Senate Panel OKs Bill with Security Standard Mandates

The Cyber Security Research and Development Act, which would authorize the federal government to establish baseline security standards for federal computer systems, has the IT community alarmed.

Senators charged with overseeing commerce and communications this morning approved legislation authorizing the federal government to establish baseline security standards for federal computer systems. Part of an initiative to increase funding for cyber-security research and development, the measure has the information technology community alarmed.

The Cyber Security Research and Development Act would direct the National Institute of Standards and Technology to create a baseline security configuration, which opponents say would put government systems at risk because the mandated technology would not evolve as fast as security threats. They also warn that such federal mandates would have a detrimental effect on technology used by private enterprises.

"Even if you try to update the standard regularly, you would create an outmoded system, and it would be a race to the bottom," said Mario Correa, director of Internet and Network Security Policy at the Business Software Alliance in Washington. "Standards in the federal government can easily migrate to the private sector. Youll be dumbing down security products in the market as a whole."

The standards provision, which received scant support when introduced as a separate bill earlier this year, popped up unexpectedly in the research and development bill and did not generate much public debate on the committee. Sen. George Allen, R-Va., raised concerns that the provision is intended to establish performance benchmarks but would have the unintended consequence of thwarting technology advances. Allen expressed an interest in having the standards language modified before the Senate considers the bill.

Although Congress has traditionally tried to leave standards-setting to the private sector, the current climate of security threats has made lawmakers inclined to intervene more directly in technology. "I do think they want to do the right thing," said Correa. "But this bill points to a general trend in Congress to looking at technology standards as a default solution."

The Senate commerce committee also approved a bill this morning to cut back on unwanted e-mail by making it illegal to disguise the source of a message and by giving users a way to stop receiving spam. The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN SPAM) Act establishes fines and jail time for sending commercial e-mail with fraudulent routing information that has intentionally misleading header information. If the bill is enacted, unsolicited commercial e-mail will have to include an identifier, an opt-out feature and the senders physical address.

The legislation is slated to ease the burden not just on consumers but also on Internet service providers and enterprise network operators, which incur unnecessary costs for storing and handling spam. Not all enterprises welcome Congress intervention, however.

Ron Meyers, manager of Lotus Notes systems at Anixter International Inc. in Skokie, Ill., said spam can be a problem to organizations, consuming resources and slowing down systems. But he said its a problem businesses must solve because any government intervention could have a chilling effect on the Internet, he said.

"One of the reasons the Internet is so valuable is that its wide open. If the government creates more of a burden, then it just becomes more of a place for problems to happen," Meyers said. "Im more in favor of us policing our own systems than Big Brother doing it for us."

Meyers said Anixter does block senders of spam by e-mail, but those senders can simply keep changing addresses. Blocking entire domains gets trickier. "We cant block all e-mails from AOL addresses. Some of our customers use AOL addresses," he said.

Meyers also noted that direct e-mail marketing is becoming a more popular widely used tool to attract and retain customers. Anixter itself uses e-mail marketing to reach customers and prospects.

Related stories:

  • Congress Looks to Amend Security Bill
  • Info Sharing Bill Advances
  • Bill Gives Govt Greater Access to E-Mail