In advance of a July 25 Senate Commerce Committee hearing on “The Partnership Between NIST and the Private Sector: Improving Cybersecurity,” Chairman Jay Rockefeller (D-WV) and Ranking Member John Thune (R-SD) introduced the “Cybersecurity Act of 2013” (S. 1353).
The bill avoids controversial topics such as information sharing and regulation of critical infrastructure cybersecurity and specifically states that it does not confer regulatory authority on federal, state, tribal, or local governments.
The bill focuses instead on several key issues. First, it extends the mandate Executive Order 13636 gave to the National Institute of Standards and Technology (“NIST”) to develop cybersecurity standards. NIST is currently developing standards pursuant to the Executive Order, and the bill directs NIST to develop, on an ongoing basis, voluntary, industry-led standards and best practices to reduce risk to critical infrastructure. In developing the standards, NIST is instructed to coordinate “closely and continuously” with the private sector, incorporate existing voluntary best practices and international standards, prevent duplication of and conflict with existing regulatory requirements, and ensure that its standards are technology-neutral. The bill further specifies that information provided to NIST for standards development cannot be used for regulatory purposes.
Second, the bill directs the Office of Science and Technology Policy to build upon existing programs and plans to develop a national cybersecurity research and development plan to meet specified objectives. It also instructs the Office to coordinate its efforts with ongoing research and development at various government agencies and to “work in close cooperation with industry, academia, and other interested stakeholders to ensure, to the extent possible, that Federal cybersecurity research and development is not duplicative of private sector efforts.” In addition, the bill directs the National Science Foundation to support cybersecurity research.
Third, the bill tasks the Secretary of Commerce, Director of the National Science Foundation, and Secretary of Homeland Security with supporting competitions to develop and recruit cybersecurity workers and to stimulate innovation in areas including ethical hacking, penetration testing, vulnerability assessment, and offensive and defensive cyber operations. The bill would also continue a federal cyber scholarship-for-service program and mandate a National Academy of Sciences study of existing cyber training programs.
Finally, the bill directs NIST to continue coordination of a national cybersecurity awareness and preparedness campaign to increase “public awareness of cybersecurity, cyber safety, and cyber ethics” and “the understanding of State and local governments and private sector entities” about risk management, mitigation, and remediation.