Cybersecurity Act of 2010 is Bad Medicine

Saturday, May 15, 2010

Richard Stiennon


There are a bunch of cybersecurity bills trickling through Congress right now; some of them several years in the making. 

Senator Rockefeller’s Cybersecurity Act of 2010 (S.773) is deemed the most likely to get voted on by the Senate, as it was just unanimously passed through the Senate committee that he chairs, Commerce, Science, and Transportation.

It is time for the security industry to take a close look at this $1.82 billion bill as it contains some pretty drastic measures that are going to be very disruptive, and I believe detrimental. 

The preamble, labeled “Findings” sets the stage with the dramatic language we have become familiar with:

As a fundamental principle, cyberspace is a vital asset for the nation and the United States should protect it using all instruments of national power, in order to ensure national security, public safety, economic prosperity, and the delivery of critical services to the American public.

Even though there is a definitions section, “cyberspace” is never defined in S. 773.  And, setting aside the dangling participle, this is a rather broad declaration.   All instruments of national power?

There are further claims drawn from various cybersecurity experts including the President, Melissa Hathaway (author of the Cyber Policy Review), Dennis Blair (Director of National Intelligence), Howard Schmidt (Cybersecurity Coordinator), Mike McConnell (former Director of National Intelligence), Paul Kurtz (Good Harbor consultant), James Lewis (Senior Fellow, CSIS), Booz Allen Hamilton, Alan Paller (SANS), and various policy think tanks, supporting the claim that cyberspace is a vital asset, and that it is not secure or resilient.

If we stipulate for the moment that cyberspace is a vital asset and the government needs to step in to make it secure and resilient, let’s examine the rest of the bill to see whether, if enacted, it would accomplish both those goals.

Section 4 of the act requires the President to define critical infrastructure. Specifically: within 90 days of enactment:

“The President, in consultation with sector coordinating councils, relevant government agencies, and regulatory entities, shall initiate a rulemaking …, to establish a procedure for the designation of any information system the infiltration, incapacitation, or disruption of which would threaten strategic national interests as a critical infrastructure information system under this Act.”

In other words, the Act requires the President to convene a bunch of meetings with as yet undefined groups to define a procedure, with no timeline, to designate what is and is not critical.

Now there is a tough task. But not to worry about the implications, these amorphous bodies are also instructed to “establish a procedure…by which the owner or operator of an information system may appeal.”  

This will keep a lot of very high priced lawyers busy for years. Imagine if the NYSE or Mastercard-Visa is designated a “critical information resource.” 

Now comes the great regulatory overlay for IT security professionals, TITLE 1 – Workforce Development.
The President will be required to ask the National Academies (the National Academy of Sciences (NAS), the National Academy of Engineering (NAE), the Institute of Medicine (IOM), and the National Research Council (NRC)) to conduct a one-year study of existing accreditations and report after one year.

From there, within six months, the President will be required to institute accreditation requirements for cybersecurity professionals working within the Federal Government and on designated critical information systems.

There will be semi-annual audits to make sure each system is in compliance and remediation plans will be worked out if a department or agency is not in compliance for two consecutive audits.

The Director of the National Science Foundation (metallurgist Arden L. Bement) shall establish a Federal Cyber Scholarship-for-Service program which will apply to 1,000 students that will receive free-ride scholarships plus stipends and internships.

Promising K-12 students will also be identified for participation in summer work and internships.  I am sure the senators do not really mean to include kindergarten students. 

Funding for the scholarship program will start at $50 million in 2010 and rise to $70 million in 2014. Fifty thousand dollars a year for each student (and program overhead) should do the job.

Next up is the Cybersecurity Competition and Challenge. The Director of NIST (physicist Patrick Gallagher) shall establish cybersecurity competitions and challenges with cash prizes not to exceed $5 million.

The competitions will include middle school students.  $15 million will be appropriated each year through 2014 for NIST to fund this.

Then comes the Cybersecurity Workforce Plan, which requires every Federal agency to develop a strategic cybersecurity workforce plan with a mind-boggling array of requirements for establishing that strategy and measuring its effectiveness.

Title II – Plans and Authority.

This section gives the President 180 days to develop a Comprehensive National Cybersecurity Strategy.  The President may declare a cybersecurity emergency that invokes a “collaborative emergency response and restoration plan” to be developed as part of the Strategy.

Note this is the watered down version of the first proposed legislation, the so-called "kill switch."

Biennial Cyber Review

The President shall complete a review of the cyber posture of the United States every two years.

Cybersecurity Dashboard Pilot Project

Within a year the Secretary of Commerce (Gary Locke) shall propose and implement a “system to provide dynamic, comprehensive, real-time, cybersecurity status and vulnerability information of all Federal Government information systems managed by the Department of Commerce including an inventory of such, vulnerabilities of such systems, and corrective action plans for those vulnerabilities.” 

Apparently this would include all 15 operating units of the Department of Commerce including the Census Bureau, NOAA, and NIST. 

A very nice idea but do not underestimate the momentous size of this task or the disruption to the computing environments of the Commerce Department to pull this off within a year.

NIST Cybersecurity Guidance

This section requires NIST to promote auditable, private sector developed cybersecurity risk management measures.  Another laudable goal but I am afraid that cybersecurity risk management solutions that exist today lag the threat landscape by a number of years. 

While the Federal sector has to play catch-up, the end result of completing this section of the Act, even if it is completely successful, will be agencies that can demonstrate compliance with today’s risk management best practices but remain completely vulnerable to advanced threats.

The requirements of this section will also apply to US Critical Infrastructure Information Systems, creating a huge burden of compliance for an already stressed industry sector.

Joint Intelligence Threat and Vulnerability Assessment

A small section with huge impact reads in total:

“The Director of National Intelligence (Dennis Blair), the Secretary of Commerce (Gary Locke), the Secretary of Homeland Security (Janet Napolitano), the Attorney General (Eric Himpton Holder), the Secretary of Defense (Robert Gates), and the Secretary of State (Hillary Clinton) shall submit to the Congress a joint assessment of, and report on, cybersecurity threats to and vulnerabilities of Federal information systems and United States critical infrastructure information systems.”

No timeline is provided for this monumental task.

Federal Secure Products and Services Acquisitions

The Administrator of the General Services Administration (Martha N. Johnson) shall require that requests for proposals include cybersecurity risk measurement techniques for Federal information systems products.

Perhaps the time has come for this measure but it will add tremendous overhead to an already burdensome acquisition process.

TITLE III Cybersecurity Knowledge Development

There will be a new cybersecurity awareness campaign that “calls on a new generation of Americans to service in the field of cybersecurity.”

The Secretary of Education (basketball pro Arne Duncan) shall establish K-12 curriculum guidelines to address cyber safety, cybersecurity, and cyber ethics. 

The Act also provides for the funding of new cybersecurity research into how to design and build secure software, and test and verify it.

The Cybersecurity Research and Development Act will be amended to provide over $150 million in funds each year, and the Computer and Network Security Centers will receive an additional $50 million per year.

The Computer and Network Security Capacity Building Grants will be enhanced to the tune of $40 million+ per year.  The Scientific and Advanced Technology Act Grants will be bumped up by $5 million+ per year.

The Graduate Traineeships in Computer and Network Security Research will have $20 million+ added.  Total new authorization for TITLE III comes to $1.445 billion through 2014.

TITLE IV Public-Private Collaboration

The first step will be the creation of a Cybersecurity Advisory Panel. This panel will be called on to consult with the President on every other measure in the bill. The members will not be compensated other than for travel expenses.

State and Regional Cybersecurity Centers will be set up to “enhance the cybersecurity of small and medium sized businesses.”  The Secretary of Commerce is given 120 days to issue a description of the Centers.

Note that it has been a year already since Congress passed an Act requiring the Small Business Administration to set up an IT Security Advisory Board. The SBA is already six months late in establishing that board.

Public-Private Clearing House

The government will review how threat information is currently shared between public and private sources and recommend the establishment of a central clearing house for threat and vulnerability information.  That is what InfraGard and US-CERT are supposed to do today.

That's it.  That is the vaunted public-private partnership that Senator Rockefeller is stumping for in his latest public presentations and op-ed pieces.

Repercussions

If passed, S.773 will be an unmitigated disaster for the security industry, security professionals, and the security stance of the US government. 

Remember Sarbanes-Oxley?

There was one tiny reference to "security frameworks" in that bill that caused every security team at publicly traded companies to drop everything they were doing and document their compliance with ITIL and COBIT. 

Some would argue that is a good thing but the end result was not enhanced security postures, but enhanced record keeping.

This bill represents a gargantuan overlay on top of a vibrant industry that is finely tuned to address the rising threats that this bill attempts to address.

It will be a windfall for those involved in cybersecurity certification, and for academics who have been left in the dust by advances in cybersecurity being developed by entrepreneurial firms.

If enacted it will create a guild of government certified security professionals that have the luxury of taking the time to qualify.

And of course, those that vote for this Act will be able to point to the proactive stance they took when the next cyber embarrassment occurs.

They will not have done anything to prevent the next cyber incident but they will have covered their... backs.

Tom Caldwell:

Richard/ISI Readers,

I must comment that this was a well written summary and response for the proposed cyber-security act in its current proposed form. However, let's not forget the current Administration's [and past admins'] track record of drafting one bill in the Senate or House, then passing it back and forth for several drastic changes or amendments (which I believe is most likely to happen here considering the tax dollars and lobbying involved).

I foresee many large established security vendors lobbying to oppose this bill or change it for their own benefit, most notably because of the performance audits, certifications, and, as you noted, most 'risk management' products' need for certification of performance or adequacy. Since their products are mostly static [meaning they haven't changed much in years nor can they within the same deliverable package], they will be seen as a 'second layer' to the new solutions and services developed with this bill's resources or acquisition methods. One example we can cite is traditional anti-virus products at the enterprise or end user level, which we know they'll always implement, but which will most likely fall behind more proactive solutions that block the risk causing an infection in the first place and limit damage after an infection [a proactive approach to multiple threats and collateral damage from the source of the problem, not after it has multiplied or propagated]. Since ALL Federal and Military networks are heavily infected with botnets or other back-door trojans performing all types of malicious activity, it could bring less value to 'legacy' products regularly procured through various channels. Big business is resistant to change, the Federal Government even more so, therefore I cannot see traditional companies or channels benefiting from this bill, and we all know a large number of vendors' best products/technologies were acquired or bought from small to medium companies, some even at the start-up/proof in market stage.

Many will argue that more bureaucracy makes it more difficult to achieve goals, be it procurement, securing a network from hundreds of thousands of penetrations, or preventing a crippling DoS cyber-attack or 'front door' penetration into classified and unclassified networks/assets. While the certifications could 'cost' private corporations more time/money, it would establish a pseudo 'common criteria' level of performance for various security sectors based on past and current proven results. Rather than agencies paying for the lowest bid [likely lower performing], it would require all products to consistently achieve the set level of performance, and this scares those vendors who slip in at a slow cost, but with a return in low overall performance. The current action by agencies I've seen is 'flipping' their system protection suite (sometimes three different vendors' layers) each time it comes up for bid [one or two years in some cases]. In short they are playing whack-a-mole flipping through established products to no avail, and the cost of remedying lost performance and additional support, among other losses, isn't benefiting the Federal sector or Government security at all. This is counter-productive and costly to us, the taxpayers, who have to pay for repetitive inadequacies. I'm not saying there is or ever will be a silver bullet/100% mitigation of all threats [there won't be and promises are a lie]; however, there are many new approaches on the horizon, and they will satisfy this bill's requirements as well as prevent significant breaches of US Government assets.

I believe that some positives will come from a comprehensive cyber-security bill, which are the cross-agency awareness, funding resources, and 'standards' that will go towards developing or procuring new solutions and proven layers to the problems or gaps in existing approaches. The Federal sector may be slow to change; as the old saying goes, they are 20 years behind or 20 years ahead. 'A bill' can force them to be ahead of the threat landscape by making companies worth their salt prove the effectiveness of a ‘solution’ instead of securing our Government with the lowest bid and oldest products [not including new proposed products not listed on a GSA schedule].

Tom Caldwell
Idalis Software, InfoSec Island Partner
James Mulholland:

Our haystacks to needle ratio is going to go through the roof.

Injecting increasing layers of latency and cost into a process that invites more competition by parochial interests that are at best tangential to the solution space.

This is a classic example of mission creep.

What are they thinking?