Cyber Security Bill of USA
The Cyber Security bill introduced in USA has expectedly
raised strong reactions in US against the enormous powers that the Bill
confers on certain agencies of the Government as well as the President.
Civil Liberty groups are the most worried lot since the security oriented
nature of the Bill threatens to reduce the Privacy protection available to
India has also recently passed amendments to ITA 2000
with several provisions directly related to creating an improved security
infrastructure in Cyber Space. The rules under the Act are being framed at
this point of time. Further the main opposition party viz BJP has also made
Cyber Security a part of its political agenda ahead of a major election. In
the light of these developments, it is interesting to analyse briefly the
salient provisions of the US Cyber Security Bill since it may throw several
suggestions which India can implement during the formation of the rules.
The Cyber Security Bill 2009 is characterized by the
recognition that "Unique nature of Cyber Security requires a new leadership
paradigm" and there is a need to establish a "single voice for Cyber
security within the Government". Yet another point the Bill has taken note
of is the recognition that software development processes have failed to
incorporate security in the development process.
The Bill suggests the setting up of a "Cyber Security
Advisory Panel" which may consist of a panel of representatives from the
industry, academia, NGOs etc as well as State and Local governments. The
panel is expected to provide advise on cyber security research, education,
technology etc. It will also address the Civil Liberty Concerns.
The Bill suggests creation and support of Regional Cyber
security centers for promotion and implementation of Cyber Security
standards in association with NGOs. These centers are expected to enhance
the Cyber Security of small and medium sized businesses through transfer of
necessary technology developed at the National Institute of Standards an
The Bill also proposes setting up of a research
programme to develop Cyber Security Metrics.
One of the interesting proposals is to establish
standards for measuring software security using a prioritized list of
software weaknesses known to lead to exploited and exploitable
vulnerabilities. Recognizing the Cyber terrorist threats to manufacturing
industries, the software security will include measuring security in
embedded software such as that found in industrial control systems.
It is also proposed that a standard will be established
for specifying the configuration of software on computer systems used by
Government, by Government contractors and Grantees, and in private sector
owned Critical infrastructure information systems and networks.
It is also proposed that software vendors should
communicate vulnerability data to software users in real time.
A standard testing and accreditation protocol for
software built by or for the Federal Government, its Contractors and
grantees and private sector owned Critical Infrastructure Information
Systems and networks is also being envisaged.
These developments are likely to have an impact on
Indian software manufacturers who are providing services to US agencies,
since many of their existing software products may need to be accredited
under the new scheme. They will also be required to keep adequate evidences
regarding meeting of the standards.
An appropriate compliance mechanism is expected to be
developed for the meeting of the suggested standards.
Yet another aspect of the Bill which catches our
attention is the proposal that there should be a national licensing policy
for Information Security Professionals. It will be unlawful for any
individual to engage in business in US or to be employed in US as a
provider of Cyber Security Services to any federal agency or a Critical
Another aspect the implications of which are unclear and
may need international debate is the suggestion to introduce "Secure Domain
Name Addressing System".
Consumer education and outreach programmes will be part
of the broadband connectivity programmes according to the Bill. Cyber
Security awareness creation is part of the suggestions to be implemented by
the secretary of commerce.
Fundamental Cyber Security Research is also being
suggested by the Bill including development of new protocols, identifying
the origin of message transmitted over the Internet, addressing internal
threats etc. Research will also be promoted in the area of "Secure Coding".
Education in "Secure Coding" would be encouraged in Colleges. Grants,
Funding, Scholarships etc are also being suggested for the purpose.
Competitions at various levels from Schools to research institutions are
recommended for grants.
It is also envisaged that a "Public-Private Clearing
House" of information exchange on Cyber threats is also suggested through
the department of commerce.
As a part of the implementation of the Cyber Security
responsibilities under the bill, a review of laws such as the Privacy
Protection Act 1980, Electronic Communications Privacy Act 1986, Computer
Security Act 1987, Federal Information Security Management Act of 2005,
E-Governance Act of 2002 is being suggested.
A Comprehensive National Cyber Security Strategy is
expected to be put in place within one year of the passage of the Cyber
Security Act which should have a long term vision on the nation's cyber
security future, participation of private sector in the security programme.
The Bill also envisages a power for declaration of
"Cyber Security Emergency" for the President of US which can order shutting
down of Internet traffic from any compromised Federal Government or
Critical Infrastructure system, designating an agency for recovery of such
The Bill also suggests that from 2013, there should be a
comprehensive review of Cyber Posture of US once in four years.
The Bill also suggests that the President shall work
with representatives of foreign governments to develop norms for
international cooperation in Cyber Security.
If we look at the Bill in totality, it is expected to
bring in major changes in the way Internet and Cyber Space is put to use.
The Bill has a bundle of innovative ideas, many of which have been strongly
supported and promoted by Naavi.org over the last few years.
The Bill also contains several suggestions which can be
introduced in India particularly when the rules under ITA 2008 are being
Naavi.org calls upon the Information Security Community
in India to study the provisions of this Bill, assess its impact on the
Indian IT industry and also pick ideas from it for local implementation.
April 05, 2009
Copy of Cyber Security Bill as
available on April 5, 2009
IT Vision of BJP
Related Articles in Naavi.org:
for BPOs, A Security Solution
Threats to Cyber Security, Vision-2009
Cyber Security Command for India recommended
Unified Approach to National Cyber Security
State level Cyber Law Advisory Group Required
National Netizenís Rights Commission Required in India