funsec mailing list archives

Fwd: [Infowarrior] - WH draft bill expands DHS cyber responsibilities


From: Paul Ferguson <fergdawgster () gmail com>
Date: Fri, 15 Apr 2011 16:20:38 -0700

FYI,

- ferg


---------- Forwarded message ----------
From: Richard Forno <rforno () infowarrior org>
Date: Fri, Apr 15, 2011 at 3:37 PM
Subject: [Infowarrior] - WH draft bill expands DHS cyber responsibilities
To:



White House draft bill expands DHS cyber responsibilities

April 15, 2011

By Jason Miller
Executive Editor
Federal News Radio

http://federalnewsradio.com/index.php?nid=35&sid=2345684

Under a White House plan, the Homeland Security Department will have
far-reaching oversight over all civilian agency computer networks.

The proposal would codify much of the administration's memo from July
2010 expanding DHS's cyber responsibilities for civilian networks.

The White House, however, is taking those responsibilities further,
according to a source familiar with the document. The administration
drafted a legislative proposal to give DHS many, if not all, of the
same authorities for the .gov networks that the Defense Department has
for the .mil networks.

Federal News Radio recently viewed a draft copy of the legislative proposal.

"I have to question why the Executive branch is writing legislation,"
said the source, who requested anonymity because they were not
authorized to talk about it. "This is not a proposal or white paper
like the White House usually sends to Capitol Hill. This is the actual
legislation."

The source said the 100-page document is going through interagency
review. DHS sent the document around to agencies late last Friday and
asked for comments by Monday. The source said few agencies had time to
take a hard look at the document, especially in light of the possible
government shutdown.

Sources on Capitol Hill and in government confirmed the White House is
working on such a proposal.

A DHS spokesman said the agency doesn't comment on pending legislation.

Incorporates Senate cyber bill, OMB memo

The bill would bring together legislative proposals by Sens. Joseph
Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Carper (D-Del.),
as well as Office of Management and Budget's memo from July 2010
expanding DHS's authorities.

"The cybersecurity legislation being developed in Congress is a large,
complex bill with wide-ranging implications, and several Senate
committees are involved in its drafting," said committee spokeswoman
Leslie Phillips. "The two primary committees of jurisdiction -
Homeland Security and Commerce - completed the bulk of their work last
August and ironed out several remaining differences by the end of
March this year. However, other committees and the White House are
critical to the completion of this bill."

In a statement, Lieberman said, "We have been waiting with great
anticipation for the White House to weigh in on the best way to
protect the American people from catastrophic cyber attacks. If the
White House is on the same path we're on, the Senate should be able to
approve comprehensive cybersecurity legislation this year."

Collins said in a floor statement in February about the new bill that
the legislation would make DHS a strong partner in the process of
securing agency networks, but the White House will be the central
point for all cybersecurity across the government.

The Lieberman, Collins and Carper bill would establish a National
Center for Cybersecurity and Communications in DHS.

"It would be located within the Department of Homeland Security to
elevate and strengthen the Department's cyber security capabilities
and authorities," Collins said. "This Center also would be led by a
Senate-confirmed director. The Cyber Center, anchored at DHS, will
close the coordination gaps that currently exist in our disjointed
federal cyber security efforts. For day-to-day operations, the Center
would use the resources of DHS, and the Center Director would report
directly to the Secretary of Homeland Security. On interagency matters
related to the security of federal networks, the director would
regularly advise the President - a relationship similar to the
director of the National Counterterrorism Center on counterterrorism
matters or the chairman of the Joint Chiefs of Staff on military
issues. These dual relationships would give the director sufficient
rank and stature to interact effectively with the heads of other
departments and agencies, and with the private sector."

A second source said the proposal also gives DHS much of the Federal
Information Security Management Act (FISMA) authorities that currently
fall under OMB, such as policy development and issuance, and the
creation of performance measures, guidelines and training.

The first source said the proposal actually goes further than previous
bills and memos. The source said the DHS secretary would have broad
authorities and oversight responsibilities similar to what Gen. Keith
Alexander has with DoD's U.S. Cyber Command.

DHS oversees all civilian cybersecurity

The bill authorizes DHS, in coordination with OMB, "to exercise
primary responsibility of operational aspects of IT security in
agencies" that is consistent with OMB guidance. The DHS secretary
"shall oversee agency security implementations, the implementation of
policies" and compliance with policy and regulatory requirements.

DHS and OMB also would issue "compulsory and binding directives,"
oversee the implementation of agency information security policies,
review agency information security programs, designate a person to
receive information on security threats and issues, and address
incident response.

The bill exempts national security and DoD systems from DHS oversight.

Under one version of comprehensive cybersecurity legislation, DHS
would get four senior vice president level executives for
cybersecurity. But this latest proposal from the White House would
change that by adopting DoD's hiring authorities.

The first source said DHS could make direct hires, set compensation
rates as necessary and pay additional benefits and incentives. DHS
also would establish a scholarship program for employees to pursue
college or advanced degrees in cybersecurity, and it reactivates the
industry-to-government and government-to-industry exchange program for
cybersecurity professionals.

The authorities in the bill are similar to those the Office of
Personnel Management approved for DHS in September 2009. DHS received
Schedule A authorities for cyber positions.

The proposal also would give DHS a significant role in cyber-related
procurements. The source said the language in the bill is "vague"
about what kind of role DHS will play.

Google provision around data centers?

Additionally, the source said there is a provision toward the end of
the document that could have far-reaching effects.

The provision states: "Prohibition, no law, rule, regulation or order
or other administrative action of any state or political subdivision
shall require a business entity to house a data center in such state
or political subdivision thereof as a condition to certify, licensure
or approval in relating to operation of such entity."

The source said the provision means the government can't stop a
company from doing business in a state, but if the state is doing a
procurement, they can't tell the business to locate a data center in
their state.

The provision also defines what a data center is and says the language
will "promote efficiency and innovation."

The source called it the "Google provision" since the search engine
giant hosts its data in centers around the world.

There are some exceptions, such as if the data center is being used
only for state business and not shared among users across business
sectors.

In addition to federal cybersecurity, the bill goes into details about
cyber crime and critical infrastructure security.

For instance, under cyber crime, the proposal would expand the Computer
Fraud and Abuse Act to include a series of criminal offenses for
cyber attacks and confidentiality abuses. It also would expand the
Racketeer Influenced and Corrupt Organizations (RICO) Act to establish
criminal penalties for cyber crime.

Under critical infrastructure protection, the bill lets the DHS
secretary decide what is critical infrastructure, assess and audit systems
for cyber resilience, and create an industry of third-party accreditors
and evaluators to assess private sector owners' and operators' systems
for meeting cybersecurity requirements.

The proposal also requires the development of voluntary consensus
standards by industry, academic and government experts for each
sector.

The bill states that owners and operators of critical infrastructure
shall develop cybersecurity measures, and a senior accountable
official must sign and attest to their implementation. The bill adds
that the form must remain on file and available for review, inspection and
evaluation by third-party evaluators.

The bill continues to move through interagency review and there is no
stated timetable for moving it to the Hill for formal consideration,
sources say.

This story is part of Federal News Radio's daily Cybersecurity Update.
_______________________________________________
Infowarrior mailing list
Infowarrior () attrition org
https://attrition.org/mailman/listinfo/infowarrior



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.