Two US senators last week proposed legislation that would give federal officials new powers to create and enforce data security standards for key parts of the private sector - and even shut down systems in some cases.

The Cybersecurity Act of 2009 would empower the National Institute of Standards and Technology to set "measurable and auditable" security standards for all networks and systems run by federal agencies, government contractors and businesses that support critical infrastructure services.

NIST would also be charged with developing a standard for testing and accrediting software built by or for those groups. In addition, the bill would enable the president to order that critical infrastructure networks be disconnected in the event of cybersecurity emergencies or for reasons of national security.

The bill, which was introduced by senators, Jay Rockefeller (Democrat-West Virginia) and Olympia Snowe (Republican-Maine), doesn't specifically define what would qualify as a critical network or system.

But in a statement, Rockefeller cited a broad set of examples. "We must protect our critical infrastructure at all costs," he said. "From our water to our electricity, to banking, traffic lights and electronic health records - the list goes on."

Snowe added that the public and private sectors "must unite on all fronts," and she warned of a possible "cyber-Katrina" if action isn't taken quickly.

The bill "loosely parallels" a set of cybersecurity recommendations released in December by an outside commission that was set up by the Washington-based Center for Strategic and International Studies, Snowe noted.

Another provision would require the development of a licensing and certification program for government and private-sector security professionals. Meanwhile, a companion bill calls for the addition of a national cybersecurity adviser within the Executive Office of the President.
But Brian Chess, chief scientist at security vendor Fortify Software, isn't convinced that new regulations aimed at the private sector will improve data safeguards. "Security is an attitude," he said, "and it's hard to legislate attitude."