The IT security field today is wide open: anyone can hang out a shingle and declare him/herself a security pro. That may change in the U.S., in light of the Cyber Security Act of 2009, which will place a massive mantle of regulation on companies that provide “critical network infrastructure” and require cybersecurity professionals to be certified and licensed. All this comes in the wake of warnings from highly placed “experts” (I put that in quotes because many of the experts, like many IT security pros in general, are “self-made” and without formal training in the subject) that the country is extremely vulnerable to a cyber attack.
Prepare for a shake-up in the security industry if this law passes. In the beginning, it would only be illegal to engage in the business of cybersecurity or be employed as a cybersecurity provider if you provide those services to federally designated “critical infrastructure networks,” but we all know there’s a good chance that would eventually expand to cover all networks. After all, on the Internet they’re all connected to the networks that make up the “critical infrastructure.”
However, it’s not a given that the law will pass in its current incarnation. As its name suggests, it’s been winding its way through the legislature for almost a year now, and it has incurred some powerful opposition on the basis of privacy concerns and government control. The Electronic Frontier Foundation (EFF) came out strongly against it back in April 2009:
The Senate bill is sponsored by Senators John Rockefeller, Evan Bayh, Bill Nelson and Olympia Snowe. You can read the full text of the bill here and decide what you think about it: