S.773 is currently a draft bill. Good news: S.773 is only 55 pages, so many members of Congress may read it. Here is the Senate’s summary of S.773:
“A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective Cybersecurity defenses against disruption, and for other purposes.”
Sounds nice. Here is how it works: S.778 creates, within the Executive Office of the President, the Office of National Cybersecurity Advisor. This advisor is positioned, it seems, to be another Czar. A Czar is specially designed to operate outside of normal channels, checks and balances so as to be able to get things done quickly. This Czar will administer the agency formed by S.773. Here are some of the provisions for S.773:
- It creates a certification for Cyber Security Professional. People will be able to access study materials, and pass tests to become certified Cyber Security Professionals. The bill further defines that some public and private networks need to be managed or reviewed by a certified Cybersecurity Professional. It’s nice to have standards.
- It creates an agency that is going to have a real-time Cyber Security Dashboard. Those dashboards are great. The real time part is a little optimistic.
- The Federal Government will periodically “map” public or private networks as needed. The network under scrutiny will need to “share” information as requested.
- During a Cyber Emergency, at-risk networks can be disconnected from the Internet.
There has been a lot of talk about this bill giving the government “control” over private networks. I did not find such a passage in the text of the bill. There are, however, passages allowing the Federal Government to collect information about or to disconnect networks.
I have a few thoughts on this bill:
- I would prefer for the bill to specify its scope more clearly, for example the security of the electrical grid, traffic signals, water supply, airports, hospitals, possibly stock exchanges, and other operations of national interest, but it doesn't.
- The bill does not explain what constitutes a Cyber Emergency. Who will define one? What is it? How often do they come along?
- The bill does not define whether the Cyber Security Professional will be an employee of the government or the organization running the network.
- Internet security breaches are a lot like those proverbial horses leaving the barn. The bill does not specify what would trigger a government disconnect of a public or private network, but what’s the point if the horses have left the barn? Or will these takeovers be somehow timed before the barn doors are left open? They must have a future-telling machine next to their real-time dashboard.
School House Rock, Jack Sheldon:
I'm just a bill.
Yes, I'm only a bill.
And I'm sitting here on Capitol Hill.
Well, it's a long, long journey
To the capital city.
It's a long, long wait
While I'm sitting in committee,
But I know I'll be a law someday
At least I hope and pray that I will,
But today I am still just a bill.