When we spoke to Congressman James Langevin (D-RI) last year, he told us he was “considering legislation right now to codify what the President has introduced in his cyber policy review.” Last week, he introduced the Executive Cyberspace Authorities Act of 2010 to create a National Cyberspace Office within the executive branch.
The new office will “serve as the principal office for coordinating issues relating to achieving an assured, reliable, secure, and survivable information infrastructure and related capabilities for the Federal Government,” and its head would be a cabinet-level appointment and member of the National Security Council, to be confirmed by the Senate.
The Director of the National Cyberspace Office will develop and oversee all agency cyber policies, principles, standards, and guidelines, approve all agency cyber budgets annually, and coordinate information security training across the federal government.
In the event of a large-scale cyber attack, the Director would coordinate the national response by delegating authority as necessary and removing the jurisdictional questions raised by exercises such as February’s Cyber ShockWave.
DoD and CIA are notable exceptions to the Cyberspace Office’s authority. For “systems that are operated by the Department of Defense, a contractor of the Department of Defense, or another entity on behalf of the Department of Defense that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Department of Defense,” DoD has ultimate authority; and “systems operated by the Central Intelligence Agency, a contractor of the Central Intelligence Agency, or another entity on behalf of the Central Intelligence Agency that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on the mission of the Central Intelligence Agency” will remain under CIA control.
The Executive Cyberspace Authorities Act of 2010 is brief, at less than five pages, yet comprehensive: it removes many of the jurisdictional hurdles faced by agencies in the event of a major cyber attack without overreaching, leaving alone networks critical to military or intelligence operations. Effective implementation of the act could mean a faster and more coordinated response to potential cyber attacks.