
FISMA Gets Teeth - S.773 and S.778 The Cybersecurity Act of 2009



S.773 is currently a draft bill. Good news. S.773 is only 55 pages, so many members of Congress may read it. Here is the Senate’s summary of S.773:

“A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective Cybersecurity defenses against disruption, and for other purposes.”

Sounds nice. Here is how it works: S.778 creates, within the Executive Office of the President, the Office of National Cybersecurity Advisor. This advisor is positioned, it seems, to be another Czar. A Czar is specially designed to operate outside of normal channels, checks and balances so as to be able to get things done quickly. This Czar will administer the agency formed by S.773. Here are some of the provisions for S.773:

  • It creates a certification for Cyber Security Professional.  People will be able to access study materials, and pass tests to become certified Cyber Security Professionals. The bill further defines that some public and private networks need to be managed or reviewed by a certified Cybersecurity Professional. It’s nice to have standards.
  • It creates an agency that is going to have a real-time Cyber Security Dashboard. Those dashboards are great. The real-time part is a little optimistic.
  • The Federal Government will periodically “map” public or private networks as needed.  The network under scrutiny will need to “share” information as requested.
  • During a Cyber Emergency, at-risk networks can be disconnected from the Internet.

There has been a lot of talk about this bill giving the government “control” over private networks. I did not find such a passage in the text of the bill. There are, however, passages allowing the Federal Government to collect information about or to disconnect networks.

I have a few thoughts on this bill:

  1. I would prefer for the bill to specify its scope more clearly, for example the security of the electrical grid, traffic signals, water supply, airports, hospitals, possibly stock exchanges, and other operations of national interest, but it doesn't.
  2. The bill does not explain what constitutes a Cyber Emergency. Who will define one? What is it? How often do they come along?
  3. The bill does not define whether the Cyber Security Professional will be an employee of the government or the organization running the network.
  4. Internet security breaches are a lot like those proverbial horses leaving the barn. The bill does not specify what would trigger a government disconnect of a public or private network, but what’s the point if the horses have left the barn? Or will these takeovers be somehow timed before the barn doors are left open? They must have a future-telling machine next to their real-time dashboard.

School House Rock, Jack Sheldon:

I'm just a bill.
Yes, I'm only a bill.
And I'm sitting here on Capitol Hill.
Well, it's a long, long journey
To the capital city.
It's a long, long wait
While I'm sitting in committee,
But I know I'll be a law someday
At least I hope and pray that I will,
But today I am still just a bill.


  • Yeah right! 5 years ago

    You know it's kinda funny, but in Iran the government has similar power. They actually had a Cyber Emergency recently. They were forced to shut down many bad news sites during the recent election protests. That certainly helped with their security. Not so much for the protesters. I hear protesters are being tried 100 at a time.

  • Sovereign 5 years ago

    You are an Obama stooge or you are just too afraid to say what you think. And if it's that you are afraid, then that fear in your gut should be all the more reason to voice your concerns clearly.

    You lay out all the facts but you don't do what you are supposed to do, which is make a conclusion. A conclusion that for example the bill is just another preparation that will be used to silence opposition when the power grabs are sea changes such as suspension of the Constitution, mass arrests and intimidation of opposing voices, shutdown of talk radio, and so on. You could even have concluded that there is nothing to worry about. Even that would have been better than your column without a conclusion.

  • Jack 5 years ago

    This bill is terrible! Nobody defends the Internet better than the thousands of private, public and freelance citizens do today. Adding red tape and standards only defaces the beauty of the Internet.

  • rybolov 5 years ago

    You're mixing internal and external. S.773 and S.778 are not for Government internal IT systems which are governed by FISMA. The bills are more about workforce development and critical infrastructure (Industrial Controls Systems and telecoms). I have a lengthy analysis of S.773 on my blog at