The Proposed Federalization of the Computer Security Field

President Obama promised in his campaign to take cybersecurity seriously and he appears to be following up on that promise. Legislation just introduced in the Senate, written with White House input according to the Washington Post, would federalize the business of computer security. It would give White House officials the power to shut off private networks, decide what products could be used for security and set rules for who could practice computer security.

The legislation is actually in two bills, S.773 and S.778. The titles of the bills are:

S.773—A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

S.778—A bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor.

I couldn't find the actual text of the legislation yet, but there is a short PDF describing it in press release language. Of course such documents are no substitute for examining the actual text.

The emphasis of the opening parts of the press release is on matters about which there is little dispute: government and critical private infrastructure networks need to be protected. It asserts that they are vulnerable and that a new public-private partnership is necessary to address the problem. The advisor created by S.778 would report directly to the president and, according to the press release, would have "...the authority to disconnect a Federal or critical infrastructure network from the Internet if they are found to be at risk of cyber attack."

What are the critical infrastructure networks? The examples provided are "...banking, utilities, air/rail/auto traffic control, telecommunications..." Let's think about this. I'm especially curious as to how you take the telecommunications networks off of the Internet when they are, in large part, what the Internet is comprised of. And if my bank were taken offline I would think about going into my branch and asking for all of my deposits in cash.

The bill would also require a formal national strategy to be drafted. I guess it's better to have a strategy than not to have one, but I'm leery about the true value to security, at least before the long term. It would also require periodic reviews that would politicize the security of private networks.

A public education campaign on cybersecurity would likely have as much effect on the average person as most public education campaigns of this sort, which is not a whole lot.

On the subject of civil rights and cybersecurity it has this cryptic guidance: "The legislation would require the Advisor to review the feasibility of an identity management and authentication program, to include recommendations regarding civil liberties protections." I don't like the sound of that. It sounds like "can we get away with requiring everyone to have a unique digital ID?"

The bill creates a "public-private clearinghouse for cyber threat and vulnerability information-sharing" which sounds like what US-CERT does now. A Cybersecurity Advisory Panel would advice the Advisor and President.

But then it gets interesting again. "Establish enforceable cybersecurity standards." It would require NIST (the National Institute of Standards and Technology) "...to establish measureable [sic] and auditable cybersecurity standards that would be applicable both to government and the private sector." In other words, it would make security rules that the private sector would have to obey. Would some new security regulatory regime be created to enforce these rules? The potential to force huge costs on industry is a real concern here; expect the security software business to be largely enthusiastic. A Secure Products and Services Acquisitions Board would certify products that meet the standards for federal government purchase. How would they do this? By testing? Such testing could be a massive new private sector opportunity.

"Provide for licensing and certification of cybersecurity professionals." What the hell is this? The bill would require "...a professional licensing and certification program for cybersecurity professionals similar to those required for other major professions." So in order to do security functions you'll have to go to Security School and pass your boards? I suppose if you do something unapproved, like the wrong kind of research, your license can be revoked. I don't like where this part is going.

I have to say the whole thing smells bad to me. I don't like the chances of the government improving this situation by taking it over generally, and I definitely don't like the idea of politicizing this authority by putting it in the direct control of the President. If it must be done it should be run through some cabinet agency, probably DHS or Commerce.

I guess I don't mind the standards and research ideas at all; the government has done a lot of good work in that field over many years, although very little of it was mandated. As I've written before, there are some problems that we face which need the weight of government behind them. This is not the same as creating a new federal bureaucracy setting rules over what computer security has to be and who can do it.

A lot of important legislation has been jammed through Congress in the last couple of months with little or nothing in the way of hearings. S.773 and S.778 can't be allowed to go that route. Follow the news on this and let your own representatives know what you think.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack