Cyber bill would reform FISMA, instate new DHS agency and appoint White House-level authority
A controversial Internet security bill proposed in 2010 by Sen. Joe Lieberman (I-Conn.) could yet become law in the current session of Congress, said Jeff Greene, counsel on the majority staff of the Senate Homeland Security and Governmental Affairs Committee.
"FISMA hasn't necessarily worked out as well as we had hoped," said Greene. "Current structures are disorganized, they're decentralized, they're inefficient and generally speaking, they're fairly weak."
Authorities must be streamlined, structured and formally codified with statutory authorizations, he said, and ideally, that would mean greater authority for the Homeland Security Department. Currently, DHS has no authority to direct cybersecurity regulations for the private sector.
Homeland Security should have an agency--much like the Federal Emergency Management Agency, Secret Service or the Transportation Security Administration--to protect the "dot gov" space, critical systems and critical infrastructure, said Greene. The DHS entity would enforce standards to be carried out by agency chief information officers and chief information security officers, he added.
Federal cybersecurity intervention in private sector critical infrastructure and systems--what some critics have called Lieberman's "kill switch" proposal--would not be taken lightly, said Greene, and would follow the DHS infrastructure protection definition in case of a cyber attack.
"This requires the disruption or destruction of a system that would cause a regional or national catastrophe. Which generally, by DHS regs, has been $25 billion first year damage, 2,500 immediate deaths or mass evacuations or relocations of citizens," said Greene. "So it's a pretty high bar. We're not talking about Amazon going down."
The bill would also instate a "White House-level office" for a presidentially appointed and Senate-confirmed head to direct action on cyber issues. "Howard Schmidt, while he has the stature given to someone appointed by the president, has not had that as a legal matter," said Greene.
"We are at great risk, and I think that's something that is not well accepted," he added. "We need people to re-conceptualize what we're talking about with cybersecurity. We're not just talking about identity theft or dollars being stolen, and we're not just talking about cyber espionage."
- see the bill, S.3480 "Protecting Cyberspace as a National Asset Act of 2010"