-------- Original Message --------
Subject: Query from CBS News re: revised Rockefeller/Cybersecurity Act / S.773
Date: Wed, 26 Aug 2009 14:20:11 -0700
From: Declan McCullagh
Reply-To: declan@cbsnews.com
Organization: CBSNews.com
To: charles_stewart@commerce.senate.gov

Charles,

Thanks for talking a minute ago. I'm reading a revised draft of the Cybersecurity Act/S.773 dated this month and had a few questions:

* The original version of the legislation allowed the National Cybersecurity Advisor to disconnect "critical" networks from the Internet. The revised version says the president can "declare a cybersecurity emergency" relating to "nongovernmental" networks and "direct the national response to the cyber threat." That seems vague: does it mean the executive branch does or does *not* have the power to disconnect private networks?

* The revised version gives the executive branch 180 days to "implement" a "comprehensive national cybersecurity strategy" and 90 days to develop a plan to implement a "dashboard pilot project." But the mandated legal review won't be done until 1 year. Why not wait until the legal review is done before implementing a "comprehensive national cybersecurity strategy?"

* In Silicon Valley and the tech industry in general, lots of employees do not have formal training in computer security (they may have studied math or physics, for instance) but nevertheless work in that area. Bill Gates, Steve Jobs, Michael Dell, and Larry Ellison don't have college degrees. Will the cybersecurity certification program be open to non-degreed people? And does the "certified service provider" extend to services like Gmail and Hotmail?

* One section says that private sector crit. infrastructure firms "shall share" certain information with the federal government. Is this open-ended, or are there limits to this requirement?

Thanks for your help!

Best,
Declan