Will The Cybersecurity Act of 2009 Require IT Security Professionals To Get A License From The Feds?

The Cybersecurity Act of 2009 was just introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). This bill, if passed, could result in sweeping changes in how IT professionals do their job.

There is a provision within this bill that would require the licensure of cybersecurity professionals by the Federal Government. As far as I know, this would be the first time that a Federal license would be required in an area of information technology work. The boundaries of this provision are very vague. In simple terms, this bill could give the Feds the power to control any IT security task that the Feds say impacts critical infrastructure (a term the bill does not define).

I am a member of InfraGard. As InfraGard members, we are told that the Feds consider all the following critical infrastructure: communications, financial services, health care, agriculture, transportation, education, utilities, energy, and first responders.

As we have covered in the Data Security Podcast, the Federal Government’s own auditors have reported that the Feds have a terrible track record in protecting data. For example, in a September report featured on this site:

The Treasury Inspector General for Tax Administration, the IRS’ internal auditors, report that over 1800 internal web servers on the IRS network had not been approved to connect to the network, and over 2000 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability.

For the Feds, failing security grades are the rule, not the exception. Now, the Feds want to tell information security professionals whether they are qualified to do their job, and how to do their job. Some would use a Yiddish word when referring to the Federal Government’s attempt to instruct IT security professionals on how to do their job: Chutzpah.

Laws regulating IT security professionals at the state level have already passed in a few states. The Texas law has resulted in actions against IT professionals at computer retailers.

In Nevada, a similar bill was proposed in 2007 to regulate the work of IT professionals. It was spearheaded by the private investigators’ lobby. That bill, as introduced, would have required that certain IT professionals buy select commercial software packages and be certified by their vendors. That bill passed State Senate committee, and was only stopped by the determined and focused efforts of IT security professionals in Northern Nevada. It appears that only among regulators, and those wishing to limit competition, is there a groundswell of support for the government to license IT professionals.

In the very next episode of the Data Security Podcast (episode 48), we are scheduled to air an interview with Lee Tien of The Electronic Frontier Foundation (EFF) about this bill. Lee Tien and the EFF feel that there are many other areas of the bill to be concerned about, including a sweeping shift by the Feds to transfer cybersecurity from the private sector to the Federal Government, and to transfer responsibility within the Federal Government to the White House. Of great concern is that the bill is without any specifics of where the powers begin and end. For example, the bill gives the Federal Government the authority to determine which systems stay online and which go offline, in the event of an undefined cyber threat.

Last month, entrepreneur and author Rod Beckström resigned as head of the National Cyber Security Center (“NCSC”). He said that his job was being stripped of staff and funding. What, about this bill, did Rod Beckström know, and when did he know it?

We will keep following this bill, and this story, on the Data Security Podcast. You can also follow updates that EFF is posting on their blog. Read the Cybersecurity Act of 2009, and a summary of the bill.

4 Responses to “Will The Cybersecurity Act of 2009 Require IT Security Professionals To Get A License From The Feds?”

  1. If doing your job wrong can directly kill someone, then regulation makes sense. Otherwise it doesn’t.

    If your code runs electric or gas-distribution systems or nuclear power plants which can literally start a fire or worse if the code is buggy, then your code should be regulated. If you code up medical devices where a failure can kill a patient, your code should be regulated.

    For other infrastructure things like banking, medical billing systems, etc., there’s no need to license IT professionals.

  2. […] Ira speaks with Lee Tien of the Electronic Frontier Foundation. Read more about the Cybersecurity Bill of 2009, including a link to the EFF blog posting on the […]

  3. […] Will The Cybersecurity Act of 2009 Require IT Security Professionals To Get A License From The Feds? […]

  4. Sam Caldwell Says:

    The government regulates the medical and legal industries…and we see how that has increased cost, decreased service and limited the availability of quality medical and legal advice to those with sufficient resources.

    IT will be no different if regulated by the government. Historically, IT has been quite good at self-regulation.
