S 413 Introduced – Cyber Security

Last Thursday Senators Lieberman (D, CT), Collins (R, ME) and Carper (D, DE) introduced S 413, the Cybersecurity and Internet Freedom Act of 2011. This bill would establish the Office of Cyberspace Policy (OCP) in the White House and the National Center for Cybersecurity and Communications (NCCC) in DHS. The OCP Director would have cyber security budget approval authority and the NCCC Director would have regulatory authority over cybersecurity activities within the Federal Government.

While this bill is mainly directed at “information infrastructure” there is one section in Title II that addresses cyber risks to covered critical infrastructure (§248) that very carefully never specifically limits its application to ‘information’ systems. That section requires the Director of the NCCC to “issue interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director” {§248(b)(1)} within 270 days of passage of this bill.

Generally speaking the wording of this section looks like the crafters intend for establishment of a regulatory scheme similar in construction and operation to the CFATS regulations for high-risk chemical facilities. This nine page section of the bill certainly deserves a more detailed look in future blogs.

According to a press release on the Homeland Security and Governmental Affairs Committee web site, there “is no so-called ‘kill switch’ in our legislation because the very notion is antithetical to our goal of providing precise and targeted authorities to the President”. In fact, §2(c) specifically says that under this legislation “neither the President, the Director of the National Center for Cybersecurity and Communications, or any officer or employee of the United States Government shall have the authority to shut down the Internet”. This kill-switch issue stalled the earlier version of this bill in the last session. Hopefully this bill will now have a chance to move forward in the legislative process.

BTW: The official GPO version of this bill is not yet available. Sen. Lieberman has made a copy of the bill available via a link on the Senate Homeland Security Committee web site.