Two new bills have been introduced in the Senate. One would create a new cabinet-level position of national cyber security advisor. The second gives that person sweeping powers to control cyberspace. Sound like a good idea? You tell me.
I've read both bills and they seem to make sense on the surface. Yet, I'm puzzled. Should something as powerful as a bill being introduced to the Senate use ambiguous terms? For example, the bill creating the National Cybersecurity Advisor position explains that the advisor:
"Shall furnish timely and appropriate recommendations, information, and advice to the President in connection with the administration and execution of laws of the United States relating to cybersecurity and otherwise assist the President in the administration of such laws."
So this person is going to be in charge of cyber security. What does that mean? I know that cyber security has been used as a buzz word for many years now. Still it's a buzz word and nowhere in either bill was the term cyber security explained. Neither was cyberspace and that term was used just as much.
That seems odd; it should be second nature for legislators steeped in debate to define important terms. So I spent several hours researching and couldn't find an official .gov definition for cyberspace or cyber security. Hopefully, I'm just looking in the wrong places and somebody will straighten me out. Until that time, I'd like to start the ball rolling by offering some unofficial definitions I did find.
Cyberspace
"Cyberspace: A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding."
Sound about right? Well, maybe not. I'd be remiss if I didn't include the Wikipedia definition of cyberspace:
"Cyberspace is the global domain of electro-magnetics accessed through electronic technology and exploited through the modulation of electromagnetic energy to achieve a wide range of communication and control system capabilities."
One of the more official definitions I found was used in the 2003 report "The National Strategy to Secure Cyberspace" written by the Department of Homeland Security (DHS):
"Our Nation's critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system - the control system of our country. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow our critical infrastructures to work."
I can't see legislators using the Wiki definition, so for their sake we will use the DHS version for now.
Cyber security
Unlike cyberspace, I couldn't find cybersecurity in any of the dictionaries I checked. It appears that most organizations split cybersecurity into two words. The most appropriate individual definitions I could find were given by the On-Line Dictionary of Computing where I had to take literary license and stretch cyber into:
"The use of cybernetics, which is the general study of control and communication systems in living organisms and machines, especially the mathematical analysis of the flow of information."
The On-Line Dictionary of Computing defines security as:
"Protection against unauthorized access to, or alteration of, information and system resources including CPUs, storage devices, and programs."
The United States Computer Emergency Readiness Team (US-CERT) gets my vote for the best explanation of cyber security:
"It seems that everything relies on computers and the Internet now - communication (email, cellphones), entertainment (digital cable, mp3s), transportation (car engine systems, airplane navigation), shopping (online stores, credit cards), medicine (equipment, medical records), and the list goes on. How much of your daily life relies on computers? How much of your personal information is stored either on your own computer or on someone else's system?
Cyber security involves protecting that information by preventing, detecting, and responding to attacks."
I was surprised to learn that Wikipedia doesn't have a page for cyber security; it redirects to a page defining computer security, and that explanation isn't inclusive enough to serve our purpose. US-CERT's explanation does, which is fitting, as US-CERT is tasked with providing response support and defense against cyber attacks.
I wonder how these definitions compare to what the bill's authors understand cyberspace and cyber security to be. It'd be nice to be on the same page. Well, at least we have an idea as to what they should mean, so let's tear into the bill and see what it's about.
Cybersecurity Act of 2009
Sen. John Rockefeller and Sen. Olympia Snowe are the two senators that proposed both the bill for creating the cyber security cabinet position as well as the bill titled Cybersecurity Act of 2009. The purpose of the second bill is brought to light in the prologue:
"To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes."
Quoting commissioned reports and experts
The bill starts out by providing numerous quotes chosen to point out the sad state of current cyber security. Here are some examples. According to the 2009 Annual Threat Assessment (pdf):
"A successful cyber attack against a major financial service provider could severely impact the national economy, while cyber attacks against physical infrastructure computer systems such as those that control power grids or oil refineries have the potential to disrupt services for hours or weeks" and that "Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector."
The bill's authors relied heavily on the 08 December 2008 report titled "Securing Cyberspace for the 44th Presidency" that cited three major findings:
- Cybersecurity is now one of the major national security problems facing the United States.
- Decisions and actions must respect American values related to privacy and civil liberties.
- Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.
OK, that's what we have now. Next let's focus on how the bill will improve the situation.
Licensing and certification
What should be of interest to us IT types is the provision mandating the licensing and certification of cybersecurity professionals:
"Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals."
Secure DNS
Since many parts of the federal government are currently initiating the use of DNSSEC, I guess I don't understand why this bill puts forth such a feeble attempt at making secure DNS mandatory. The bill only mentions that:
"Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system."
Three years to figure out what to do? That's not good; DNS spoofing is fast becoming a cyber weapon of choice.
Cyber security research
The National Science Foundation will be given responsibility to research all aspects of cyber security, giving priority to computer and information science in the following areas:
- How to design and build complex software intensive systems that are secure and reliable when first deployed.
- How to test and verify that software, whether developed locally or obtained from a third party, is free of significant known security flaws.
- How to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality.
- How to guarantee the privacy of an individual's identity, information, or lawful transactions when stored in distributed systems or transmitted over networks.
- How to build new protocols to enable the Internet to have robust security as one of its key capabilities.
- How to determine the origin of a message transmitted over the Internet.
- How to support privacy in conjunction with improved security.
- How to address the growing problem of insider threat.
To me this part of the bill is good news and can't come soon enough.
NIST compliance
The bill empowers the National Institute of Standards and Technology (NIST) to develop metrics and compliance testing to make sure the entire infrastructure is functioning in a secure manner:
"Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal government, government contractor, or grantee critical infrastructure information systems and networks"
Security experts seem to be pleased with this section of the bill since NIST is well positioned to do this and has much of the required structure in place already.
Internet switch
Any time disabling the Internet is talked about, it raises controversy, and this bill is no exception. Page 43 line 17 of the bill explains the new powers that will be given to the Executive branch. Most make sense and aren't new or unusual, but two lines make up for that:
- May declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network.
- May order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security.
NetworkWorld's John Fontana has written an article titled "Cries of protest, censorship greet news of cybersecurity bill" which highlights how people feel when the term disconnection and "in the interest of national security" are both used in the same sentence:
"You would be amazed at what the government can consider national security. Let's see. A report about black water goes public on CNN. Government feels report undermines its authority. Next thing you know, CNN is disconnected from the world due to national security."
Final thoughts
I think we can all agree that something has to be done to increase on-line security for both public and private entities. It appears that's what these bills are attempting to do. I also understand that the documents are preliminary and obviously need a lot of help. That is why we need to stay on top of what's being decided on our behalf; otherwise we all may lose something special.
TechRepublic's IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.