[Senate Report 111-384]
[From the U.S. Government Publishing Office]


111th Congress 
 2d Session                      SENATE                          Report
                                                                111-384
_______________________________________________________________________

                                     

                                                       Calendar No. 707

                       CYBERSECURITY ACT OF 2010

                               __________

                              R E P O R T

                                 OF THE

           COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                                   on

                                 S. 773



                                     

               December 22, 2010.--Ordered to be printed


       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
                     one hundred eleventh congress
                             second session

            JOHN D. ROCKEFELLER IV, West Virginia, Chairman
DANIEL K. INOUYE, Hawaii             KAY BAILEY HUTCHISON, Texas
JOHN F. KERRY, Massachusetts         OLYMPIA J. SNOWE, Maine
BYRON L. DORGAN, North Dakota        JOHN ENSIGN, Nevada
BARBARA BOXER, California            JIM DeMINT, South Carolina
BILL NELSON, Florida                 JOHN THUNE, South Dakota
MARIA CANTWELL, Washington           ROGER F. WICKER, Mississippi
FRANK R. LAUTENBERG, New Jersey      GEORGE S. LeMIEUX, Florida
MARK PRYOR, Arkansas                 JOHNNY ISAKSON, Georgia
CLAIRE McCASKILL, Missouri           DAVID VITTER, Louisiana
AMY KLOBUCHAR, Minnesota             SAM BROWNBACK, Kansas
TOM UDALL, New Mexico                MIKE JOHANNS, Nebraska
MARK WARNER, Virginia
MARK BEGICH, Alaska
                     Ellen Doneski, Staff Director
                   James Reid, Deputy Staff Director
                     Bruce Andrews, General Counsel
                 Ann Begeman, Republican Staff Director
              Brian Hendricks, Republican General Counsel
                Todd Bertoson, Republican Senior Counsel


                                                       Calendar No. 707
111th Congress                                                   Report
                                 SENATE
 2d Session                                                     111-384

======================================================================



 
                       CYBERSECURITY ACT OF 2010

                                _______
                                

               December 22, 2010.--Ordered to be printed

                                _______
                                

     Mr. Rockefeller, from the Committee on Commerce, Science, and 
                Transportation, submitted the following

                                 REPORT

                         [To accompany S. 773]

    The Committee on Commerce, Science, and Transportation, to 
which was referred the bill (S. 773) to enhance the security of 
the information infrastructure of the United States, having 
considered the same, reports favorably thereon with an 
amendment (in the nature of a substitute) and recommends that 
the bill (as amended) do pass.

                          Purpose of the Bill

  The purpose of S. 773, The Cybersecurity Act of 2010, is to 
strengthen the security of American information infrastructure 
by expanding the information security workforce, establishing 
authorities for the Federal government, and enhancing public-
private collaboration.

                          Background and Needs

  Information and communications technology (ICT) is essential 
for the day-to-day operations of companies, organizations, and 
government. Companies large and small increasingly rely on ICT 
to support diverse business processes, ranging from payroll and 
accounting to inventory tracking and management. Critical 
national infrastructure--such as energy, banking and finance, 
defense, law enforcement, water systems, and transportation 
systems--all depend on ICT to maintain daily operations. To 
allow for near real-time exchanges of information, money, 
goods, and services all across the globe, ICT systems are 
increasingly linked to each other through the Internet.
  While open systems connected to the Internet provide great 
societal benefits, owners and operators place the 
confidentiality, integrity, and availability of their 
information and information systems at risk by connecting to 
the Internet. Every day, millions of attacks are launched 
against public and private sector computers. Attackers seek a 
variety of things, from money, to information, to destruction. 
The success of the attack depends on both the skill level of 
the attacker and the sophistication of the defender. 
Unfortunately for defenders, automated tools available online 
provide an added boost for lesser-skilled attackers.
  As the most connected nation in the world, the United States 
is also the most vulnerable. Former Director of National 
Intelligence Michael McConnell testified at a Committee hearing 
in 2009 that, ``If we [the U.S.] went to war today in a 
cyberwar, we would lose. We're the most vulnerable, we're the 
most connected, we have the most to lose.''\1\ Public and 
private sector computer networks within the U.S. are 
increasingly subject to attack. According to the U.S. Computer 
Emergency Readiness Team, Federal civilian agencies reported a 
total of 18,050 cyber incidents in Fiscal Year (FY) 2008, 
compared with 12,986 in FY 2007, and 5,144 in FY 2006.\2\ 
During 2008, there were 54,640 identified attacks against the 
Department of Defense; in 2009, there were 71,661 incidents 
reported; and through June 30 of 2010, there were 60,026 
incidents reported.\3\
---------------------------------------------------------------------------
    \1\ McConnell, Michael (former Director of National Intelligence). 
Quote from Hearing of the Senate Committee on Commerce, Science, and 
Transportation. ``Cybersecurity: Next Steps to Protect Our Critical 
Infrastructure.'' 23 Feb. 2010.
    \2\ Bain, Ben. ``Number of Reported Cyber Incidents Jumps.'' 
Federal Computer Week. 17 Feb. 2009. Web. http://fcw.com/Articles/2009/
02/17/CERT-cyber-incidents.
    \3\ Report to Congress. U.S.-China Economic and Security Review 
Commission. 29 Oct. 2010. Web. http://www.uscc.gov/annual--report/2010/
annual--report--full--10.pdf
---------------------------------------------------------------------------
  Data theft and breaches from cyber crime may have cost 
businesses as much as $1 trillion globally in lost intellectual 
property and expenditures for repairing damage in 2008.\4\ 
According to a group of 500 global information technology 
corporations, companies spend an average of $600,000 responding 
to each security breach leading to the loss of vital 
information.\5\ Because of sophisticated tradecraft and 
inconsistent reporting, however, the total number of attacks is 
unknown.
---------------------------------------------------------------------------
    \4\ Study: Cybercrime cost firms $1 trillion globally, Elinor 
Mills, 28 Jan. 2009. Web. http://news.csnet.com. While S. 773 is 
focused on the cybersecurity of critical infrastructure information 
systems, rather than cybercrime, these statistics underscore the 
vulnerability of ICT systems to cyber attacks.
    \5\ Unsecured Economies: Protecting Vital Information, McAfee, 
Inc., Jan. 2009, page 3.
---------------------------------------------------------------------------
  The private sector owns a large percentage of the nation's 
critical infrastructure, including electricity generation and 
transmission, water and sewer treatment facilities, and 
financial markets and clearinghouses. The computers that run 
these systems are often interconnected and subject to the same 
potential attacks as other networks. Experts suggest that cyber 
attacks against critical infrastructure potentially could 
physically destroy infrastructure, depriving large populations 
of essential goods and services for extended periods of time 
and threatening lives.
  The Department of Homeland Security (DHS) is responsible for 
securing cyberspace and critical infrastructure under Homeland 
Security Presidential Directive 7. Specifically, DHS is 
responsible for: developing a comprehensive national plan for 
critical infrastructure protection; developing and enhancing 
national cyber analysis and warning capabilities; providing and 
coordinating incident response and recovery planning, including 
conducting incident response exercises; identifying, assessing, 
and supporting efforts to reduce cyber threats and 
vulnerabilities, including those associated with infrastructure 
control systems; and strengthening international cyberspace 
security. However, a number of reports demonstrate that DHS has 
not been fully effective in improving cybersecurity throughout 
the private sector. For example, in 2006, DHS issued guidance 
for agencies to develop sector-specific plans for protecting 
cyber and physical critical infrastructure. Agencies issued 
plans in 2007, but the Government Accountability Office (GAO) 
found that none fully addressed all cyber-related criteria. DHS 
asked for the plans to be updated in 2008, but a September 2009 
GAO report found limited progress.\6\
---------------------------------------------------------------------------
    \6\ GAO-09-969, Critical Infrastructure Protection: Current Cyber 
Sector-Specific Planning Approach Needs Reassessment. Sept. 2009.
---------------------------------------------------------------------------
  The U.S. cybersecurity workforce--comprised significantly of 
students who excel at science and engineering--is insufficient 
to meet the cyber threat. For nearly five decades, the domestic 
science and engineering workforce has grown faster than the 
total civilian workforce, reaching about 5.5 million in 2007. 
However, undergraduate and graduate degrees in computer 
sciences have declined since 2004, back to the levels observed 
in 2000.\7\ In addition, an increasing proportion of computer 
science degrees granted in this country are awarded to foreign 
nationals, often from China and India. Competitiveness aside, 
many are concerned with the limited pool of properly educated 
U.S. citizens who maintain an ability to obtain security 
clearances at the highest levels.
---------------------------------------------------------------------------
    \7\ Science and Engineering Indicators 2010. National Science 
Board.
---------------------------------------------------------------------------
  When it comes to specializations in cybersecurity, the 
situation worsens. According to the President's Information 
Technology Advisory Committee (PITAC), there currently are 
fewer than 250 active cybersecurity specialists at U.S. 
academic institutions, and the nation's cybersecurity research 
community is too small to adequately support the cybersecurity 
research and education programs necessary to protect the 
country. The PITAC thus recommended an intense effort to 
promote the recruitment and retention of cybersecurity 
researchers and students at research universities with a goal 
of at least doubling the size of the civilian cybersecurity 
fundamental research community by the end of the decade.\8\
---------------------------------------------------------------------------
    \8\ Report to President. President's Information Technology 
Advisory Committee. Cyber Security: A Crisis of Prioritization. 
Virginia: The Commission. Web. 7 December 2010. http://www.nitrd.gov/
pitac/reports/20050301--cybersecurity/cybersecurity.pdf
---------------------------------------------------------------------------
  Though technology has changed significantly in the last 
decade, America's fundamental policies and strategies for 
addressing the cyber threat have not. The ``National Strategy 
to Secure Cyberspace'' was drafted in 2002, and has not been 
updated or revised since. Many people, including independent 
commissions, independent oversight bodies, and knowledgeable 
observers, have suggested that the time for a new strategy, 
vision, and plan for national cybersecurity is past due. This 
legislation seeks to address these and other information 
security issues in a comprehensive format.

                         Summary of Provisions

  The primary goal of the Cybersecurity Act of 2010 is to 
modernize the public-private sector relationship on 
cybersecurity. As vast majority of our Nation's networks are 
owned and operated by the private sector, securing cyberspace 
must be a collaborative 
effort between our Government and the private sector. Reactive, 
ad hoc responses to the cyber threat leave our country, our 
businesses, and our civil liberties at risk. The Cybersecurity 
Act of 2010 would provide a framework for proactive engagement, 
collaboration, and teamwork between the government and the 
private sector on cybersecurity.
  The bill would raise the priority of cybersecurity throughout 
the Federal government and streamline cybersecurity-related 
government functions, authorities, and laws. The bill would 
protect civil liberties, intellectual property, and businesses' 
proprietary information, while promoting cybersecurity public 
awareness, education, and research and development. The bill 
would foster market-driven cybersecurity innovation and 
creativity to develop long-term technology solutions and train 
the next generation of cybersecurity professionals.
  Sections 101 and 204 would bolster market incentives for 
innovation and excellence in cybersecurity professional 
training and cybersecurity products and services by 
encouraging, coordinating, and building on private sector 
initiatives. They are intended to create a dynamic, ever-
improving cycle of market-driven innovation--not a static 
checklist administered by a slow-moving bureaucracy. Section 
208 would place the purchasing power of the Federal government 
behind these innovations by requiring them to be part of every 
Federal contract for information technology (IT) products and 
services. These sections would require the President to 
collaborate with private sector critical infrastructure 
companies to identify the world's best private sector training 
programs and industry best practices for IT products and 
services. Then, they would require those same companies to 
report the results of independent audits of their compliance 
with these standards--their own standards. These sections also 
call for collaborative remediation of persistent 
vulnerabilities. In practice, this would effectively be a 
government-coordinated, private sector intervention to prevent 
a company that has failed consecutive audits from damaging the 
entire industry sector--and the country's security along with 
it.
  Sections 201 and 403 would require a collaborative effort to 
promote effective, well-coordinated, government-private sector 
teamwork--and protect civil liberties, proprietary rights, and 
confidential and classified information--before, during, and 
after a cybersecurity emergency. Section 201 would require the 
President to collaborate with owners and operators of critical 
infrastructure information systems, through existing 
partnerships, to develop and rehearse detailed cybersecurity 
emergency response and restoration plans. The explicit purpose 
of this section is to clarify roles, responsibilities, and 
authorities of government and private sector actors in the 
event of a cybersecurity emergency that threatens strategic 
national interests. The President's declaration of a 
cybersecurity emergency would trigger the implementation of the 
collaborative emergency response and restoration plans. Section 
201 states explicitly that nothing in the section authorizes 
new or expanded Presidential authorities--it simply seeks to 
avoid the type of dangerous bureaucratic confusion witnessed in 
the aftermath of Hurricane Katrina. To establish greater 
accountability for the President's actions during a declared 
emergency, the section would also require the President to 
report to Congress in writing, within 48 hours of the 
declaration, regarding the circumstances necessitating the 
declaration, and the estimated scope and duration of the 
emergency.
  Section 403 would complement this emergency response 
provision by creating a public-private information sharing 
clearinghouse in which government and private officials would 
share classified and/or confidential cybersecurity threat and 
vulnerability information. This would allow incidents to be 
handled in real-time, or prevent them from occurring 
altogether.

                          Legislative History

  Senators Rockefeller and Snowe introduced S. 773 on April 1, 
2009. The legislation was referred to the Committee, and 
included Senator Nelson (of Florida) as an original cosponsor. 
The bill is also cosponsored by Senators Bayh and Mikulski.
  Chairman Rockefeller held two hearings on cybersecurity at 
the full committee level. The first, held on March 19, 2009, 
was titled ``Cybersecurity: Assessing Our Vulnerabilities and 
Developing an Effective Response,'' and the Committee heard 
from: Dr. James A. Lewis, Director and Senior Fellow, Center 
for Strategic and International Studies (CSIS); Dr. Joseph 
Weiss, Managing Partner, Applied Control Solutions, LLC; Dr. 
Edward G. Amoroso, Chief Security Officer, AT&T and Dr. Eugene 
H. Spafford, Professor and Executive Director of the Center for 
Education and Research in Information Assurance and Security, 
Purdue University.
  The second hearing was held on February 23, 2010, and was 
titled ``Cybersecurity: Next Steps to Protect Our Critical 
Infrastructure.'' At this hearing, witnesses included: Vice 
Admiral Michael McConnell (USN, Ret.), Executive Vice 
President, Booz Allen Hamilton and former Director of National 
Intelligence; Dr. James A. Lewis, Director and Senior Fellow, 
CSIS; Dr. Scott Borg, Director and Chief Economist, U.S. Cyber 
Consequences Unit; Rear Admiral James Arden Barnett Jr. (USN, 
Ret.), Chief, Public Safety and Homeland Security Bureau, 
Federal Communications Commission (FCC); and Ms. Mary Ann 
Davidson, Chief Security Officer, Oracle Corporation.
  On March 24, 2010, the Committee met in Executive Session, 
during which S. 773 was considered with an amendment in the 
nature of a substitute. The committee adopted amendments 
offered by Senators Hutchison, Cantwell, Klobuchar, Udall, and 
Warner. The bill, as amended, was ordered reported by voice 
vote.

                            Estimated Costs

  In accordance with paragraph 11(a) of rule XXVI of the 
Standing Rules of the Senate and section 403 of the 
Congressional Budget Act of 1974, the Committee provides the 
following cost estimate, prepared by the Congressional Budget 
Office:

S. 773--Cybersecurity Act of 2010

    Summary: S. 773 would authorize several National Science 
Foundation (NSF) grant and scholarship programs aimed at 
enhancing cybersecurity (the protection of computers and 
computer networks from unauthorized access) through expanded 
research and workforce development. The bill also would 
authorize the National Institute of Standards and Technology 
(NIST) to carry out certain activities to promote the 
development of new cybersecurity technologies and to enhance 
public awareness of cybersecurity issues. In addition, the bill 
would direct the President to develop and implement a 
comprehensive cybersecurity strategy for the federal 
government. Finally, the legislation would codify certain 
ongoing activities related to cybersecurity.
    Assuming appropriation of the necessary amounts, CBO 
estimates that implementing S. 773 would cost $1.4 billion over 
the 2011-2015 period. Pay-as-you-go procedures do not apply to 
this legislation because it would not affect direct spending or 
revenues.
    S. 773 would impose intergovernmental and private-sector 
mandates, as defined in the Unfunded Mandates Reform Act 
(UMRA), on owners and operators of information systems 
designated as critical infrastructure by the President. Owners 
and operators of such systems would have to comply with new 
security standards and procedures. Because the number of 
entities subject to the mandates would be large, and the costs 
of complying with some of the mandates in the bill would be 
substantial, CBO estimates that the costs to comply would well 
exceed the annual thresholds established in UMRA for 
intergovernmental and private-sector mandates ($70 million and 
$141 million in 2010, respectively, adjusted annually for 
inflation).
    CBO has not reviewed section 201(b) of the bill for 
mandates. Section 4 of UMRA excludes from the application of 
that act any legislative provisions that are necessary for 
national security. CBO has determined that the provisions of 
section 201(b) fall within that exclusion because they would 
allow the President to declare a cybersecurity emergency and 
implement emergency-response and restoration plans.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of S. 773 is shown in the following table. The 
costs of this legislation fall within budget functions 250 
(general science, space, and technology), 370 (commerce and 
housing credit), and 800 (general government).

----------------------------------------------------------------------------------------------------------------
                                                                   By fiscal year, in millions of dollars--
                                                             ---------------------------------------------------
                                                               2011    2012    2013    2014    2015    2011-2015
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION

National Science Foundation Activities:
    Authorization Level.....................................     339     356     371     388       0       1,454
    Estimated Outlays.......................................      61     210     295     338     297       1,201
Department of Commerce Activities:
    Estimated Authorization Level...........................      38      48      58      68       8         220
    Estimated Outlays.......................................      20      34      44      55      45         198
Other Activities:
    Estimated Authorization Level...........................       7       6       6       6       6          31
    Estimated Outlays.......................................       6       6       6       6       6          30

    Total Spending Under S. 773:
        Estimated Authorization Level.......................     384     410     435     462      14       1,705
        Estimated Outlays...................................      87     250     345     399     348       1,429
----------------------------------------------------------------------------------------------------------------

    Basis of estimate: For this estimate, CBO assumes that the 
legislation will be enacted in 2010 and that the necessary 
amounts will be appropriated for each fiscal year. Estimated 
outlays are based on historical spending patterns for similar 
programs.

National Science Foundation activities

    S. 773 would authorize appropriations totaling about $1.2 
billion over the 2011-2014 period for several existing NSF 
programs related to cybersecurity research. The bill also would 
authorize the appropriation of $250 million over that period 
for the agency to provide scholarships to students who pursue 
higher education in fields related to cybersecurity. Finally, 
the bill would authorize the appropriation of $2 million a year 
over the 2011-2012 period to provide grants for higher 
education institutions to develop cybersecurity curricula. 
Based on information from NSF and assuming appropriation of the 
authorized amounts, CBO estimates that implementing the NSF 
programs authorized under the bill would cost $1.2 billion over 
the 2011-2015 period.

Department of Commerce activities

    S. 773 would authorize the appropriation of $15 million a 
year over the 2011-2014 period for NIST to award cash prizes to 
individuals who develop innovative cybersecurity technologies. 
The bill also would require the agency to establish regional 
cybersecurity centers that would assist businesses in 
implementing cybersecurity best practices. In addition, the 
legislation would require NIST to establish a program to 
promote cybersecurity awareness and education. Finally, the 
bill would require the Secretary of Commerce to develop a 
tracking system to provide the real-time cybersecurity status 
of all federal agencies within the Department of Commerce. 
Based on information regarding the cost of implementing similar 
programs, CBO estimates that carrying out the provisions 
affecting the Department of Commerce would cost $198 million 
over the 2011-2015 period, assuming appropriation of the 
authorized and necessary amounts.

Other activities

    S. 773 would direct the President to establish a national 
cybersecurity strategy and to conduct biennial reviews to 
assess the nation's cybersecurity posture. The legislation also 
would require the President to appoint a panel of academic and 
industry experts to advise the Office of Science and Technology 
Policy on issues related to cybersecurity. Finally, the bill 
would require a study by the National Academies to assess 
workforce development efforts related to cybersecurity. Based 
on information regarding the cost of similar activities, CBO 
estimates that implementing those provisions would cost $30 
million over the 2011-2015 period.
    Pay-as-you-go considerations: None.

Mandates that apply to both intergovernmental and private-sector 
        entities

    Intergovernmental and private-sector impact: S. 773 would 
impose intergovernmental and private-sector mandates, as 
defined in UMRA, on owners and operators of information systems 
designated as critical infrastructure by the President. 
Critical infrastructure could include information systems for 
public and private transportation systems, police and fire 
departments, airports, hospitals, electric utilities, health 
departments, water systems, and financial companies.
    The bill would require those entities to:
           Train employees working in cybersecurity to 
        meet new certification requirements;
           Comply with risk-management techniques and 
        best practices to be established for cybersecurity; and
           Audit their compliance with those 
        requirements on a semi-annual basis and report the 
        results of those audits to the federal government.
    The costs of complying with the mandates would depend on 
future regulations, the extent to which the regulations would 
impose requirements that differ from current practice, and 
which entities would be subject to those requirements. Based on 
information from industry sources, the cost of conducting a 
cybersecurity audit could range from $30,000 to millions of 
dollars per entity, depending on the size of the entity and the 
nature and scope of the audit. For example, such an audit could 
involve ensuring compliance with firewall, encryption, and data 
storage and transfer requirements, among other risk-management 
techniques. Based on information from government and industry 
sources, more than 50,000 public entities could be subject to 
the mandates. Further, according to a study by the Government 
Accountability Office, the private sector owns more than 85 
percent of the nation's critical infrastructure. Because the 
number of entities subject to the mandates could be large and 
the costs of complying with some of the mandates in the bill 
would be substantial, CBO estimates that the aggregate costs to 
comply would well exceed the annual thresholds established in 
UMRA for intergovernmental and private-sector mandates ($70 
million and $141 million in 2010, respectively, adjusted 
annually for inflation).

Provisions excluded under UMRA

    CBO has not reviewed section 201(b) of the bill for 
mandates. Section 4 of UMRA excludes from the application of 
that act any legislative provisions that are necessary for 
national security. CBO has determined the provisions of section 
201(b) fall within that exclusion because they would allow the 
President to declare a cybersecurity emergency and implement 
emergency-response and restoration plans.

Other impacts on State and local governments

    The bill would benefit public institutions of higher 
education by authorizing grants for cybersecurity programs. Any 
costs that those entities incur would result from complying 
with conditions of federal assistance.
    Previous CBO estimate: On December 10, 2009, CBO 
transmitted a cost estimate for H.R. 4061, the Cybersecurity 
Enhancement Act of 2009, as ordered reported by the House 
Committee on Science and Technology on November 18, 2009. S. 
773 contains several provisions that were included in H.R. 
4061; however, the authorization levels for those provisions 
are different. In addition, S. 773 contains additional 
provisions that were not included in H.R. 4061. The CBO cost 
estimates reflect those differences.
    Estimate prepared by: Federal Costs: Jeff LaFave; Impact on 
State, Local, and Tribal Governments: Elizabeth Cove Delisle; 
Impact on the Private Sector: Samuel Wice.
    Estimate approved by: Peter H. Fontaine, Assistant Director 
for Budget Analysis.

                      Regulatory Impact Statement

  In accordance with paragraph 11(b) of rule XXVI of the 
Standing Rules of the Senate, the Committee provides the 
following evaluation of the regulatory impact of the 
legislation, as reported:

                       NUMBER OF PERSONS COVERED

  Private entities designated as CIIS under section 4 of the 
bill would be covered by the requirements of sections 101, 201, 
and 204. CBO has estimated that the number of covered entities 
could be large, but the number is difficult to calculate in 
advance of the rulemaking required by section 4.

                            ECONOMIC IMPACT

  S.773 would authorize $384 million in FY 2011, $410 million 
in FY 2012, $435 million in FY 2013, $462 million in FY 2014, 
and $14 million for FY 2015 in appropriations to the National 
Science Foundation, Department of Commerce, and the President. 
These funding levels are not expected to have a significant 
impact on the nation's economy. Owners and operators of CIIS 
would face compliance costs with new cyber security standards 
and related audits; however, the impact of these costs could 
vary, as some entities may already be acting consistently with 
the standards. Moreover, compliance with the new standards 
should help to prevent or mitigate economic losses from cyber 
attacks. The bill's investments in research and education 
should also have a positive impact on the nation's 
competitiveness.

                                PRIVACY

  The bill would have little, if any, impact on the personal 
privacy of individuals.

                               PAPERWORK

  The bill would create paperwork requirements for owners and 
operators of CIIS through the semi-annual audits established in 
sections 101 and 204. The owners and operators of CIIS would 
also be required to develop and annually update guidance for 
the identification of cybersecurity personnel and requirements 
for their certification. The bill would also require several 
plans, strategies, and reports from the Federal government. 
Section 104 would require the head of each Federal agency to 
complete an annual cybersecurity workforce plan, with hiring 
projections available on the agency's website. Section 105 
would require each Federal agency to measure the effectiveness 
of its cybersecurity hiring efforts, with the results reported 
annually to Congress and the public. Section 201 would require 
the President to develop and implement a national cybersecurity 
strategy in collaboration with relevant stakeholders. Should 
the President declare a cybersecurity emergency as defined in 
the national strategy, the President would then be required to 
report to Congress in writing, within 48 hours of the 
declaration, regarding the circumstances necessitating the 
declaration and its estimated scope and duration. Section 202 
would require a biennial review of the U.S. cyber program, 
modeled after the DoD's Quadrennial Defense Review. Section 204 
would require NIST to review and update cyber audit plans on at 
least a semi-annual basis. The section would also require the 
FCC to report to Congress on effective and efficient means to 
ensure the cybersecurity of commercial broadband networks with 
an additional supplement to its National Broadband Plan. 
Section 205 would require the GAO to complete a comprehensive 
review of the Federal statutory and legal framework applicable 
to cybersecurity, with recommendations regarding changes needed 
to advance cybersecurity and protect civil liberties. Section 
210 would require the President to report to Congress on the 
feasibility of an identity management and authentication 
program with appropriate civil liberties and privacy 
protections. Section 211 would require NIST to issue a public 
report assessing the strategies and best practices for identity 
authentication, with specific attention paid to health 
information applications. Section 401 would require the 
President to establish or designate a Cybersecurity Advisory 
Panel, which would then provide a report to the President every 
two years with recommendations on how the Federal cybersecurity 
effort should be improved. Section 404 would require the 
President to report to Congress on the feasibility of a 
cybersecurity risk management market, including the potential 
role of civil liability and insurance. The bill would also 
establish or enhance several grant programs, for which 
applicants would have to file documents to apply. Key owners 
and operators of CIIS, as identified in section 209, could be 
required to file documents in the security clearance process.

                   Congressionally Directed Spending

  In compliance with paragraph 4(b) of rule XLIV of the 
Standing Rules of the Senate, the Committee provides that no 
provisions contained in the bill, as reported, met the 
definition of congressionally directed spending items under the 
rule.

                      Section-by-Section Analysis


Section 1. Short title; table of contents.

  This section would cite the short title as the 
``Cybersecurity Act of 2010'' and provide a table of contents.

Section 2. Findings.

  This section includes findings guiding the development of 
this legislation.

Section 3. Definitions.

  This section would provide definitions for the terms Advisory 
Panel, cybersecurity, cybersecurity professional, information 
system, internet, and United States critical infrastructure 
information system.

Section 4. Procedure for designation of critical infrastructure 
        information systems.

  This section would initiate a rulemaking in which the 
President, in consultation with sector coordinating councils, 
relevant government agencies, and regulatory entities, would 
establish a procedure for the designation of critical 
infrastructure information systems (CIIS). The infiltration, 
incapacitation, or disruption of these systems would have a 
debilitating impact on national security, including national 
economic security and national public health or safety. The 
process would be governed by the Administrative Procedure Act 
and would, at a minimum, set forth objective criteria for 
designation, provide for emergency and temporary designations, 
ensure protection of privacy and proprietary information, and 
establish an appeal process.

Section 101. Certification and training of cybersecurity professionals.

  This section would direct the President to request a National 
Academies report on cybersecurity accreditation, training, and 
certification programs. This section would direct the President 
to develop and annually update guidance for the identification 
of cybersecurity personnel within the Federal Government and 
requirements for their certification. Department of Defense 
(DoD) Directive 8570, which specifies guidance and procedures 
for the training, certification, and management of all people 
performing security functions on DoD information systems, may 
provide a valuable reference for understanding the challenges 
and potential solutions to cybersecurity certification and 
training.
  This section would also direct the President to require 
owners and operators of Unites States CIIS to develop and 
annually update guidance for the identification of relevant 
cybersecurity personnel and requirements for their 
certification. The Committee believes that this guidance should 
take into account whether the owners or operators are small 
businesses, as small businesses have unique operational 
requirements and constraints.
  This section would require the President to convene sector-
specific working groups to establish auditable, private sector 
developed, accreditation, training, and certification programs 
for critical infrastructure cybersecurity personnel. The 
President would recognize and promote these programs. The 
President would require owners and operators of CIIS to conduct 
semiannual audits of compliance with the accreditation, 
training, and certification programs. Companies demonstrating 
compliance may receive positive recognition. Companies who fail 
to demonstrate substantial compliance through two semiannual 
independent audits would be required to collaborate with sector 
coordinating councils, relevant government agencies, and 
regulatory entities to develop and implement a remediation 
plan. This provision would leverage the existing structure of 
the sector coordinating councils, but would not imbue them with 
any Federal authority.
  This section would require the President to publish a 
reference list of cybersecurity accreditation, training, and 
certification programs whose rigor and effectiveness are 
beneficial to cybersecurity. The Committee believes that the 
general public would benefit from this list.

Section 102. Federal Cyber Scholarship-for-Service Program.

  This section would authorize the Scholarship-For-Service 
program at the National Science Foundation (NSF), which is 
focused on recruiting students into a cybersecurity curriculum 
program. Upon graduation, these students would enter public 
service, joining an agency or department and leveraging the 
skills they have learned. This section would increase the 
number of students from 300 to 1000 annually. The Committee 
supports the Scholarship-For-Service program and believes that 
the program can help to close the talent gap to meet the 
nation's demand for cybersecurity experts.

Section 103. Cybersecurity competition and challenge.

  This section would authorize the Director of the National 
Institute of Standards and Technology (NIST) to establish 
cybersecurity competitions and challenges to attract, identify, 
and recruit talented individuals to the cybersecurity field.

Section 104. Cybersecurity workforce plan.

  This section would require the head of each Federal agency to 
annually complete a cybersecurity workforce plan that details 
recruitment, hiring, and training of cybersecurity employees 
and contractors. Each agency would make its hiring projections 
publicly available on the agency's website.

Section 105. Measures of cybersecurity hiring effectiveness.

  This section would require each Federal agency to measure the 
effectiveness of its cybersecurity recruiting and hiring 
efforts, from the perspective of hiring managers, applicants, 
and new hires. This information would be reported annually to 
Congress and the public.

Section 201. Cybersecurity responsibilities and authorities.

  This section would require the President to develop and 
implement a national cybersecurity strategy. This section would 
also require the President to collaborate with stakeholders to 
develop and rehearse detailed response and restoration plans 
for cybersecurity emergencies, and to define the types of 
events and incidents that would constitute a cybersecurity 
emergency. The section would authorize the President to declare 
a cybersecurity emergency and implement the plans. The 
Committee recognizes that this does not expand any existing 
Presidential authorities, and does not provide an exception to 
the procedures of Title 18, United States Code, sections 119, 
121, and 206, or of Title 50, United States Code, sections 1801 
et seq. The President would be required to report to Congress 
in writing, within 48 hours of declaring an emergency, 
regarding the circumstances necessitating the declaration and 
the estimated scope and duration of the emergency.
  The Committee recognizes that it is virtually impossible to 
prevent each and every cybersecurity incident. Accordingly, 
this section would require the development of strategies and 
plans to quickly and effectively respond and restore all 
capabilities after an incident. The Committee believes it is 
vital that these plans and activities be rehearsed on a regular 
basis to ensure that, in the case of an emergency, the public 
and private sector participants will already be familiar with 
their roles and responsibilities and prepared to act 
appropriately.

Section 202. Biennial cyber review.

  This section would direct the President to conduct a biennial 
review of the U.S. cyber program. The review would examine 
cyber strategy, budget, plans, and policies, and is modeled 
after the DoD's Quadrennial Defense Review. Although the 
Defense Review occurs every four years, the Internet and 
cyberspace are evolving so rapidly that a biennial review is 
appropriate.

Section 203. Cybersecurity dashboard pilot project.

  This section would require the Secretary of Commerce to plan 
and implement a system to provide the real-time cybersecurity 
status of all Federal information systems and networks within 
the Department of Commerce.

Section 204. NIST cybersecurity guidance.

  This section requires NIST to recognize and promote 
auditable, private sector developed, cybersecurity risk 
management techniques, risk management measures, and best 
practices, and to review and update these recognitions not less 
frequently than semiannually. The Committee believes that NIST 
should act transparently and provide relevant stakeholders with 
a meaningful opportunity to participate as it implements this 
section.
  The President would require all Federal departments, 
agencies, and United States CIIS to meet or exceed these 
standards. Critical infrastructure owners and operators who 
meet these standards may be positively recognized by the 
President, and those who fail to demonstrate substantial 
compliance through two semiannual independent audits would be 
required to collaborate with sector coordinating councils, 
relevant government agencies, and regulatory entities to 
develop and implement a remediation plan. This section would 
leverage the existing structure of the sector coordinating 
councils, but would not imbue them with any Federal authority.
  This section directs NIST to engage with international 
standards bodies regarding cybersecurity and to adopt a risk-
based approach to cybersecurity. The Committee believes that it 
is vitally important that NIST adopt a risk-based approach to 
Federal cybersecurity guidance that recognizes techniques and 
best practices without prescribing specific hardware or 
software products.
  This section also requires the FCC to report to Congress on 
effective and efficient means to ensure the cybersecurity of 
commercial broadband networks. The Committee recognizes that 
the FCC has introduced the National Broadband Plan which 
largely meets this requirement, and the FCC may provide an 
additional supplement on cybersecurity.

Section 205. Legal framework review and report.

  This section would require GAO to complete a comprehensive 
review of the Federal statutory and legal framework applicable 
to cybersecurity and to make recommendations regarding changes 
needed to advance cybersecurity and protect civil liberties.

Section 206. Joint intelligence threat and vulnerability assessment.

  This section would require the Director of National 
Intelligence, the Attorney General, and the Secretaries of 
Commerce, Homeland Security, Defense, and State to provide 
assessments on threats to and vulnerabilities of Federal 
information systems and CIIS.

Section 207. International norms and cybersecurity deterrence measures.

  This section would require the President to promote the 
development of international norms, standards and techniques 
for improving cybersecurity.

Section 208. Federal secure products and services acquisitions.

  This section would require that information systems, 
products, and services purchased by the Federal government 
comply with the cybersecurity standards recognized under 
section 204 and the cybersecurity professional certifications 
recognized under section 101.

Section 209. Private sector access to classified information.

  This section would require the President to provide security 
clearances to key private sector operators of CIIS to 
facilitate the sharing of classified threat information with 
these officials. The Committee believes that this provision 
addresses the lack of coordination between civilian and 
national security information system protection efforts 
described in recommendation 23 of the CSIS report titled, 
Securing Cyberspace for the 44th Presidency.

Section 210. Authentication and civil liberties report.

  This section would require the President to report to 
Congress on the feasibility of an identity management and 
authentication program with appropriate civil liberties and 
privacy protections.

Section 211. Report on evaluation of certain identity authentication 
        functionalities.

  This section would require NIST to issue a public report 
assessing the strategies and best practices for identity 
authentication, and to specifically address the application of 
this technology to health information.

Section 301. Promoting cybersecurity awareness and education.

  This section would authorize a cybersecurity awareness 
campaign to educate the general public about cybersecurity 
risks and countermeasures people can implement to better 
protect themselves. It would also direct the Secretary of 
Education to consult with State authorities, private sector 
companies, and nongovernmental organizations to identify and 
promote age appropriate information and programs for grades K-
12 regarding cyber safety, security, and ethics.

Section 302. Federal cybersecurity research and development.

  This section would increase Federal support for cybersecurity 
research and development at the NSF. This section would also 
highlight important areas of research that need to be 
conducted, including secure coding and design.

Section 303. Development of curricula for incorporating cybersecurity 
        into educational programs for future industrial control system 
        designers.

  This section would establish a grant program through the NSF 
to fund the development of undergraduate and graduate level 
curricula that address cybersecurity in modern industrial 
control systems.

Section 401. Cybersecurity Advisory Panel.

  This section would require the President to establish or 
designate a Cybersecurity Advisory Panel consisting of outside 
experts in cybersecurity from industry, academia, and nonprofit 
advocacy organizations who will advise the President on 
cybersecurity related matters. This Panel would review Federal 
cybersecurity efforts and provide advice and direction. The 
Panel would provide a report to the President every two years 
with recommendations on how the Federal cybersecurity effort 
should be improved. The Committee believes that, while there is 
no shortage of advisory panels throughout the Federal 
government, none is specifically focused on cybersecurity. 
Furthermore, the Committee recognizes that the CSIS Securing 
Cyberspace report specifically recommends the creation of a 
Federal Advisory Committee with membership from key cyber 
infrastructures.

Section 402. State and regional cybersecurity enhancement program.

  This section would create State and regional cybersecurity 
centers to assist small- and medium-sized companies in 
addressing cybersecurity issues. This program is modeled on the 
Manufacturing Extension Partnership (MEP). Large companies 
generally have the resources and access to expertise that would 
allow them to properly defend themselves against potential 
cyber intrusions. However, the Committee is particularly 
concerned about the small- and medium-sized businesses that 
often do not have the understanding or expertise to recognize 
that they are at risk, much less the resources to deal with 
this problem. The Committee believes that this program would 
help address such a knowledge gap. At the same time, the 
Committee believes these centers must operate in a manner that 
supplements or coordinates with, and does not compete with or 
duplicate, private sector activities.

Section 403. Public-private clearinghouse.

  This section would create a public-private information 
sharing clearinghouse in which government and private officials 
would share classified and/or confidential cybersecurity threat 
and vulnerability information.

Section 404. Cybersecurity risk management report.

  This section would require the President to report on how to 
create a market for cybersecurity risk management, including 
the potential role of civil liability and insurance.

                        Changes in Existing Law

  In compliance with paragraph 12 of rule XXVI of the Standing 
Rules of the Senate, the Committee states that the bill as 
reported would make no change to existing law.

                                  
