Cybersecurity Act of 2009 In-Depth – Part 2

September 11th, 2009 by Chris

In yesterday’s post I covered the first half of the Cybersecurity Act of 2009. Here’s the write-up on the second half of the bill.

Section 13: Cybersecurity competition and challenge

As the name implies, this sets up funding for a series of competitions to help identify the best and the brightest.

(a) IN GENERAL- The Director of the National Institute of Standards and Technology, directly or through appropriate Federal entities, shall establish cybersecurity competitions and challenges with cash prizes in order to–

(1) attract, identify, evaluate, and recruit talented individuals for the Federal information technology workforce; and

(2) stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that have the potential for application to the Federal information technology activities of the Federal Government.

No red flags here. Prizes cannot exceed $1M without checks and balances kicking in. Don’t get your hopes up. That’s for an entire event, not one specific prize.

Section 14: Public-private clearinghouse

This section seems pretty benign, till you read it closely. Here’s the opening section:

(a) DESIGNATION- The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal Government and private sector owned critical infrastructure information systems and networks.

Yawn. I see this as something you cannot mandate. If you can provide useful information, users will seek out what you have to say. If you simply reprint what has already been released as open source, then my Google news feed will probably get me the info faster and with a better interface. It is easy to want to ignore this section based on this opening statement, but please read a bit further:

(b) FUNCTIONS- The Secretary of Commerce–

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

What??? This to me is the ultimate power grab. So any network or system that can be deemed “critical infrastructure” has to let the commerce department have unfettered access to their network. This access is without regard to due process or the rule of law. “Relevant” is a highly subjective term that can be applied to anything.

So it comes back to that “critical infrastructure” description that we already stated is the judgment call of a single individual. Maybe Microsoft’s network should be deemed critical infrastructure, as they are the government’s primary desktop vendor. Perhaps Linux development servers should also be deemed “critical,” as servers, appliances, and embedded technology are based on this platform. What about anti-virus and firewall vendors who supply products to the government? Internet service providers servicing government networks? Telcos servicing government employees? Universities funded to develop cyber protection techniques? This can be an extremely slippery slope.

To me, this is probably the single most dangerous part of the bill.

Section 15: Cybersecurity risk management report

In short, this section requires the President to produce a report within one year that examines:

(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and

(2) requiring cybersecurity to be a factor in all bond ratings.

This item could be taken in a number of directions. If they are smart, they will look at the feasibility of voiding end user agreements so that software vendors must accept liability for the security failings in their products. Without liability, vendors have little motivation to architect in a security framework from product inception. It is much easier and cheaper to glue it on after paying customers have already encountered problems.

Section 16: Legal framework review and report

This section calls for the President’s office to review existing cybersecurity laws regarding:

the Federal statutory and legal framework applicable to cyber-related activities in the United States

In short, this is a review to see if the laws are still applicable or need updating.

Section 17: Authentication and civil liberties report

Here’s the entire section:

Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.

I’m not sure what to make of this section. It reads like they want to find a single sign-on solution for government networks. If that is the case, I don’t understand the “appropriate civil liberties and privacy protections” statement. This implies an application that is geared more towards the general public. The jury is still out on this section, as I have not seen any other opinions on it.

Section 18: Cybersecurity responsibility and authority

Here’s the section that everyone is freaking out about. The blurb:

The President–

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

Sounds bad, but think of it this way. When planes were crashing into buildings, the President ordered the grounding of all commercial flights. I doubt there was a specific law giving him that specific authority, but given it was an emergency situation, no one argued the point or considered it an abuse of power.

I see this provision as being similar. If it is confirmed that attackers have taken control of the power grid and are now systematically shutting it down, no one is going to fault the President for requiring those organizations to isolate themselves from the Internet at large. It may or may not actually fix the problem, but it would be an expected defense posture. This would occur with or without this provision in the bill.

So to me this section is a lot of hoopla about nothing. Some of the previously discussed sections are far scarier.

Another interesting point in this section:

(5) shall direct the periodic mapping of Federal Government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process

To some extent, this process has already started as part of the Trusted Internet Connections (TIC) program. I’m actually kind of surprised it is not already a requirement. It is possible this is already being done but that data was unavailable when the bill was written.

Section 19: Quadrennial cyber review

(a) IN GENERAL- Beginning with 2013 and in every fourth year thereafter, the President, or the President’s designee, shall complete a review of the cyber posture of the United States, including an unclassified summary of roles, missions, accomplishments, plans, and programs.

In short, each new President gets to provide commentary on how they think their predecessor performed with regard to cybersecurity. This report would be far more useful if it were required a year earlier. That way it would act as a briefing for the new President. It would give them a better idea of what is required going forward.

Section 20: Joint intelligence threat assessment

Specifies (yet another) annual report on cybersecurity to Congress. Nothing to see here. Move along.

Section 21: International norms and cybersecurity deterrence measures

Here’s the clip:

The President shall–

(1) work with representatives of foreign governments–

(A) to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity; and

(B) to encourage international cooperation in improving cybersecurity on a global basis

I see this as being more the role of the Department of Justice. What is needed is better interaction between law enforcement across international borders, not PR snippets and posturing. Think of it this way: what would be more effective in deterring physical crimes across state borders, frequent interaction between state law enforcement agencies, or frequent interaction between Governors?

Section 22: Federal secure products and services acquisitions board

To me, this is probably one of the most positive sections of the bill. Here’s the blurb:

(a) ESTABLISHMENT- There is established a Secure Products and Services Acquisitions Board. The Board shall be responsible for cybersecurity review and approval of high value products and services acquisition and, in coordination with the National Institute of Standards and Technology, for the establishment of appropriate standards for the validation of software to be acquired by the Federal Government.

In short, the government would be using its combined purchasing power to enforce security standards for all software purchases. This can have a profound impact on the commercial industry. Vendors love to complain that it is too expensive to ship secured software. Now if they wish to sell to the government, they will have to meet the appropriate NIST standards. Most likely the secured software would be available for commercial purchase as well. So out of the box you would end up with a more secure product.

Again, I see this as an extremely positive requirement. While vendors may grumble about it, as customers we would all benefit.

Section 23: Definitions

This is simply a definition of terms used in the bill. All are either common terms (like “Internet”) or described in earlier sections.

Exec Summary

There are things to love as well as fear in this bill. It increases funding for cybersecurity research and leverages the government’s buying power to generate more secure software for everyone. At the same time, it attempts to circumvent established processes (as well as the rule of law), which has the potential to make the cybersecurity situation worse rather than better. The bill is currently being reviewed by the Senate Committee on Commerce, Science, and Transportation. Now is the time to voice any praises or concerns you may have.


3 comments

  1. name says:

    I believe that certifications have been hurting the field for a long time. I know many talented people who cannot pass the cert tests because their knowledge is more practical than trivial. I guess if you are good at remembering answers to specific questions, like in a game show, you will pass the test. But if you are a hands-on, let-me-solve-this-problem-with-research-and-deductive-reasoning type, then it would be hard to pass the cert. I myself am studying for a cert because of a requirement and am finding I am having to dumb down my thought process, because the suggested correct answers are not real-world correct answers, but the answers that the test writers felt were the best answer out of the narrow-minded options they gave you. My experience with studying is proving a theory I have: that certifications lead to a narrowing of knowledge. Technology changes so fast, and I am studying topics that are becoming outdated; this is leading to a lack of diversification. My employer thinks the cert process is great, and once I get it, I will magically bring more to the table. Yet as I am studying I am putting personal research aside on cutting-edge virtualization that would have definitely had much more impact on the company than this cert could ever dream of. My brother got out long ago to become an electrician, only needed to take one test, and is licensed for life. He works fewer hours for more money and has free weekends.

  2. Chris says:

    Greets name, ;-)

    First, I want to apologize for the delay in approving your comment. Caught me flying cross country.

    If you are looking for a certification that is truly hands on, check out the offerings from Offensive Security:
    http://www.offensive-security.com/

    This was created by the folks who did BackTrack. The cert is goal orientated, so there are no specific test questions to memorize. Pass/Fail is based on actually being able to do the work. It’s different than most courses in that you will not get all the answers handed to you. You are expected to be able to think through problems, same as if you are doing the work in the field. I have no association with the program, but know people who have taken the course and they all speak highly of it.

    HTH,
    Chris

  3. Margaret Bartley says:

    Security wise we truly are in worse shape than most people want to believe.
    When our computers are built in China, with phone-home programming at the chip level that is below all operating systems, and therefore undetectable, and when most if not all of the applications are written by Chinese, Indian, Israeli and Russian programmers, who host the data who-knows-where, isn’t it a bit late to start worrying about security?
    One significant thing I see with this bill is that it effectively says that the internet is not covered by the Bill of Rights – an important consideration of our fundamental liberties in a day when the internet is displacing the print and over-the-air broadcast media as the primary source of information for our citizenry and electorate.

    In Section 5, you ask what the point is of setting up the Cybersecurity Centers as non-profits.
    The point is that, since they are non-profits, they are not covered by any sunshine (disclosure) laws that apply to governmental agencies. They are not subject to FOIA disclosures. They also do not have the same kinds of ownership disclosure laws that private corporations have. They are essentially unaccountable and unmonitorable. We don’t know who funds them, or who controls them. The WTO is currently setting up rules to allow NGOs seats at the bargaining table. This appears to be the new favorite way our overlords have to work in the dark, as we’ve learned how to investigate corporations, and put laws in to control governmental organizations.

    Section 5’s “support” for small and medium-sized businesses will probably NOT be the altruistic, helpful thing you are hoping for. More likely, it will take the same approach it took to the large businesses – REQUIRING that expensive, resource-heavy modifications be made that will allow intrusive government monitoring and control of all small and medium-sized systems. ISPs and large networks have that in place already. Now they are going after the rest of the systems. Notice that this is a *loan* to small businesses, many of whom are having a hard enough time just paying their rent.
