Key Points in the Cybersecurity Act
What Will the Cybersecurity Act of 2009 Do to Your Job and Business?
Not long after I wrote my column on the proposed cyber-security bills in the Senate, the actual text of the legislation became available. As I wrote at the time, my analysis was based on various other materials about the bill made public by the Commerce Committee and sponsoring senators.
Now the text is available in many places, including OpenCongress:
S.778 is short and to the point: the national cybersecurity advisor is an assistant to the president, subject to confirmation by the Senate, has specific duties with respect to advising the president and approval of cyber-security budget items, and has security clearance in relevant matters.
S.773 is where the meat is. It starts out with a collection of provocative quotes from reports and consultants on how vulnerable we are, which is undoubtedly true, although there is the usual hysteria in there with references to 9/11 and a "cyber-Katrina," whatever that is.
The main thing I looked for at first was some guidance about what networks and systems would be subject to oversight by this act. The press materials only referred to government networks and "critical infrastructure" with some examples, but no real definition. No doubt by sheer coincidence, a story in the Wall Street Journal last week asserted (with anonymous quotes but no actual facts) that the U.S. power grid had been hacked by "foreign spies."
The security of such systems, and generally of "SCADA" systems, even if they are privately held, is certainly a national security matter. Concern over this problem is hardly new, nor are vague, unsubstantiated and impossible-to-investigate rumors about it.
What else might qualify for control by the federal government under this bill? Here is the language:
State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.
So we won't know what it is until the president says. He can designate bank networks, perhaps critical common carriers, or whatever else he thinks is critical. Then, in the event of "cyber-attack," he can order those shut off or disconnected. I think Congress owes it to us to put a more solid definition in the bill so that it can be discussed in hearings, on the record, rather than letting the president decide unilaterally.
Many of the items in the bill, such as the advisory panel, the state and regional "enhancement program" to raise awareness of cyber-security, and the R&D program, are at worst wastes of money. The fact that some of this money is to be distributed regionally tells me that it will be as well-thought-out as homeland security money, much of which goes to areas with no real homeland security problems. Here are the other parts of the bill that caught my eye:
SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE. The basic idea in this long section is that security is too much art and opinion and not enough hard science and engineering, and that "measurable and auditable" standards should exist for all decision making in the field. The bill tasks NIST (National Institute of Standards and Technology) with this job. These standards would measure the actual security of a software system, the economic impact and effectiveness of security controls, a computer-readable standard for configuration description, definitions of secure standard configurations of systems, and a vulnerability specification language. Conformance with all these standards would be required of all systems and networks covered under the act, as discussed a few paragraphs up.
As I already said, much of this work has been done or is in the process of being done. For instance, CVE is something of a vulnerability description system and language, and the Federal Desktop Core Configuration has been ongoing for some time. But most of the standards ideas in this seem impossible to me. Any standard that defines something as controversial and complex as security of a system and the economic impact of a security control is going to be unwieldy.
SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS. I'll include the complete text of this section:
(a) IN GENERAL. Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING. Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
The real impact of this will depend on how broad a definition of "critical infrastructure" the president chooses, but the impact on IT professionals could be immense. A very large number of you (that means you, readers) will be required to take a course and pass a test, perhaps every few years, or it will be illegal for you to do your job. How do you feel about that?
SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS. This section gives the advisory panel created by the act veto power over decisions made by the assistant secretary of commerce for Communications and Information with respect to renewal or modification of the IANA (Internet Assigned Numbers Authority) contract for operation of the DNS (Domain Name System). No objections here; someone should be reviewing it. It's better that they get to review the decision than to make it.
SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM. Within three years after enactment, the aforementioned assistant secretary will formulate a plan to implement DNSSEC, and all systems and networks covered under the act will implement it under a schedule set by the assistant secretary. (The bill doesn't actually say "DNSSEC," but it's clear that's what is meant.) I like the idea in general, but gulp! That's a major undertaking to mandate, and an inconsiderate one to mandate without funding. This will be highly disruptive, which isn't necessarily a reason not to do it.
But a better question to ask about this last provision is, Why is the assistant secretary of commerce in charge of it instead of the national cybersecurity advisor? In fact there is no mention of the NCA in this act, presumably because it's not law. Why are they separate acts? The next section I discuss shows how this text could have been written better.
SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT.
Within 1 year after the date of enactment of this Act, the President, or the President's designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.
This raises the possibility of a national Digital ID. We have avoided a formal national ID card for exactly the sort of civil rights problems to which the text of the act alludes. Fortunately, all this part of the act does is authorize a study. It's not that there are no good arguments for it, but the rest of the act doesn't put me in a mood to trust the government with it, given the arguments against it.
That covers the really interesting parts, as I see them. I do recommend reading the other parts of the act. It's really not that long. It's indisputable that some agency of the federal government should be paying attention to the security of government and other critical networks. I think it's also indisputable that the reach of this bill is excessive. So get involved when the action heats up on this bill and the future of your job and your industry is decided by a few hundred lawyers.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.