<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Senate bill mandates strong federal role to make Internet safer</title>
	<atom:link href="http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Fri, 03 Feb 2012 18:38:32 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
	<item>
		<title>By: Styrofoam Sheets ·</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-2709</link>
		<dc:creator>Styrofoam Sheets ·</dc:creator>
		<pubDate>Mon, 08 Nov 2010 13:34:21 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-2709</guid>
		<description>my job as a computer programmer is a very satisfying job                     ::</description>
		<content:encoded><![CDATA[<p>my job as a computer programmer is a very satisfying job                     ::</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jerry</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-1893</link>
		<dc:creator>jerry</dc:creator>
		<pubDate>Thu, 01 Jul 2010 20:47:28 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-1893</guid>
		<description>Are you folks mad??  You would give the power over the exercise of free speech on the internet to one person or agency?  Whatever happened to privacy?  What about checks and balances in our government?    Don&#039;t get rid of your printers and typewriters yet.  It may be the ONLY way free speech will survive this power grab.</description>
		<content:encoded><![CDATA[<p>Are you folks mad??  You would give the power over the exercise of free speech on the internet to one person or agency?  Whatever happened to privacy?  What about checks and balances in our government?    Don&#8217;t get rid of your printers and typewriters yet.  It may be the ONLY way free speech will survive this power grab.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff Kalwerisky, Chief Security Evangelist,  Alpha Software</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-365</link>
		<dc:creator>Jeff Kalwerisky, Chief Security Evangelist,  Alpha Software</dc:creator>
		<pubDate>Tue, 07 Apr 2009 14:43:48 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-365</guid>
		<description>The concept of a cabinet-level Federal CISO makes sense, and kudos to the Obama administration. However, like anything else, the devil is in the details.

To date, the Fed&#039;s information security record is decidedly mixed, with numerous examples of great ideas that either never get implemented or which take forever, due to bureaucratic foot dragging.

In the article, Patricia Titus of Unisys mentions the example of FISMA (the Federal Information Security Management Act), which has taken almost seven years to get working. But keep reading.

In similar vein, HIPAA (the Health Insurance Portability and Accountability Act), which has the laudable goal of protecting patients&#039; sensitive personal information, was enacted by the U.S. Congress in 1996, yet they only got around to enforcement last year.

The bill tasks NIST (National Institute for Standards and Technology) with developing a framework of metrics (&quot;you can&#039;t understand something unless you can measure it&quot;) and compliance tests. That is an excellent idea since NIST is more immune to political interference than, say, the DOD.

However, NIST has already developed and published most of those security concepts over the past several years. Take a look. But most federal agencies seem to have ignored them, attested to by the abysmally low ratings federal departments have received in FISMA audits, mostly Cs, Ds, and Fs, year after dreary year.

FISMA itself has had only limited success. This past February, the DOD and other Federal agencies proposed a new approach in an effort to move away from the annual FISMA security compliance audit: a heavily paper-based process developed by, yes, the NIST.

The proposed Consensus Audit Guidelines (CAG) for assessing network security emphasize automated controls (such as automated inventory of hardware and software), secure configurations for hardware, software and network devices, and continuous vulnerability testing and remediation.

Another question mark over the proposed federal legislation is the usual elephant in the room: BUDGET. Will Congress and the White House mandate adequate dollars for federal agencies to acquire, deploy, and train employees on the necessary hardware and software security tools?

Only time will tell.</description>
		<content:encoded><![CDATA[<p>The concept of a cabinet-level Federal CISO makes sense, and kudos to the Obama administration. However, like anything else, the devil is in the details.</p>
<p>To date, the Fed&#8217;s information security record is decidedly mixed, with numerous examples of great ideas that either never get implemented or which take forever, due to bureaucratic foot dragging.</p>
<p>In the article, Patricia Titus of Unisys mentions the example of FISMA (the Federal Information Security Management Act), which has taken almost seven years to get working. But keep reading.</p>
<p>In similar vein, HIPAA (the Health Insurance Portability and Accountability Act), which has the laudable goal of protecting patients&#8217; sensitive personal information, was enacted by the U.S. Congress in 1996, yet they only got around to enforcement last year.</p>
<p>The bill tasks NIST (National Institute for Standards and Technology) with developing a framework of metrics (&#8220;you can&#8217;t understand something unless you can measure it&#8221;) and compliance tests. That is an excellent idea since NIST is more immune to political interference than, say, the DOD.</p>
<p>However, NIST has already developed and published most of those security concepts over the past several years. Take a look. But most federal agencies seem to have ignored them, attested to by the abysmally low ratings federal departments have received in FISMA audits, mostly Cs, Ds, and Fs, year after dreary year.</p>
<p>FISMA itself has had only limited success. This past February, the DOD and other Federal agencies proposed a new approach in an effort to move away from the annual FISMA security compliance audit: a heavily paper-based process developed by, yes, the NIST.</p>
<p>The proposed Consensus Audit Guidelines (CAG) for assessing network security emphasize automated controls (such as automated inventory of hardware and software), secure configurations for hardware, software and network devices, and continuous vulnerability testing and remediation.</p>
<p>Another question mark over the proposed federal legislation is the usual elephant in the room: BUDGET. Will Congress and the White House mandate adequate dollars for federal agencies to acquire, deploy, and train employees on the necessary hardware and software security tools?</p>
<p>Only time will tell.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: D.</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-349</link>
		<dc:creator>D.</dc:creator>
		<pubDate>Sun, 05 Apr 2009 04:54:56 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-349</guid>
		<description>Well, for all of us that spend their $$ on security certifications like CISSP or GSEC, we can kiss it goodbye because we&#039;ll be felons if we don&#039;t get federally licensed and certified.  And since FISMA passed and federal government consistently gets F grades for their security, how can this bill make anything better, and in 1 year to boot!  I may lose my job- I refuse to be a federally licensed employee.  Our small company may fold if the &quot;license&quot; and &quot;certification&quot; is too expensive - is it ransom?  Did you read the bill, it could be interpreted that the federal government will get their hands into the IT departments of private companies.  This is poor legislation.  And how about that &quot;government dashboard&quot; of the security performance of ALL FEDERAL networks?.. in 90 days!! LOL.  These writers don&#039;t have a clue.  Look out computer programmers, you&#039;re next, cause you&#039;re the cause of our vulnerabilities.</description>
		<content:encoded><![CDATA[<p>Well, for all of us that spend their $$ on security certifications like CISSP or GSEC, we can kiss it goodbye because we&#8217;ll be felons if we don&#8217;t get federally licensed and certified.  And since FISMA passed and federal government consistently gets F grades for their security, how can this bill make anything better, and in 1 year to boot!  I may lose my job- I refuse to be a federally licensed employee.  Our small company may fold if the &#8220;license&#8221; and &#8220;certification&#8221; is too expensive &#8211; is it ransom?  Did you read the bill, it could be interpreted that the federal government will get their hands into the IT departments of private companies.  This is poor legislation.  And how about that &#8220;government dashboard&#8221; of the security performance of ALL FEDERAL networks?.. in 90 days!! LOL.  These writers don&#8217;t have a clue.  Look out computer programmers, you&#8217;re next, cause you&#8217;re the cause of our vulnerabilities.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: G.Adams</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-343</link>
		<dc:creator>G.Adams</dc:creator>
		<pubDate>Sat, 04 Apr 2009 12:34:51 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-343</guid>
		<description>The government and the WH, we&#039;ll end up with an Orwellian net. No better to suffer. No problem with NIST writing standards that is part of function, but let us tread carefully before granting such broad power to a cabinet (political) level agency.</description>
		<content:encoded><![CDATA[<p>The government and the WH, we&#8217;ll end up with an Orwellian net. No better to suffer. No problem with NIST writing standards that is part of function, but let us tread carefully before granting such broad power to a cabinet (political) level agency.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mandeep Khera</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-341</link>
		<dc:creator>Mandeep Khera</dc:creator>
		<pubDate>Fri, 03 Apr 2009 20:52:11 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-341</guid>
		<description>Great post. This bill is very important but at the same time we need to keep privacy rights in mind. Public/Private partnership will bring in great ideas while having the backing of the government backing and infrastructure. You are right - &quot;let&#039;s get it moving forward&quot; before it&#039;s too late</description>
		<content:encoded><![CDATA[<p>Great post. This bill is very important but at the same time we need to keep privacy rights in mind. Public/Private partnership will bring in great ideas while having the backing of the government backing and infrastructure. You are right &#8211; &#8220;let&#8217;s get it moving forward&#8221; before it&#8217;s too late</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bob Pollock</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-340</link>
		<dc:creator>Bob Pollock</dc:creator>
		<pubDate>Fri, 03 Apr 2009 20:42:30 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-340</guid>
		<description>Congratulations to this new Administration and for finally recognizing that our biggest vulnerability is the &#8216;Breaching of our Critical Infrastructures.&#8221; If the LAX Airport breach covering a 48 hour period last year caused massive chaos coupled with major highway disruptions, just imagine what will happen if they took down an assortment of our Critical Infrastructures at once!!! They will defeat us by simply causing one global economic &#8220;meltdown.&#8221; Look what they did to little Estonia &amp; Panama&#039;s Electric Grid last year. Russia finally admitted guilt on the Estonia take down for 24 hours. Even our Utility networks (SCADA) are at risk. Georgia Power nuclear reactors network was breached as well. Then it was Verizon&#8217;s Dallas Hub was breached. Just so happens, we protect these as well. 

To the parties quoted in this article, what have the Goliaths done for you to make your nets any safer? &#8220;Nothing!&#8221; because Cisco, RSA, McAfee, etc. only use Layer 2&amp;3 of the OSI Model. These are the S/W layers which  Roger Schell PhD (Shannon Lecture Series) &amp; Professor Caeili, and many others define as: &#8220;they are hackable, even with encryption.&#8221;  Thanks to small OEM&#039;s like us using &#8220;100% Science&#8221;, we can &quot;Prevent&quot; most of these breaches today! 

Well Unisys we will give you a second chance, after all we are now past the K street lobby and the B--h/ C---y greed. If we are good enough for the Canadian Govt. Dept of Public Safety (DHS), US Navy, US AF, Irish Allied Bank, the NYBd. Of Trade, Passaic City. NJ Data Centers, etc.,. It&#8217;s about time we woke up, and if we are smart we won&#039;t blow it this time around. Legislation is great but it doesn&#8217;t create a solution like ours. The Standards exist, that we used coupled with the Science--- OSI-Layer One, Common Criteria, PCI-DSS, &amp; DARPA 98. You may want to consider inviting me to testify &amp; contribute in drafting the proper specifications. America is now on a roll&#8230;&#8230;.Let&#8217;s finally team and get it right the first time. To that end, we are pleased to License every North American Defense Contractor or OEM as our contribution to being able to fast track hardening up our civilian and regular govt installations with affordable commercial grade H/W &amp; S/W that is 100% transparent to any network running today. 
DtX was born in the ashes of 911 and today it&#039;s in production. That&#039;s our contribution..
BobP/CEO
ContinuumP@gmail.com</description>
		<content:encoded><![CDATA[<p>Congratulations to this new Administration and for finally recognizing that our biggest vulnerability is the &#8216;Breaching of our Critical Infrastructures.&#8221; If the LAX Airport breach covering a 48 hour period last year caused massive chaos coupled with major highway disruptions, just imagine what will happen if they took down an assortment of our Critical Infrastructures at once!!! They will defeat us by simply causing one global economic &#8220;meltdown.&#8221; Look what they did to little Estonia &amp; Panama&#8217;s Electric Grid last year. Russia finally admitted guilt on the Estonia take down for 24 hours. Even our Utility networks (SCADA) are at risk. Georgia Power nuclear reactors network was breached as well. Then it was Verizon&#8217;s Dallas Hub was breached. Just so happens, we protect these as well. </p>
<p>To the parties quoted in this article, what have the Goliaths done for you to make your nets any safer? &#8220;Nothing!&#8221; because Cisco, RSA, McAfee, etc. only use Layer 2&amp;3 of the OSI Model. These are the S/W layers which  Roger Schell PhD (Shannon Lecture Series) &amp; Professor Caeili, and many others define as: &#8220;they are hackable, even with encryption.&#8221;  Thanks to small OEM&#8217;s like us using &#8220;100% Science&#8221;, we can &#8220;Prevent&#8221; most of these breaches today! </p>
<p>Well Unisys we will give you a second chance, after all we are now past the K street lobby and the B&#8211;h/ C&#8212;y greed. If we are good enough for the Canadian Govt. Dept of Public Safety (DHS), US Navy, US AF, Irish Allied Bank, the NYBd. Of Trade, Passaic City. NJ Data Centers, etc.,. It&#8217;s about time we woke up, and if we are smart we won&#8217;t blow it this time around. Legislation is great but it doesn&#8217;t create a solution like ours. The Standards exist, that we used coupled with the Science&#8212; OSI-Layer One, Common Criteria, PCI-DSS, &amp; DARPA 98. You may want to consider inviting me to testify &amp; contribute in drafting the proper specifications. America is now on a roll&#8230;&#8230;.Let&#8217;s finally team and get it right the first time. To that end, we are pleased to License every North American Defense Contractor or OEM as our contribution to being able to fast track hardening up our civilian and regular govt installations with affordable commercial grade H/W &amp; S/W that is 100% transparent to any network running today.<br />
DtX was born in the ashes of 911 and today it&#8217;s in production. That&#8217;s our contribution..<br />
BobP/CEO<br />
<a href="mailto:ContinuumP@gmail.com">ContinuumP@gmail.com</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Scayne</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-338</link>
		<dc:creator>Scayne</dc:creator>
		<pubDate>Fri, 03 Apr 2009 19:13:59 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-338</guid>
		<description>Cool post.  Good to see that some progress is finally being made on the subject.</description>
		<content:encoded><![CDATA[<p>Cool post.  Good to see that some progress is finally being made on the subject.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nicole</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-337</link>
		<dc:creator>Nicole</dc:creator>
		<pubDate>Fri, 03 Apr 2009 17:37:50 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-337</guid>
		<description>Excellent post. It is interesting to see the proposed legislation echoing the recommendations delivered last December by the CSIS Commission on Cybersecurity for the 44th Presidency. I look forward to your future postings on this very important legislation.</description>
		<content:encoded><![CDATA[<p>Excellent post. It is interesting to see the proposed legislation echoing the recommendations delivered last December by the CSIS Commission on Cybersecurity for the 44th Presidency. I look forward to your future postings on this very important legislation.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: eric johnson</title>
		<link>http://lastwatchdog.com/senate-bill-mandates-strong-federal-role-internet/#comment-336</link>
		<dc:creator>eric johnson</dc:creator>
		<pubDate>Fri, 03 Apr 2009 17:30:32 +0000</pubDate>
		<guid isPermaLink="false">http://lastwatchdog.com/?p=1417#comment-336</guid>
		<description>Great to see some progress.  Developing the right incentives for a productive public/private partnership is the key to success.</description>
		<content:encoded><![CDATA[<p>Great to see some progress.  Developing the right incentives for a productive public/private partnership is the key to success.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

