There have been quite a few articles on the Cybersecurity Act of 2009. Most have focused on the section that would give the President the power to “shut down the Internet”. But are there other things in this bill you should be even more concerned about? Is there anything actually useful in the bill? In this two-part post I’ll take you through the bill section by section.
The first two sections are simply the index and the findings. One notable quote from section 2:
(1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.
This sets the tone for the rest of the section, and I have to say I agree with the statement. Security-wise, we truly are in worse shape than most people want to believe.
Section 3: Cybersecurity advisory panel
These two quotes really say it all:
(a) IN GENERAL- The President shall establish or designate a Cybersecurity Advisory Panel.
(c) DUTIES- The panel shall advise the President on matters relating to the national cybersecurity program and strategy
I have mixed feelings regarding these points. I think cybersecurity is important enough to deserve high-level visibility. However, this bill goes hand in hand with S. 788, a bill to create the position of Cybersecurity Advisor, and H.R. 1910, a bill to create the position of Chief Technology Officer. Both of these positions would report directly to the President, so it seems more useful to have the panel fall under those two roles in the national org chart. It may just be semantics, but one of the issues we have today is parallel authority with no clear ownership of problems. If all three bills pass, I see a higher chance of creating conflicts than resolutions.
Section 4: Real time cybersecurity dashboard
I’ve seen little attention given to this item, but there is an easily overlooked statement in this section:
The Secretary of Commerce shall
(1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce;
A couple of points here. Why just the Department of Commerce? If this will be a truly useful resource, why not extend its use beyond this one government office? Also, the statement is vague: “real-time cybersecurity status and vulnerability information” could mean anything from something as ineffectual as the national threat level to a subset of the data already provided by sites such as DShield or Homeland Security’s Open Source Infrastructure Report. Either way I see this as a long-term failure.
Section 5: State and regional cybersecurity program
Here’s the focus of this section:
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.
Sounds good on the first read, but what’s up with the “affiliated with… nonprofit institution or organization” language? We could easily end up with a decentralized system with no clear point of contact for its target audience. So if I need help with cybersecurity, I should go to… The Jimmy Fund? Farm Aid? Or maybe it’s the Tennessee Elephant Sanctuary?
Personally, I think these centers should be affiliated with InfraGard. It has chapters in nearly every state, already has a long history of community outreach, and is already focused on dealing with cybersecurity issues. My guess is that the Commerce Department wants complete control, while InfraGard is already associated with the FBI.
So what is the goal of creating these centers?
(b) PURPOSE- The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States
This is an admirable goal. Due to lack of resources, small and medium-sized businesses are struggling the most; probably the only demographic that is larger is home users. If we could take steps to support these organizations, it would go a long way towards fortifying our national security posture.
The centers would support small and medium businesses by:
(1) disseminate cybersecurity technologies, standard, and processes based on research by the Institute for the purpose of demonstrations and technology transfer;
(2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies to protect against and mitigate the risk of cyber attacks to a wide range of companies and enterprises, particularly small- and medium-sized businesses; and
(3) make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees.
Again, I see these activities as a great fit for InfraGard. Deployment would be expedited because a national structure already exists, which would dramatically shorten the time needed to make these resources available.
Section 6: NIST standards development and compliance
The bill looks to NIST to develop security standards for all government agencies:
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks
NIST is already responsible for setting standards, and its security publications are considered some of the best in the industry. Under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996, NIST is already charged with developing Federal Information Processing Standards (FIPS), and FISMA (2002) already requires federal agencies to follow them.
I’m not a lawyer, but I don’t see anything in this section that has not already been specified by earlier legislation, except this tidbit under “(d) Compliance enforcement”:
(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.
I’m honestly not sure whether the President currently has the power to (arbitrarily?) designate any network or system as “critical” and thus subject to this section. I prefer specific definitions to subjectively trusting the judgment of a single individual. Specific criteria cover us in both directions: systems that should have been included but were missed, as well as systems that don’t really belong on the list.
Section 7: Licensing and certification of cybersecurity professionals
This section really scares me as it has the potential to do more harm than good. Here’s the description:
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
To me, this section reads as if it was written by someone with no idea of the scope of what is needed to address the problem. Cybersecurity is not a single discipline. There are experts who focus on malware analysis, perimeter security, packet decoding and intrusion analysis, incident handling, host-specific security, auditing, forensics, wireless, databases, and the list goes on. A national certification and licensing program would end up being one of the following:
- So general it really does not mean anything
- So difficult “certified” resources would be hard to come by
Because of the diversity of the cybersecurity field, there really is no middle ground. This section then goes on to say:
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
Wait a minute. Let’s just take one glaring example. Alan Paller is the Director of Research at SANS, is quoted in this bill (Section 2, #8), and is one of my personal heroes in this industry. He has provided counsel to the White House and Congress multiple times. He’s one of those unique individuals who can bridge the gap between people who speak different languages (geeks, CFOs, COOs, etc.). While he knows the industry, he’s not the kind of guy who spends his time writing Nessus plugins or decoding TCP attack streams. Is it truly the intent of this bill to lose resources like Alan if they choose not to certify?
There is a pattern here, however. Like so many line items before it, this section puts control in the hands of the Commerce Department. So I personally think this is less about ensuring we have skilled personnel supporting network security and more about grabbing power.
Section 8: Review of NTIA domain name contracts
This is another scary section:
(a) IN GENERAL- No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel–
(1) has reviewed the action;
(2) considered the commercial and national security implications of the action; and
(3) approved the action.
The Internet Assigned Numbers Authority (IANA) functions (management of the DNS root zone, allocation of IP address blocks to the regional registries, and the protocol parameter registries) are performed by the Internet Corporation for Assigned Names and Numbers (ICANN) under a contract with the Commerce Department’s NTIA, and that contract is exactly what this section targets. ICANN is a nonprofit with international participation that coordinates these identifier systems rather than operating the Internet itself. It takes guidance from a number of organizations, including the Internet Engineering Task Force (IETF), which defines the standards for Internet communications and whose protocol registries IANA maintains. The IETF is an open international body made up of everyone from individual researchers to vendors.
To me, this section sounds like an attempt to bring financial pressure on these organizations by making renewal of the IANA contract conditional on the panel’s approval. Again, this seems to be an attempt to consolidate more power under the Commerce Department, especially when you combine it with section 9.
Section 9: Secure domain name addresses system
Here’s the clip:
(a) IN GENERAL- Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President’s designee, as critical infrastructure information systems or networks.
As mentioned in the last section, developing Internet standards is the role of the IETF, not the Commerce Department. Further, we already have standards to secure the domain name system (DNSSEC) and the routing system (S-BGP, which lets routers verify that the announcing network is authorized to originate an address block and that the announced path is genuine). The problem is that their deployment has been extremely slow. What we need is deployment of the existing standards, not competing ones developed outside of the accepted IETF process.
This section then goes on to say:
(b) COMPLIANCE REQUIRED- The President shall ensure that each Federal agency and each such system or network implements the secure domain name addressing system in accordance with the schedule published by the Assistant Secretary.
OK, here’s the problem. DNSSEC and S-BGP only pay off when both ends of the exchange take part. Signing the .gov zones does nothing for a user whose resolver never validates the signatures, and signing route announcements does nothing for a network that never checks them, so the protection has to be deployed broadly rather than by one party. That’s part of the reason it has been taking so long. If the federal government deployed DNSSEC and S-BGP today, it alone would do little to prevent domain name hijacking or route redirection, because attackers could simply work against the unprotected resolvers and routers outside the government’s perimeter.
I have to say I share the frustration in this area. Both DNSSEC and S-BGP have been around for roughly 10 years. I think we need to suck it up on the disruptions that may be caused by deployment and just get the job done. Perhaps ICANN needs a fire lit under it to create some forward motion. I’m just not convinced these two sections are the way to go about it.
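To make that split concrete, here is a toy model of the signing and validating halves of DNSSEC. It is an added example, not code from the original post or from any real DNSSEC implementation: the zone (www.example.gov.), the attacker’s address and the key are all constructed, and the signature scheme is textbook RSA with a tiny key so it runs on the Python standard library alone. It shows that a signed answer, once tampered with, is rejected by a validating resolver but accepted unchanged by a non-validating one, so the signing side’s work is wasted on every client that does not validate.

```python
"""Toy model of why DNSSEC only helps clients whose resolvers validate.

Constructed example: the zone, the key and the 'attacker' are all made up,
and the signature scheme is textbook RSA with a tiny key so that it runs with
nothing but the standard library. It is NOT a DNSSEC implementation; real
DNSSEC uses wire-format canonical RRsets, RRSIG records with validity windows,
DNSKEY/DS chains of trust and 2048-bit RSA or elliptic-curve keys.
"""
import hashlib

# Toy RSA key pair, labelled as such: p and q are the 9999th and 10000th
# primes, far too small for real use but enough to show the mechanics.
P, Q = 104723, 104729
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
ZONE_DNSKEY = (E, N)                # public half a validator would fetch as DNSKEY


def rrset_digest(owner, rrtype, rdata):
    """Hash a canonical form of the RRset: lower-cased owner, sorted rdata."""
    canonical = "|".join([owner.lower(), rrtype] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big") % N


class SignedZone:
    """Authoritative side: every answer carries an RRSIG over the RRset."""

    def __init__(self, records):
        self.records = records  # {(owner, rrtype): [rdata, ...]}

    def answer(self, owner, rrtype):
        rdata = list(self.records[(owner, rrtype)])
        rrsig = pow(rrset_digest(owner, rrtype, rdata), D, N)
        return {"owner": owner, "type": rrtype, "rdata": rdata, "rrsig": rrsig}


def spoof(answer, fake_rdata):
    """On-path attacker: rewrites the answer but holds no private key, so the
    RRSIG it forwards no longer matches the data it carries."""
    forged = dict(answer)
    forged["rdata"] = list(fake_rdata)
    return forged


def verify_rrsig(answer, dnskey):
    """Validator side: recompute the digest and compare with the RRSIG."""
    e, n = dnskey
    expected = rrset_digest(answer["owner"], answer["type"], answer["rdata"])
    return pow(answer["rrsig"], e, n) == expected


def resolve(answer, validating, trust_anchor=ZONE_DNSKEY):
    """Return the rdata a client will act on, or None (SERVFAIL) when a
    validating resolver rejects the signature. A non-validating resolver
    never looks at the RRSIG at all, which is the deployment gap."""
    if validating and not verify_rrsig(answer, trust_anchor):
        return None
    return answer["rdata"]


def demo():
    """Run the honest, reordered and spoofed answers through both resolver types."""
    zone = SignedZone({("www.example.gov.", "A"): ["192.0.2.10", "192.0.2.11"]})
    honest = zone.answer("www.example.gov.", "A")
    reordered = dict(honest)                       # same RRset, different order
    reordered["rdata"] = list(reversed(honest["rdata"]))
    forged = spoof(honest, ["203.0.113.66"])       # attacker's constructed address
    return {
        "honest_plain": resolve(honest, validating=False),
        "honest_validating": resolve(honest, validating=True),
        "reordered_validating": resolve(reordered, validating=True),
        "forged_plain": resolve(forged, validating=False),
        "forged_validating": resolve(forged, validating=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The reordered case is there because real DNSSEC signs a canonical ordering of the RRset, so an answer whose records arrive in a different order still validates; the forged case is the one that matters for this section, and it is only caught on the resolver that bothers to check.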
Section 10: Promoting cybersecurity awareness
You knew a PR campaign has to be included in here somewhere, right? Here’s the blurb:
The Secretary of Commerce shall develop and implement a national cybersecurity awareness campaign
I’m not sure how useful this will be, because the news feeds are already full of stories describing our current state of security. I see this as having the potential to be silly rather than informative. I have visions of walking into my kid’s school and seeing a poster that states “Billy Bytes Says Don’t Be A H4X0r”. OK, hopefully that will never happen, but you never know.
Section 11: Federal cybersecurity research and development
Here’s the initial statement:
(a) FUNDAMENTAL CYBERSECURITY RESEARCH- The Director of the National Science Foundation shall give priority to computer and information science and engineering research to ensure substantial support is provided to meet the following challenges in cybersecurity:
This section dumps a lot of money into the research and development of cybersecurity techniques, amending existing authorizations to increase spending from $265M in 2010 to over $310M by 2014. There are already other programs that fund cybersecurity research, but provided the funds are managed appropriately I see this as helpful to the cause.
Section 12: Federal cyber scholarship for service program
Here’s the clip:
(a) IN GENERAL- The Director of the National Science Foundation shall establish a Federal Cyber Scholarship-for-Service program to recruit and train the next generation of Federal information technology workers and security managers.
This is no different from many other “scholarship for service” programs. I see this as beneficial to both the student and the government. $50M is allocated to the program, increasing to $70M by 2014.
That’s it for now. Tomorrow I’ll post the last half of the bill.