A bill proposed by Senator John Edwards (D-North Carolina) would force federal CIOs to increase the cybersecurity of their departments to an acceptable level—or else. The bill (S.187) was introduced on Jan. 16 by Edwards, who is running for the Democratic presidential nomination. It calls on the National Institute of Science and Technology (NIST) to create guidelines for identifying information security vulnerabilities and to prescribe ways of alleviating them.
If the bill becomes law, federal CIOs would be responsible for quarterly reviews of their departments and would be required to issue annual reports to the Office of Management and Budget (OMB) outlining their findings. Under the bill, the Secretary of Commerce could compel federal CIOs to implement the NIST procedures.
The bill signals a significant shift from previous cybersecurity legislation, said Dan Burton, vice president of government affairs for Entrust, an Internet security vendor.
If it becomes law, he said, for the first time outsiders would be empowered to compel agencies being scrutinized to employ specific measures. Existing laws that deal with cybersecurity and the government—most notably the Federal Information Security Act (FISA) and the Government Information Security Reform Act (GISRA)—are simply frameworks for assessment and internal remedial work, Burton said.
“[The agency] has got to tell NIST, and NIST is going to tell you how to get rid of these things, include a checklist, and in fact may mandate use of these guidelines,” Burton said. “That’s a big change. If they don’t feel the agency has acted appropriately, they can mandate.”
In an e-mail response to questions, Edwards said that the situation is serious. “Organized crime networks are already using cyberspace to attack American interests, and terrorists are anxious to get in on the action. Our computer systems are vulnerable, and we must act now to shore up our defenses.”
Everyone agrees with the bill’s goal of making federal agencies safe from hackers, viruses, and information terrorists. “It’s hard to argue with guidelines that ask people to establish and assess the vulnerability of the IT infrastructure, map out a plan on how to meet those challenges, and do a follow-on investigation to make sure they are meeting the objectives,” said John Worrall, vice president of worldwide marketing for RSA Security, an Internet security firm.
Edwards—while acknowledging that steps have been taken to protect systems from cyberattacks—said that the current situation is unacceptable. “In a recent report, the congressional Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations flunked 16 federal agencies on their computer security efforts,” Edwards said. “Critical departments such as Defense, Transportation, Health and Human Services, and Energy, as well as the Nuclear Regulatory Commission, all received Fs.” (Relevant materials can be found at gao.gov, using GAO-03-303T as a search term.)
However, some suspect a political agenda linked to Edwards’ presidential run. “I think that’s the driver to it,” said Ken Hilving, a consultant with Schooley Mitchell Telecom Consultants.
Hilving said that the bill was poorly written in a number of ways. For instance, he pointed to a statement in the bill that appears impressive: “The number of cyber attacks on Federal Government systems in 2001 was 71 percent greater than the number of such attacks on such systems in 2000.”
“To me, that’s a case of ‘lies, damn lies, and statistics,’” Hilving said, invoking a quote variously attributed to Mark Twain and Benjamin Disraeli. “The percentage is really meaningless. Seventy-one sounds huge, but without the actual numbers, it’s a meaningless number.”
In the bigger picture, Hilving takes exception to what he feels is the subtext of the bill, which is that federal cybersecurity is lax. “I disagree with the premise that they are wide open, which is the attitude of this,” Hilving said. “I don’t believe that is the case at all. Yes, there are susceptibilities. Every system in the world is susceptible. But that doesn’t mean it is wide open, by any means.”
Finally, Hilving said that procedures are in place today that can do much of the job the Edwards bill is aimed at. The first step, he said, would be to more tightly control the contact points between internal government systems and the Internet. “I know that’s not being done today,” he said.
Entrust’s Burton doesn’t share the view of some who say that similar laws already are on the books. “We’re going to see a lot more mandates like this if we don’t make rapid progress in shoring up our cybersecurity,” Burton said. “It’s interesting in and of itself; it’s more interesting as an indicator.”