Proposed Bill: Cybersecurity Act of 2009 (SB773)
By John 'J' Trinckes
June 10, 2010

First, let me apologize to my NWV readers for being away for so long. I’ve been pretty busy, and things have been somewhat quiet on the Internet front, with the exception of a couple of recent developments. As my readers are aware, I primarily concentrate my interests and opinions on cyber-related topics. As such, I wanted to make you all aware of some new steps that our government is taking to control the Internet. It is my belief that the Internet is still one of the last areas of true freedom. The Internet, or what is now being called Cyberspace, is still pretty much unregulated; however, this is going to change dramatically in the near future.

Cybersecurity Reforms

The House has just voted for some Cybersecurity Reforms. This new bill, which was an amendment offered by Rep. Jim Langevin (D-RI) and Rep. Diane Watson (D-CA), made its way into the annual defense spending bill. It passed the House by a fairly close margin of 229 to 186. The Senate, of course, passed its own version of the defense bill, which did not contain the Watson-Langevin amendment, but this can all be reconciled in conference before it is signed into law. This amendment creates a permanent National Office for Cyberspace and an Office of the Federal Chief Technology Officer (CTO) within the White House, assigning specific responsibilities to each new director. It also adds new cybersecurity requirements for federal agencies. According to the amendment, the Director of the National Office for Cyberspace will develop and oversee implementation of cybersecurity policies. The director will be appointed by the President and confirmed by the Senate. This position appears to have the same roles as the newly appointed White House Cybersecurity Coordinator, Howard Schmidt, but would have greater powers. (It will be curious to see if Mr. Schmidt gets nominated for this newly created position.)

The Federal CTO position blurs the lines between the federal CIO, Vivek Kundra, and the federal CTO, Aneesh Chopra. The Federal CTO will advise the President, agencies, and other governmental CIOs/CTOs on IT issues and establish public-private partnerships to “achieve knowledge of tech available to be used for improving government operations and information technology research and development activities”. (Here we go with the public-private partnerships again, but I think we all know what this means.)

The amendment also calls for the replacement of ‘periodic testing’ of cybersecurity with automated/continuous monitoring of controls. (I’m always nervous when the government calls for monitoring, but I digress.) In addition, the bill creates standards for training and qualifications of cybersecurity officials and the formal designation of a Chief Information Security Officer (CISO) for each agency.


Being in the security industry, I do agree with some of these ideas, but I am concerned about the ‘scope creep’ that may develop with the new powers granted to these Directors, especially with the new Lieberman Bill being proposed. Is this amendment just laying the foundation for the ultimate power grab over cyberspace? I believe this may be the case, as you will see in a moment.

As some of you may remember, I wrote about a bill proposed by Senators Jay Rockefeller and Olympia Snowe that gave the feds the power to disconnect any Federal Government or US critical infrastructure information system/network in the interest of national security. It warms my heart to hear that, due to the public outcry, it appears that these provisions have been tamed down. Unfortunately, the Lieberman Bill, co-sponsored by Senators Lieberman and Susan Collins, provides the Department of Homeland Security broad authority “to take over civilian networks’ security, if there’s an ‘imminent cyber threat’.” In this proposal, if the President issues a declaration of an imminent cyber threat covering critical infrastructures, the Director of the DHS National Center for Cybersecurity and Communications is supposed to “develop and coordinate emergency responses” and “mitigate or remediate the potential disruption.”

Now, you may think that this would be a good thing, but the bill further adds that the covered critical infrastructure “shall comply with any emergency measure or action developed by the Director”. In other words, the Director can take over any information system/network it deems to be under an imminent cyber threat. This emergency measure is not supposed to exceed thirty (30) days; however, the bill states that it can be “extended indefinitely, a month at a time.” Why does the government feel that private organizations can’t take care of these issues themselves? Being in the security industry, I know that most companies, especially those dealing with critical infrastructure assets, have business continuity plans in place to react to all kinds of situations. Companies have to follow these plans and keep their businesses open in any kind of situation, or they won’t be in business for long.

It appears that Senate staffers familiar with the bill DO acknowledge that it grants broad powers over private businesses; however, they say the emergency powers will only apply to a relatively small number of companies, and only in the most extreme cases. Seriously? I guess these staffers don’t realize that 80% of the assets considered part of the national critical infrastructure are owned and operated by private organizations. In addition, what constitutes the most extreme cases?

The staffers go on to describe what may or may not constitute an emergency situation, but this is pretty subjective and would definitely be determined ‘on the fly’ as situations occur. Since technology is ever advancing and attackers find new ways to disrupt cyber systems, it is going to be a never-ending battle to determine what constitutes an emergency and which private companies are considered part of the national critical infrastructure. There is definitely a fine line between security and freedom. We are now on the forefront of testing these boundaries.

“This is just one of those reasons why I hate stupid people.”

2010 John 'J' Trinckes - All Rights Reserved

John 'J' Trinckes, Jr. (CISSP, CISM, CEH, NSA-IAM/IEM, MCSE-NT, A+)

John ("Jay") is a Senior Information Security Consultant and former law enforcement officer. Jay is the author of a new book, “The Executive MBA in Information Security”, published by CRC Press, Taylor & Francis Group, an Auerbach Book, due out in October, 2009. Jay holds a Bachelor’s Degree in Business Administration/Management Information Systems from the Union Institute and University and has been a member of numerous security industry associations such as the FBI's InfraGard®, the Information Systems Security Association (ISSA), the International Association of Technology Professionals (IATP), the Information Systems Audit and Control Association (ISACA®), and the International Information Systems Security Certification Consortium (ISC2). When Jay isn’t working, he likes to spend his spare time with his family and friends.