Last month The Cybersecurity Act of 2009 raised its head again with the latest draft and revisions.
Original – April 2009
http://www.opencongress.org/bill/111-s773/show
Current Working – August 2009
http://www.nickthompson.com/s773.pdf
I have marked skepticism when government branches and agencies get involved with such an effort. What is also striking is the inability of the press to present a discussion about cyber security without fear-mongering headlines.
The past year or so has been particularly newsworthy for IT security. Cyber security, cyber warfare, and cyber threats are covered in the news on a daily basis. From stories of the TJX Albert Gonzalez hacking case to North and South Korea's summer dispute using web-based attacks, it has become a very public issue.
Those of us who have seen the integration of IT systems into our lives are dumbfounded that it has taken so long to get a response from the public and the government that something needs to be done about the security of the digital infrastructure.
Dennis C. Blair, Director of National Intelligence, in his 2/12/09 Annual Threat Assessment of the Intelligence Community report for the Senate Select Committee on Intelligence, emphasized heavily that there are large threats to our national security due to the weakness of our digital borders.
However…
If there is a realization of the importance of the infrastructure:
The US information infrastructure, including telecommunications and computer networks and systems, and the data that reside on them, is critical to virtually every aspect of modern life.
The perceived threat to our technology infrastructure is so grave:
Further, the growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructures. Over the past several years we have seen cyber attacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts.
How long will it take to get something done? We do not have the time or resources for an extended pissing contest between government branches and various compliance and security agencies. There are moments in a nation’s history that require real action and not merely discussion – this is one of them.
Respected journalist Bill Moyers recently noted in an interview that America has a history of slowly enacting change, using civil rights as an example. It took more than 100 years after the end of slavery to remove racial integration barriers. 100 years. If, according to the Threat Assessment Report, 81% of all email is SPAM and 15% of all online computers belong to botnets, while “Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious”, then time is not on our side.
The push for The Cybersecurity Act of 2009 at face value seems as though the issues should be tackled head-on because “cybersecurity is the soft underbelly of this country” as stated by the previous Director of National Intelligence, Mike McConnell.
Now there is a lot of noise in the press about the language of the recent Senate bill in both its original April 2009 and August 2009 forms. The Senate has made some marked improvement in the language of the bill:
changing such language as:
may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
to
In the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information system or network — [the president] may declare a cybersecurity emergency; and may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network.
This is a much more progressive and reasoned approach to dealing with a threat and the chain of events that should take place in response. However, the new language was completely ignored and reported with inflammatory headlines such as:
Senate Cybersecurity Act of 2009 Could Shut Down the Internet
Is Move By Obama to Turn Off the Internet In a Cyber-Emergency a Power Grab?
Cyber security plan gives Obama control of Internet
Really? This is the best we can come up with now that we are talking about security? Can we please just have an intelligent public discourse to address the underlying issues at hand?
There is some great language in the bill about public and private sector co-operation in addressing the most important issues and proposing a cybersecurity workforce plan – the troops on the ground for such actions should be a mix of public and private people who have talent, not just titles.
But it does have some negative language such as, “Beginning 3 years after the date of enactment of this Act, it shall be unlawful for an individual who is not certified under the program to represent him or herself as a cybersecurity professional.” There are many groups that are already working toward such goals but this language can be very narrow in focus. For those of us in the cyber security field it is difficult enough to get the time and money for the various SANS, GIAC and ISACA certifications. I would hope that they use these existing and recognized degrees and programs as pre-requisites.
The Government has the logistical ability to get things done when not shooting itself in the foot with political posturing and lobbyist handholding. I would also ask that the Government not feed into the press coverage that stirs up irrational fears about IT security. For this nation to make it out of the current economic mess, it will need clear, unobstructed lanes for information travel. If we keep on this reactionary path to threats instead of taking proactive measures, then we will fail.
There needs to be a top-level initiative about cyber security and the threats that are faced, but it will only work if there is open discussion with people who are in the cyber trenches now and who deal with many of these issues. If the Government could just muster the courage to think past an election cycle and work with companies passionate about this, it can be a winning combination. The public can be safe, politicians can put their names on bills, and business can grow because of the success of innovation.
We now have the issue on the table and hopefully it will not get politicized, lobbied and news bitten to the point of no effect. I ask that the Government take this seriously and reach out to gain public and private cooperation to make this work.