CYBEREYE

Security reform? What security reform?

Government, industry still waiting for clear policy on cybersecurity, but it's not likely to emerge soon

Cybersecurity has been a hot topic for the past couple of years. It has assumed a high profile in the Obama administration, with a cybersecurity coordinator installed in the White House. A number of bills have been introduced in the House and Senate that would lay out clearer lines of authority for information security. After years of carping about the shortcomings of the Federal Information Security Management Act, it seemed likely that Congress would pass some kind of FISMA reform.

But here we are in the closing weeks of the 111th Congress and nothing has happened. That might not be such a bad thing — it might be better to do nothing than to pass the wrong legislation.

The issue is not quite dead. A comprehensive cybersecurity bill, S. 3480, introduced by Independent Sen. Joseph Lieberman of Connecticut and Republican Sen. Susan Collins of Maine, has passed out of committee but has not been acted on by the full Senate. The sitting Congress still has time to consider the bill during the short session, which Collins urged it to do Nov. 17 during a cybersecurity hearing before the Homeland Security and Governmental Affairs Committee. “I personally think it is an ideal issue for the lame duck Congress to take up,” she said.

Lieberman expressed little hope that the bill would be passed by this Congress, however. “It’s unfortunate that the clock will run out on us before we have a chance to complete negotiations with other committees and with the administration, who I regret to say did not engage as early in the process of developing this legislation as was necessary,” he said.

Several companion bills already are pending on the House side, and in a last-minute Hail Mary effort, Rep. Bennie G. Thompson (D-Miss.), chairman of the House Homeland Security Committee, introduced a new bill last week, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2010, H.R. 6423. The bill would give the Homeland Security Department the authority to establish and enforce risk-based information security standards for government IT systems as well as for private-sector systems designated as critical infrastructure.

This bill is not a companion to the Lieberman-Collins bill in the Senate, a spokeswoman for Thompson said. “It’s quite different,” and is not intended to facilitate last-minute passage of cybersecurity legislation in both houses, she said. Thompson had been considering introducing a bill this year, and this bill puts him on record with what he is proposing while he still chairs the committee.

It is unlikely that either bill will make it through both houses during a lame-duck session that still has to do something about a federal budget and is wrestling with issues like “don’t ask/don’t tell.”

It is impossible to say at this point what the appetite and ability of the next Congress will be to pass cybersecurity legislation. A few things clearly are needed in this area — most importantly, some clear lines of authority. DHS has been given the nominal lead for civilian government IT security, but little or no authority. By default, the Office of Management and Budget has been doing the heavy lifting through FISMA.

But securing the private-sector portion of the critical infrastructure is more problematic. Standards and help from government are needed, but mandates and regulatory enforcement could do more harm than good.

Outspoken IT consultant Tony Summerlin recently called provisions in the Lieberman-Collins bill for government oversight of private systems “just short of insane,” and said government first needs to put its own house in order.

“Before they start regulating industry, perhaps they ought to do something about the 30,000 Chinese crawling over their networks every day,” Summerlin said.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Jan 6, 2011

How about a GED, college major or graduate degree with emphasis on cyberspace security that should be offered in more colleges? The generation of online social networking, particularly the young, would become aware and perhaps more discreet than they are now if they comprehend the risks. Classroom discussions on research/homework and personal experience will enhance awareness and establish best practices. In addition, a profession in cybersecurity could be a stable IT career that will perhaps stay in the US as well as be marketable globally.

Wed, Dec 1, 2010 StrangeLoop

We need one of those thousand-page comprehensive reform bills that no one has read. That way, everyone could do whatever they wanted, and it would be OK - or not, but no one would know.

Mon, Nov 22, 2010 Jeffrey A. Williams

Cybersecurity and what it is, should be, can be and/or will become is and has been an ongoing debate for many years now. The problem is that the threats are always changing and 'one size fits all' doesn't and never has worked very well. Such an approach never will, but still folks want to know that that sort of stability is maintained. Legislation cannot 'fix' the problem; only good ongoing research, deployment of that research, and really good white hat hackers filling the gaps will keep public, private, and government secrets or PII data secure.

Mon, Nov 22, 2010 CYBERSECADVOCATE

Geez,
How lame is this...the damn Republicans, Democrats and Independents can't craft a basic bill that would enable basic common sense security. This is a bad joke on the taxpayers. This is the same insanity that led to the bombing of the twin towers on 9/11. People in the government saw it coming and just couldn't get their act together. Also, there is no mention of local, county and state enterprise infrastructure; DUH!
Many jurisdictions in this country are host to tens of thousands of DOD workers and other National Critical Infrastructure facilities, and those governments require their enterprise networks to be secure as well, to ensure first responder supporting IT technology is available if needed. If the Federal Gov can't get a bill written and passed in 2010, at least they could allocate grants for cyber security so the more nimble local, county and state governments can begin to fund better security of their networks. OH YEAH, by the way, change the damn grant process so any local, county or state government that wins a grant must commit to funding freshmen and sustainment of the CAPX funds for at least ten years.
Good Federal Government isn't rocket science...it just takes thoughtless dedication by individuals willing to work together...any qualified volunteers out there?

Mon, Nov 22, 2010

The end user remains one of the main threats to security. Sensitive records are dropped on a flash drive that gets reused and reused until it is lost. Files are e-mailed outside of the parent organization with no check of the identity of the recipient, much less encryption of the attachment, etc.
