registries, root server operators, and certain ISPs react to the prospect of being designated as CIIS.
Another interesting aspect is the research agenda the bill sets. The bill orders NSF, along with OSTP, to develop a federal cybersecurity research and development plan focused on meeting several challenges. It calls generally for work on how to “guarantee the privacy of an individual’s identity, information, or lawful transactions when stored in distributed systems or transmitted over networks” but specifically calls for identifying how to “determine the origin of a message transmitted over the Internet” as well as “build new protocols to enable the Internet to have robust security as one of its key capabilities.”
To accomplish this, it updates the Cybersecurity Research and Development Act (15 USC 7403(a)(1)) to include (among other things) work to “secure fundamental protocols that are at the heart of inter-network communications and data exchange” and allocates $800MM over the next four years for network security research grants. It also provides over $50MM/yr until 2014 for network security research centers.