COMMENTARY

A cyber bill worth enacting

Despite some industry concerns, the Senate cybersecurity bill hits the right marks

We have routinely supported those who call for the overhaul of the Federal Information Security Management Act and highlight the need for more effective, real-time situational awareness in securing federal information systems. So the long-awaited cybersecurity bill (S. 3480) introduced in the Senate June 10 by Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Thomas Carper (D-Del.) is welcome news — and an important milestone that should draw cheers from many quarters.

The 2010 Protecting Cyberspace as a National Asset Act stands out among a recent flurry of congressional efforts to address national cybersecurity, in part for what the bill proposes, in part for what it does not, and in part because it has a realistic probability of being enacted.

The legislation, among other measures, would create a White House Office of Cyberspace Policy, led by a Senate-confirmed director, to oversee all federal cybersecurity efforts. It also would create a National Center for Cybersecurity and Communications at the Homeland Security Department to defend .gov networks and oversee the defenses of the nation’s most critical infrastructure. 

Less visible but equally important, the legislation would set up a more clearly defined framework for government and the private sector to develop a baseline of security requirements that DHS would enforce for that infrastructure. It would provide DHS much-needed help in building its cyber workforce. 

The bill also recognizes the role federal procurement can play in getting vendors to do their part in the cyberspace ecosystem by focusing new attention on the potential vulnerabilities in the global supply chain — by requiring language in actual contract specifications, not just the Federal Acquisition Regulation, that addresses the integrity of products delivered to the government.

And it would at last do away with a central flaw of FISMA, by removing the outdated manual reporting requirement that wastes, by some estimates, $500 million every year, and replacing it with a requirement to move toward continuous automated monitoring and a foundation for dynamic cyber defense.

One provision of the bill, not surprisingly, has stirred up vocal concern in industry because it would give the president sweeping authority to order companies to take specific security actions to protect private networks from possible cyberattacks.

The concern is that government is too slow to respond and shouldn’t be telling the private sector how to manage its risks. Admittedly, DHS still has a way to go to prove itself. But the bill would actually help DHS better execute its charge to coordinate the situational awareness and forensics activities needed to respond to national cyberattacks. The intent of the legislation is to isolate catastrophic threats. That should actually provide incentives for key industry players to work more closely with DHS for the greater good, which is what this bill is about and why it deserves to reach the president’s desk and become law.


About the Author

Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.

Reader Comments

Wed, Jun 23, 2010 Michael Hamilton CISO

Hey Feds! The organizational average in the private sector is that the information security budget is 4-7% of the IT budget. So how come the bill doesn't specify that any grant funding must allocate 5% to information security controls? Seems easy. You must have stupid advisers.

Mon, Jun 21, 2010 Airborne All the Way Springfield, Virginia

Dear Mr. Kash,

The bill you reference actually embodies "regulatory capture!" If a proposition is true then you can insert other terms in it and it still remains true. Base 10 math 2+2=4.

With that idea in mind, suppose for the heads of the 19 agencies we substituted the 19 largest bank holding companies (BHCs) in America and for NIST and the OMB, we substituted the Federal Reserve Board (FRB), FDIC, OCC, and the SEC. For the OIG, we substituted the FRB, FDIC, & OCC BS&R oversight of the 19 BHCs. The 19 BHCs would write their own regulations and exam themselves using methods they specify to report to the US Congress. Further we stated that every two years the BS&R group could audit the 19 BHCs but only using exam methods that the 19 BHCs specified.

If the above description sounds crazy to you, then the proposed cyber security bill is equally crazy.

Sincerely,

Airborne All the Way

Mon, Jun 21, 2010 Blog Smith

Sure, nothing to worry about here: http://blogsmithconsulting.blogspot.com/2010/06/lieberman-us-internet-should-imitate.html Lieberman: The U.S. Internet Should Imitate China

Mon, Jun 21, 2010 D.W. Williams

I'm with Dieter on this bill. Its intention isn't even close to what is being stated. Ultimately, the Feds want total and absolute control . . . so they can control the information. If it weren't for the Internet, we wouldn't get both sides of the story on what is going on in local, national and international affairs. This all goes back to Benjamin Franklin's quote. I'll paraphrase: If you're willing to give up some liberty for the sake of security, you deserve neither. It IS as simple as that. Too bad most just don't get it anymore.

Sun, Jun 20, 2010 Dieter Kluge

You obviously haven't thought out the implications of this bill and more than likely haven't even read the summary. This bill will essentially give the president the power to shut off the internet if his new appointee deems it necessary. This is the last thing we need as a nation. This bill is nothing but ill-informed politicians taking advantage of the fear of potential "cyber warfare". What we need is a better defence capability and an offensive force in the cyber realm. In a time of crisis we do not need our communication to the world taken away. I'm sure you agree that it was a good thing that Iran still had internet communications when the government took away all other forms of communication. Not to mention the impact shutting off the internet would have on businesses. This bill requires ISPs to comply with DHS when they deem it necessary to cut off citizens' internet connections. This kind of power should not be put into the hands of a few. This one fact nullifies anything good that may be in the bill, but it will slide through like so many because this terrible part will be camouflaged by the good. THINK!
