Melissa Hathaway highlights nine important cyber bills

Published 27 May 2010

Congress is getting more and more involved in cyber issues; Melissa Hathaway, former White House cybersecurity official, examines the pending legislation and highlights nine bills — out of the 40-odd bills at various stages in the legislative process — which she considers to be the most important ones to watch

Melissa Hathaway, former White House cybersecurity official

With cybersecurity becoming an increasingly visible issue, Congress has added its voice to the growing discussion with a number of bills currently pending. Melissa Hathaway, president of Hathaway Global Strategies and former White House cybersecurity official, recently wrote a study, titled Cybersecurity: The U.S. Legislative Agenda, for the Belfer Center at Harvard’s Kennedy School of Government. Jim Garrettson writes in the New New Internet that the study is a must read for individuals in government and the private sector looking to operate within the cybersecurity field.

Out of the 40-odd bills at various stages in the legislative process, Hathaway finds nine bills to be the most important ones to watch. Along with a synopsis of each bill, she provides an analysis as well.

  • Data Breach Legislation (S. 139): This bill would create a national data breach law to standardize the data breach laws currently in force in forty-six states. “One issue with this bill is that it would consolidate all reporting to the U.S. Secret Service, which is not helpful for broader information sharing with industry or across government,” Hathaway writes.
  • Data Accountability and Trust Act (H.R. 2221): Recently voted down in the House, this bill requires ISPs to inform users when they become infected. “I believe the Comcast Denver, CO pilot program could be anticipatory market movement associated with this bill (to better understand costs),” Hathaway writes. “It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone. As you may know, Germany just passed a law requiring their ISPs to inform their citizens/consumers if they have been infected.”
  • International Cybercrime Reporting and Cooperation Act (S. 1438 and H.R. 4692): These bills, among other things, authorize the State Department to create a cybersecurity ambassador and “require the President to produce an annual report to Congress providing an assessment of every country’s level of ICT utilization and development; assess how each country’s legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers,” according to Hathaway.
  • Cybersecurity Enhancement Act (H.R. 4061): This bill passed the House earlier this year; it gives NIST additional responsibility and supports research and development in the cyber realm. “While this is a non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it’s not clear how the new office will interact with the current OSTP responsibilities,” Hathaway writes.
  • FISMA II (S. 921): This bill is designed to update the current FISMA guidelines, which are widely seen as compliance driven. Instead, the new bill would make the guidelines performance based, modeled on the tool implemented by John Streufert at the Department of State. “It also affords the department and agency chief information security officer the focus and attention it needs and deserves,” Hathaway writes. “Finally, it is possible that FISMA II will address procurement reform.”
  • Intelligence Authorization Act (H.R. 2071): Among other things, this bill looks to strengthen Intelligence Community cybersecurity efforts.
  • Cybersecurity Act of 2009 (S. 773): “The bill combines audits, industry-developed and government-backed standards, increased information-sharing, and other mechanisms to bolster private sector cybersecurity,” Hathaway writes. “It establishes a Cybersecurity Advisory Panel (Presidential Level) and a National Clearinghouse for information sharing. Additionally, it extends the Scholarship for Service program (increases to 1000 scholarships) and increases the National Science Foundation’s budget for R&D.”
  • The Grid Reliability and Infrastructure Defense Act (H.R. 5026): “The bill amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities,” Hathaway writes. “If passed, the legislation will provide a security framework for the Smart Grid.”
  • Energy and Water Appropriations Act 2010 (Law): “It appropriates additional funds for Cybersecurity: $46.5 million for energy delivery cyber security, an increase of $34.5 million from 2009, to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected,” Hathaway writes. “It also establishes a National Cyber Center for the grid.”

Garrettson notes that Hathaway concludes her analysis with three key recommendations which include:

  • Need Congressional leadership to set the legislative priorities for cybersecurity
  • Need to clearly articulate the direction for cybersecurity private-public engagement and responsibilities
  • Need broad-based awareness and education campaign for the U.S. population and other like-minded nations