Let's Build a Responsible Cyber Society




Cyber Security Bill of USA

The Cyber Security bill introduced in USA has expectedly raised strong reactions in US against the enormous powers that the Bill confers on certain agencies of the Government as well as the President. Civil Liberty groups are the most worried lot since the security oriented nature of the Bill threatens to reduce the Privacy protection available to individuals.

India has also recently passed amendments to ITA 2000 with several provisions directly related to creating an improved security infrastructure in Cyber Space. The rules under the Act are being framed at this point of time. Further the main opposition party viz BJP has also made Cyber Security a part of its political agenda ahead of a major election. In the light of these developments, it is interesting to analyse briefly the salient provisions of the US Cyber Security Bill since it may throw several suggestions which India can implement during the formation of the rules.

The Cyber Security Bill 2009 is characterized by the recognition that "Unique nature of Cyber Security requires a new leadership paradigm" and there is a need to establish a "single voice for Cyber security within the Government". Yet another point the Bill has taken note of is the recognition that  software development processes  have failed to  incorporate security in the development process.

The Bill suggests the setting up of a "Cyber Security Advisory Panel" which may consist of a panel of representatives from the industry, academia, NGOs etc as well as State and Local governments.  The panel is expected to provide advise on cyber security research, education, technology etc. It will also address the Civil Liberty Concerns.

The Bill suggests creation and support of Regional Cyber security centers for promotion and implementation of Cyber Security standards in association with NGOs. These centers are expected to enhance the Cyber Security of small and medium sized businesses through transfer of necessary technology developed at the National Institute of Standards an Technology.

The Bill also proposes setting up of a research programme to develop Cyber Security Metrics.

One of the interesting proposals is to establish standards for measuring software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. Recognizing the Cyber terrorist threats to manufacturing industries, the software security will include measuring security in embedded software such as that found in industrial control systems.

It is also proposed that a standard will be established for specifying the configuration of software on computer systems used by Government, by Government contractors and Grantees, and in private sector owned Critical infrastructure information systems and networks.

It is also proposed that software vendors should communicate vulnerability data to software users in real time.

A standard testing and accreditation protocol for software built by or for the Federal Government, its Contractors and grantees and private sector owned Critical Infrastructure Information Systems and networks is also being envisaged.

These developments are likely to have an impact on Indian software manufacturers who are providing services to US agencies, since many of their existing software products may need to be accredited under the new scheme. They will also be required to keep adequate evidences regarding meeting of the standards.

An appropriate compliance mechanism is expected to be developed for the meeting of the suggested standards.

Yet another aspect of the Bill which catches our attention is the proposal that there should be a national licensing policy for Information Security Professionals. It will be unlawful for any individual to engage in business in US or to be employed in US as a provider of Cyber Security Services to any federal agency or a Critical Infrastructure system.

Another aspect the implications of which are unclear and may need international debate is the suggestion to introduce "Secure Domain Name Addressing System".

Consumer education and outreach programmes will be part of the broadband connectivity programmes according to the Bill. Cyber Security awareness creation is part of the suggestions to be implemented by the secretary of commerce.

Fundamental Cyber Security Research is also being suggested by the Bill including development of new protocols, identifying the origin of message transmitted over the Internet, addressing internal threats etc. Research will also be promoted in the area of "Secure Coding". Education in "Secure Coding" would be encouraged in Colleges.  Grants, Funding, Scholarships etc are also  being suggested for the purpose. Competitions at various levels from Schools to research institutions are recommended for grants.

It is also envisaged that a "Public-Private Clearing House" of information exchange on Cyber threats is also suggested through the department of commerce.

As a part of the implementation of the Cyber Security responsibilities under the bill, a review of laws such as the Privacy Protection Act 1980, Electronic Communications Privacy Act 1986, Computer Security Act 1987, Federal Information Security Management Act of 2005, E-Governance Act of 2002 is being suggested.

A Comprehensive National Cyber Security Strategy is expected to be put in place within one year of the passage of the Cyber Security Act which should have a long term vision on the nation's cyber security future, participation of private sector in the security programme.

The Bill also envisages a power for declaration of "Cyber Security Emergency" for the President of US which can order shutting down of Internet traffic from any compromised Federal Government or Critical Infrastructure system, designating an agency for recovery of such systems etc.

The Bill also suggests that from 2013, there should be a comprehensive review of Cyber Posture of US once in four years.

The Bill also suggests that the President shall work with representatives of foreign governments to develop norms for international cooperation in Cyber Security.

If we look at the Bill in totality, it is expected to bring in major changes in the way Internet and Cyber Space is put to use. The Bill has a bundle of innovative ideas, many of which have been strongly supported and promoted by Naavi.org over the last few years.

The Bill also contains several suggestions which can be introduced in India particularly when the rules under ITA 2008 are being finalised.

Naavi.org calls upon the Information Security Community in India to study the provisions of this Bill, assess its impact on the Indian IT industry and also pick ideas from it for local implementation.


April 05, 2009

Copy of Cyber Security Bill as available on April 5, 2009

IT Vision of BJP

Related Articles in Naavi.org:

BPO for BPOs, A Security Solution

Threats to Cyber Security, Vision-2009

Cyber Security Command for India recommended

 A Unified Approach to National Cyber Security

State level Cyber Law Advisory Group Required

National Netizenís Rights Commission Required in India