Key Points in the Cybersecurity Act

By Larry Seltzer  |  Posted 2009-04-10

Many of the items in the bill, such as the advisory panel, the state and regional "enhancement program" to raise awareness of cyber-security, and the R&D program, are at worst wastes of money. The fact that some of this money is to be distributed regionally tells me that it will be as well-thought-out as homeland security money, much of which goes to areas with no real homeland security problems. Here are the other parts of the bill that caught my eye:

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE - The basic idea in this long section is that security is too much art and opinion and not enough hard science and engineering, and that "measurable and auditable" standards should exist for all decision making in the field. The bill tasks NIST (National Institute of Standards and Technology) with this job. The standards it calls for would cover metrics for the actual security of a software system, the economic impact and effectiveness of security controls, a computer-readable language for describing system configurations, definitions of secure standard configurations for systems, and a software vulnerability specification language. Conformance with all of these standards would be required of every system and network covered under the act, as discussed a few paragraphs up.

As I already said, much of this work has been done or is in the process of being done. For instance, CVE already gives the industry a standard way of naming and describing vulnerabilities, and the Federal Desktop Core Configuration (a set of secure standard configurations for Windows desktops) has been ongoing for some time. But most of the standards ideas in this section seem impossible to me. Any standard that attempts to define something as controversial and complex as the security of a system, or the economic impact of a security control, is going to be unwieldy.

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS - I'll include the complete text of this section:

(a) IN GENERAL. Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) MANDATORY LICENSING. Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

The real impact of this will depend on how broad a definition of "critical infrastructure" the president chooses, but the impact on IT professionals could be immense. A very large number of you (that means you, readers) will be required to take a course and pass a test, perhaps every few years, or it will be illegal for you to do your job. How do you feel about that?

SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS - This section gives the advisory panel created by the act veto power over decisions made by the assistant secretary of commerce for Communications and Information with respect to renewal or modification of the IANA (Internet Assigned Numbers Authority) contract for operation of the DNS (Domain Name System). No objections here; someone should be reviewing it. It's better that they get to review the decision than to make it.

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM - Within three years after enactment, the aforementioned assistant secretary will formulate a plan to implement DNSSEC, and all systems and networks covered under the act will implement it under a schedule set by the assistant secretary. (The bill doesn't actually say "DNSSEC," but it's clear that's what is meant.) I like the idea in general, but gulp! That's a major undertaking to mandate, and an inconsiderate one to mandate without funding. This will be highly disruptive, which isn't necessarily a reason not to do it.

But a better question to ask about this last provision is, why is the assistant secretary of commerce in charge of it instead of the national cybersecurity advisor? In fact there is no mention of the NCA in this act, presumably because the position is created by a separate bill that is not yet law. Why are they separate acts? The next section I discuss shows how this text could have been written better.


Within 1 year after the date of enactment of this Act, the President, or the President's designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.

This raises the possibility of a national digital ID. We have avoided a formal national ID card for exactly the sort of civil liberties problems to which the text of the act alludes. Fortunately, all this part of the act does is authorize a study. It's not as if there are no good arguments for it, but the rest of the act doesn't put me in a mood to trust the government with it, given the arguments against it.

That covers the really interesting parts, as I see them. I do recommend reading the other parts of the act. It's really not that long. It's indisputable that some agency of the federal government should be paying attention to the security of government and other critical networks. I think it's also indisputable that the reach of this bill is excessive. So get involved when the action heats up on this bill and the future of your job and your industry is decided by a few hundred lawyers.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
