Senate bill mandates strong federal role to make Internet safer
Posted on | April 3, 2009 | 9 comments
Sen. John Rockefeller and Sen. Olympia Snowe this week introduced proposed cybersecurity legislation that would create a cabinet-level cybersecurity advisor reporting directly to President Obama — and also create extraordinary powers to enable the federal government to take over leadership in making the Internet safer.
This comes with word expected any day now from Melissa Hathaway, the management consultant tasked by President Obama to conduct a 60-day review of U.S. cybersecurity policy.
Rockefeller-Snowe reflects the wide, bipartisan consensus that has already gelled in the security community about the need for the federal government, directed by the White House, to step forward.
The proposed legislation echoes the recommendations in this report, delivered last December, to then President-elect Obama by the Center for Strategic and International Studies (CSIS), and reinforced by this report delivered earlier this year to the Senate, from the Dartmouth College-based Institute for Information Infrastructure Protection (I3P).
With cyber threats continuing to rise to unprecedented levels, across the board, endangering consumers, all businesses and our national security, LastWatchdog says, “Let the debate begin, and let’s get moving forward!”
Here are some early reactions to the Rockefeller-Snowe cybersecurity bill from folks paying close attention:
Patricia Titus, CISO at Unisys: “I’m impressed by the section of the bill that calls for National Institute of Standards and Technology (NIST) to develop cybersecurity metrics and compliance tests. Most of the framework has already been completed by NIST, so this might be viewed as now ‘operationalizing’ the framework. But I’m concerned because it’s taken us more than seven years to refine the existing Federal Information Security Management Act, and this legislation calls for completion in one year, which seems aggressive. This work is critical, and we need to do it right the first time.”
Mandeep Khera, CMO at CENZIC: “We think this type of a bill is long overdue. There’s a virtual war being launched against the United States – both in private and public sectors – from other countries and we are not even aware of our weaknesses. Forget about fighting them, we first need to understand these vulnerabilities at the entire infrastructure layer and understand where most of the attacks are coming from. Once we know the weaknesses, we need to put together a plan to enforce compliance for all organizations and provide help where the smaller companies cannot afford to be compliant by offering special tax breaks or other government aid.”
Leslie Harris, President and CEO at Center for Democracy and Technology: “The cybersecurity threat is real. But such a drastic federal intervention in private communications technology and networks could harm both security and privacy.”
Comments
Great to see some progress. Developing the right incentives for a productive public/private partnership is the key to success.
Comment by eric johnson — 4/3/2009 @ 11:30 am
Excellent post. It is interesting to see the proposed legislation echoing the recommendations delivered last December by the CSIS Commission on Cybersecurity for the 44th Presidency. I look forward to your future postings on this very important legislation.
Comment by Nicole — 4/3/2009 @ 11:37 am
Cool post. Good to see that some progress is finally being made on the subject.
Comment by Scayne — 4/3/2009 @ 1:13 pm
Congratulations to this new Administration and for finally recognizing that our biggest vulnerability is the “Breaching of our Critical Infrastructures.” If the LAX Airport breach covering a 48 hour period last year caused massive chaos coupled with major highway disruptions, just imagine what will happen if they took down an assortment of our Critical Infrastructures at once!!! They will defeat us by simply causing one global economic “meltdown.” Look what they did to little Estonia & Panama’s Electric Grid last year. Russia finally admitted guilt on the Estonia take down for 24 hours. Even our Utility networks (SCADA) are at risk. Georgia Power nuclear reactors network was breached as well. Then it was Verizon’s Dallas Hub was breached. Just so happens, we protect these as well.
To the parties quoted in this article, what have the Goliaths done for you to make your nets any safer? “Nothing!” because Cisco, RSA, McAfee, etc. only use Layer 2&3 of the OSI Model. These are the S/W layers which Roger Schell PhD (Shannon Lecture Series) & Professor Caeili, and many others define as: “they are hackable, even with encryption.” Thanks to small OEM’s like us using “100% Science”, we can “Prevent” most of these breaches today!
Well Unisys we will give you a second chance, after all we are now past the K street lobby and the B–h/ C—y greed. If we are good enough for the Canadian Govt. Dept of Public Safety (DHS), US Navy, US AF, Irish Allied Bank, the NY Bd. of Trade, Passaic City NJ Data Centers, etc. It’s about time we woke up, and if we are smart we won’t blow it this time around. Legislation is great but it doesn’t create a solution like ours. The Standards exist, that we used coupled with the Science: OSI-Layer One, Common Criteria, PCI-DSS, & DARPA 98. You may want to consider inviting me to testify & contribute in drafting the proper specifications. America is now on a roll… Let’s finally team and get it right the first time. To that end, we are pleased to License every North American Defense Contractor or OEM as our contribution to being able to fast track hardening up our civilian and regular govt installations with affordable commercial grade H/W & S/W that is 100% transparent to any network running today.
DtX was born in the ashes of 911 and today it’s in production. That’s our contribution.
BobP/CEO
ContinuumP@gmail.com
Comment by Bob Pollock — 4/3/2009 @ 2:42 pm
Great post. This bill is very important but at the same time we need to keep privacy rights in mind. Public/Private partnership will bring in great ideas while having the backing of the government and its infrastructure. You are right – “let’s get it moving forward” before it’s too late.
Comment by Mandeep Khera — 4/3/2009 @ 2:52 pm
The government and the WH, we’ll end up with an Orwellian net. No better to suffer. No problem with NIST writing standards, that is part of its function, but let us tread carefully before granting such broad power to a cabinet (political) level agency.
Comment by G.Adams — 4/4/2009 @ 6:34 am
Well, for all of us that spend their $$ on security certifications like CISSP or GSEC, we can kiss it goodbye because we’ll be felons if we don’t get federally licensed and certified. And since FISMA passed and federal government consistently gets F grades for their security, how can this bill make anything better, and in 1 year to boot! I may lose my job – I refuse to be a federally licensed employee. Our small company may fold if the “license” and “certification” is too expensive – is it ransom? Did you read the bill? It could be interpreted that the federal government will get their hands into the IT departments of private companies. This is poor legislation. And how about that “government dashboard” of the security performance of ALL FEDERAL networks?.. in 90 days!! LOL. These writers don’t have a clue. Look out computer programmers, you’re next, cause you’re the cause of our vulnerabilities.
Comment by D. — 4/4/2009 @ 10:54 pm
The concept of a cabinet-level Federal CISO makes sense, and kudos to the Obama administration. However, like anything else, the devil is in the details.
To date, the Fed’s information security record is decidedly mixed, with numerous examples of great ideas that either never get implemented or which take forever, due to bureaucratic foot dragging.
In the article, Patricia Titus of Unisys mentions the example of FISMA (the Federal Information Security Management Act), which has taken almost seven years to get working. But keep reading.
In similar vein, HIPAA (the Health Insurance Portability and Accountability Act), which has the laudable goal of protecting patients’ sensitive personal information, was enacted by the U.S. Congress in 1996, yet they only got around to enforcement last year.
The bill tasks NIST (National Institute for Standards and Technology) with developing a framework of metrics (“you can’t understand something unless you can measure it”) and compliance tests. That is an excellent idea since NIST is more immune to political interference than, say, the DOD.
However, NIST has already developed and published most of those security concepts over the past several years. Take a look. But most federal agencies seem to have ignored them, attested to by the abysmally low ratings federal departments have received in FISMA audits, mostly Cs, Ds, and Fs, year after dreary year.
FISMA itself has had only limited success. This past February, the DOD and other Federal agencies proposed a new approach in an effort to move away from the annual FISMA security compliance audit: a heavily paper-based process developed by, yes, the NIST.
The proposed Consensus Audit Guidelines (CAG) for assessing network security emphasize automated controls (such as automated inventory of hardware and software), secure configurations for hardware, software and network devices, and continuous vulnerability testing and remediation.
Another question mark over the proposed federal legislation is the usual elephant in the room: BUDGET. Will Congress and the White House mandate adequate dollars for federal agencies to acquire, deploy, and train employees on the necessary hardware and software security tools?
Only time will tell.
Comment by Jeff Kalwerisky, Chief Security Evangelist, Alpha Software — 4/7/2009 @ 8:43 am
Are you folks mad?? You would give the power over the exercise of free speech on the internet to one person or agency? What ever happened to privacy? What about checks and balances in our government? Don’t get rid of your printers and typewriters yet. It may be the ONLY way free speech will survive this power grab.
Comment by jerry — 7/1/2010 @ 2:47 pm