Tuesday, June 15, 2010

More Cybersecurity Bills, More of the Same

With the amount of cybersecurity legislation being proposed these days, one would think that someone would come up with an innovative and fresh perspective on the issue.  Unfortunately, we've been largely subjected to more of the same: attempts to give the issue more prominence by creating new bureaucracy and slightly more funding, and offering largely symbolic mechanisms to respond to incidents.  As an example, the bill entitled "Protecting Cyberspace as a National Asset Act of 2010," S. 3480, offers great promise but falls short when examined more closely.

Among other things, the bill would create "an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director."  And while I like the fact that the newly created office would have the power to review the cybersecurity budgets of federal agencies, that power is only advisory, which presumably DHS could exercise right now if it wanted to.  Moreover, the enforcement power seems a little weak:

"(4) if the policies or activities of a Federal agency are not in compliance with the responsibilities of the Federal agency under the National Strategy— (A) notify the Federal agency; (B) transmit a copy of each notification under subparagraph (A) to the President and the appropriate congressional committees; and (C) coordinate the efforts to bring the Federal agency into compliance;"

We already have inspectors general, as well as GAO, who are supposed to perform this function.  I'm not sure why adding another oversight body, which will presumably be underfunded anyway, will make much of a difference.  In the end, when there are audit findings, agencies will just end up punishing the very people who have been pleading for more funding.  While we can hope that the Office of Cyberspace Policy will be able to force more funding, I'm not optimistic given the current budget constraints.  Moreover, much of the language encourages CYA behavior by agencies, which may just lead to the generation of more useless paperwork in response to endless audits.  Additionally, more extensive monitoring, which is generally a good thing, will likely lead to the discovery of more compromises that went unnoticed before, leading to more finger pointing, more audits, and less time spent actually securing systems.  The better solution is more individual accountability, which is hard to achieve with CIOs and CISOs bouncing from one agency to another.

On the private sector side, there is even less to be excited about.  Like most previous bills, the Lieberman bill tries to thread the needle by giving the federal government more authority to act in an emergency without taking over private assets.  According to National Journal, the bill is not intended to provide a "kill switch" for Internet connections but instead provides other mechanisms: "Such actions might include ordering a private sector operator not to accept incoming traffic from a particular source, Lieberman said."  Of course, without a mechanism to force DHS and other agencies to declassify such information, or to strip its Sensitive But Unclassified (SBU) or For Official Use Only (FOUO) markings, one may wonder whether private sector operators will ever get the instructions needed to block the source.  Moreover, private sector organizations have been clamoring for such actionable information for some time.  Few of them would need to be forced to block such sources of attack.  That is already being done regularly through informal relationships between government and private sector entities, facilitated by groups such as the Forum of Incident Response and Security Teams (FIRST).  What we don't see is any evidence of private sector organizations refusing to take a specific action based on government recommendations.  What is missing are specific recommendations from government based on threats occurring in real time, and this legislation does nothing to force that to happen.  Moreover, by the time the government has decided what action to take, the private sector organization will probably have already taken the needed action, or it will be too late.

Finally, the language on liability protection seems a bit troubling.  According to CNET, "If there's an 'incident related to a cyber vulnerability' after the president has declared an emergency and the affected company has followed federal standards, plaintiffs' lawyers cannot collect damages for economic harm. And if the harm is caused by an emergency order from the Feds, not only does the possibility of damages virtually disappear, but the US Treasury will even pick up the private company's tab."  First of all, the government has little knowledge of the private sector's business processes, and while this defense falls within the common law principle of public necessity, this is hardly as simple as tearing down a house to keep an entire city from catching fire.  Private sector entities will likely use the emergency declaration as a fig leaf, implying that all of their actions or failures to act were dictated by the declaration and that the government's failure to prescribe other actions was intentional and precluded them from taking those actions.  Do we really want private sector, or even public sector, organizations blindly accepting an order from DHS and not being held accountable for failing to tell the government about the potential consequences?  For example, what happens if the government orders an oil pipeline operator to block a TCP port that the operator uses to monitor pressure in the pipeline, and as a result the pipe bursts and millions of gallons of oil spill into an environmentally sensitive area?  Do we want the government to take all the heat for something like that when the pipeline operator knew about the potential consequences?
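The "block traffic from a particular source" mechanism described above and the pipeline scenario are two faces of the same operational problem: before an externally issued blocking order is applied, it has to be matched against the inbound flows the operator knows it cannot afford to lose, and anything critical has to go back to the issuer in writing before a rule changes.  The following Python is an added example, not code from the original post or from the bill; the directive format, the flow inventory, the pipeline operator, and every address (RFC 5737 documentation ranges) and port are constructed for illustration.

```python
"""
Impact check for a "do not accept traffic from X" directive.

Added example; not part of the original post or the bill.  The directive
shape, the flow inventory and all addresses/ports below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One inbound flow the operator depends on (constructed inventory entry)."""
    name: str
    src: str          # peer network in CIDR form
    dst_port: int
    proto: str        # "tcp" or "udp"
    critical: bool    # True when losing the flow has physical or safety impact


@dataclass(frozen=True)
class Directive:
    """A blocking order; None in a field means 'match anything' (assumed shape)."""
    src: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None


# Constructed inventory for a hypothetical pipeline operator.  The telemetry
# entry is the flow from the post: lose it and nobody sees the pressure readings.
INVENTORY = [
    Flow("field RTU telemetry (DNP3)", "198.51.100.0/24", 20000, "tcp", True),
    Flow("vendor remote support VPN", "203.0.113.5/32", 4500, "udp", False),
    Flow("public web portal", "0.0.0.0/0", 443, "tcp", False),
]


def _matches(d: Directive, f: Flow) -> bool:
    """True when the directive, as written, would drop flow f."""
    if d.src is not None and not ip_network(d.src, strict=False).overlaps(
            ip_network(f.src, strict=False)):
        return False
    if d.dst_port is not None and d.dst_port != f.dst_port:
        return False
    if d.proto is not None and d.proto != f.proto:
        return False
    return True


def affected_flows(d: Directive, inventory: List[Flow]) -> List[Flow]:
    """Every inventoried flow the directive would cut, critical or not."""
    return [f for f in inventory if _matches(d, f)]


def assess(d: Directive, inventory: List[Flow]) -> Tuple[str, List[str]]:
    """
    Decide whether to apply the order as written or escalate it.

    Returns ("APPLY", []) when no critical flow is hit, otherwise
    ("ESCALATE", [names of critical flows]) so the operator can tell the
    issuer exactly what the order would break before anything changes.
    """
    critical = [f.name for f in affected_flows(d, inventory) if f.critical]
    return ("ESCALATE", critical) if critical else ("APPLY", [])


def to_iptables(d: Directive) -> List[str]:
    """
    Render an applied directive as iptables DROP rule(s).

    iptables only accepts --dport together with -p, so a port-only order
    expands to one rule for tcp and one for udp.
    """
    protos = [d.proto] if d.proto is not None else (
        ["tcp", "udp"] if d.dst_port is not None else [None])
    rules = []
    for proto in protos:
        parts = ["iptables", "-A", "INPUT"]
        if d.src is not None:
            parts += ["-s", d.src]
        if proto is not None:
            parts += ["-p", proto]
            if d.dst_port is not None:
                parts += ["--dport", str(d.dst_port)]
        parts += ["-j", "DROP"]
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    orders = [Directive(src="192.0.2.0/24"),             # hostile netblock
              Directive(dst_port=20000, proto="tcp")]    # "block that port"
    for d in orders:
        verdict, broken = assess(d, INVENTORY)
        print(d, "->", verdict, broken)
        if verdict == "APPLY":
            print("\n".join(to_iptables(d)))
```

An ESCALATE verdict is the point at which the operator owes the issuer the consequence the post describes, before any rule changes; an APPLY verdict still records the non-critical flows that will be lost, so there is a written trail showing what the operator knew when it complied.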

I hate to pour cold water on all these seemingly genuine, but misguided, efforts to improve cybersecurity, but I've yet to see any evidence that the federal government is capable of doing more than providing intelligence and thought leadership to the private sector and funding research and development into new security technologies.  The only other option is laws that demand accountability, but so far we don't seem to be very good at that either, if the financial sector reforms are any guide.  Moreover, we can't even say definitively what controls and funding are needed for a given organization to prevent a compromise with any degree of actuarial reliability.
