A bill in the U.S. Senate that would allow President Barack Obama to shut down parts of the Internet during a cybersecurity crisis will likely be rewritten and needs input from private businesses, said a congressional staff member associated with the legislation.
The Cybersecurity Act of 2009, introduced in April by Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, contains “imperfect” language, said Ellen Doneski, chief of staff for the Senate Commerce, Science and Transportation Committee.
The bill, among other things, allows the U.S. president to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.” The sponsors of the bill are looking for input on that section and other parts of the bill, said Doneski, who works for Rockefeller, the committee chairman.
That section of the bill was an attempt to put into law who has the ultimate authority for protecting U.S. cyberinfrastructure, Doneski said Friday at a cybersecurity forum sponsored by Google and the Center for New American Security, a Washington, D.C., think tank. “We were trying to state the obvious: In an extreme cyberemergency or attack, the president ultimately has constitutional authority to protect the country,” she said. “It really wasn’t meant to go beyond that.”
Other speakers at Friday’s event said they welcomed new attention on cybersecurity by members of Congress and especially Obama. The president’s speech in late May, accompanied by a cybersecurity policy review, was “game-changing,” said Christopher Painter, cybersecurity director at the U.S. National Security Council.
Personal attention by Obama will drive cybersecurity changes in the U.S. government, Painter said.
“By far, the most important part of it was executive attention,” added Philip Reitinger, deputy undersecretary for national protection and programs at the U.S. Department of Homeland Security. “Nothing is more important for driving change in an organization … than executive attention.”
While the White House will get a cybersecurity director under Obama’s plan, DHS will continue to have significant cybersecurity authority. The agency’s cybersecurity goals include hiring more people with network security experience and developing a more comprehensive cybersecurity recovery plan, Reitinger said.
Reitinger and other speakers also talked about an oft-mentioned goal for cybersecurity: public/private partnerships. While Painter suggested that the term has lost its meaning, Reitinger said DHS and private companies need to better share information about attacks and vulnerabilities with each other.
Those partnerships need to be ongoing and sustained, not just come together to respond to an attack, said Liesyl Franz, vice president for information security and global public policy at TechAmerica, a tech trade group. Those partnerships need to be in place “so if something happens, there’s an organic way to respond,” she said.