Message #2305 of 2386: The Proposed Federalization of the Computer Security Field

Security



The Proposed Federalization of the Computer Security Field
By Larry Seltzer <http://www.eweek.com/cp/bio/Larry-Seltzer/>
2009-04-02


Proposed legislation would put authority over the security of
government and private networks in the hands of officials reporting to the
President.
President Obama promised in his campaign to take cybersecurity
seriously <http://www.barackobama.com/2008/07/16/remarks_of_senator_barack_obam_95.php>
and he appears to be following up on that promise. Legislation just
introduced in the Senate, written with White House input according to the
Washington Post <http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html>,
would federalize the business of computer security. It would give
White House officials the power to shut off private networks, decide what
products could be used for security and set rules for who could practice
computer security.

The legislation is actually in two bills, S.773 and S.778. The
titles of the bills are:

S.773-A bill to ensure the continued free flow of commerce within
the United States and with its global trading partners through secure cyber
communications, to provide for the continued development and exploitation of the
Internet and intranet communications for such purposes, to provide for the
development of a cadre of information technology specialists to improve and
maintain effective cybersecurity defenses against disruption, and for other
purposes.
and
S.778-A bill to establish, within the Executive Office of the
President, the Office of National Cybersecurity Advisor.
I couldn't find the actual text of the legislation yet, but there is
a short PDF describing it in press release language
<http://commerce.senate.gov/public/_files/Cyberbillsummaryonepagerplusthreepagesummarypressrelease1Apr090.pdf>.
Of course such documents are no substitute for examining the actual text.

The emphasis of the opening parts of the press release is on matters
about which there is little dispute: government and critical private
infrastructure networks need to be protected. It asserts that they are
vulnerable and that a new public-private partnership is necessary to address the
problem. The advisor created by S.778 would report directly to the president
and, according to the press release, would have "...the authority to disconnect
a Federal or critical infrastructure network from the Internet if they are found
to be at risk of cyber attack."

What are the critical infrastructure networks? The examples provided
are "...banking, utilities, air/rail/auto traffic control,
telecommunications..." Let's think about this. I'm especially curious as to how
you take the telecommunications networks off of the Internet when they are, in
large part, what the Internet is comprised of. And if my bank were taken offline
I would think about going into my branch and asking for all of my deposits in
cash.

The bill would also require a formal national strategy to be
drafted. I guess it's better to have a strategy than not to have one, but I'm
leery about the true value to security, at least before the long term. It would
also require periodic reviews that would politicize the security of private
networks.

A public education campaign on cybersecurity would likely have as
much effect on the average person as most public education campaigns of this
sort, which is not a whole lot.

On the subject of civil rights and cybersecurity it has this cryptic
guidance: "The legislation would require the Advisor to review the feasibility
of an identity management and authentication program, to include recommendations
regarding civil liberties protections." I don't like the sound of that. It
sounds like "can we get away with requiring everyone to have a unique digital
ID?"

The bill creates a "public-private clearinghouse for cyber threat
and vulnerability information-sharing" which sounds like what US-CERT does now.
A Cybersecurity Advisory Panel would advise the Advisor and President.

But then it gets interesting again. "Establish enforceable
cybersecurity standards." It would require NIST (the National Institute of
Standards and Technology) "...to establish measureable [sic] and auditable
cybersecurity standards that would be applicable both to government and the
private sector." In other words, it would make security rules that the private
sector would have to obey. Would some new security regulatory regime be created
to enforce these rules? The potential to force huge costs on industry is a real
concern here; expect the security software business to be largely enthusiastic.
A Secure Products and Services Acquisitions Board would certify products that
meet the standards for federal government purchase. How would they do this? By
testing? Such testing could be a massive new private sector opportunity.

"Provide for licensing and certification of cybersecurity
professionals." What the hell is this? The bill would require "...a professional
licensing and certification program for cybersecurity professionals similar to
those required for other major professions." So in order to do security
functions you'll have to go to Security School and pass your boards? I suppose
if you do something unapproved, like the wrong kind of research, your license
can be revoked. I don't like where this part is going.

I have to say the whole thing smells bad to me. I don't like the
chances of the government improving this situation by taking it over generally,
and I definitely don't like the idea of politicizing this authority by putting
it in the direct control of the President. If it must be done it should be run
through some cabinet agency, probably DHS or Commerce.

I guess I don't mind the standards and research ideas at all; the
government has done a lot of good work in that field over many years, although
very little of it was mandated. As I've written before
<http://www.eweek.com/c/a/Security/In-the-Obama-Era-Routing-Has-to-Change-Too/>,
there are some problems that we face which need the weight of government
behind them. This is not the same as creating a new federal bureaucracy setting
rules over what computer security has to be and who can do it.

A lot of important legislation has been jammed through Congress in
the last couple of months with little or nothing in the way of hearings. S.773
and S.778 can't be allowed to go that route. Follow the news on this and let
your own representatives know what you think.

Security Center Editor Larry Seltzer <mailto:larry.seltzer@...> has worked in
and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at
eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack
<http://blogs.eweek.com/cheap_hack/>








Posted by Howard Potash (hjpotash), Tue Apr 7, 2009 1:42 pm
