With the amount of cybersecurity legislation being proposed these days, one would think that someone would come up with an innovative and fresh perspective on the issue. Unfortunately, we’ve been largely subjected to more of the same attempts to give the issue more prominence by creating new bureaucracy and slightly more funding and offering largely symbolic mechanisms to respond to incidents. As an example, the bill entitled “Protecting Cyberspace as a National Asset Act of 2010,” S. 348, offers great promise but falls short when examined more closely.
Among other things, the bill would create “an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director.” And while I like the fact that the newly created office will have the power to review the cybersecurity budgets of federal agencies, it is only an advisory power, which presumably DHS could exercise right now if it wanted to. Moreover, the enforcement power seems a little weak:
"(4) if the policies or activities of a Federal agency are not in compliance with the responsibilities of the Federal agency under the National Strategy— (A) notify the Federal agency; (B) transmit a copy of each notification under subparagraph (A) to the President and the appropriate congressional committees; and (C) coordinate the efforts to bring the Federal agency into compliance;"
We already have inspectors general who are supposed to perform this function, as well as GAO. I'm not sure why adding another oversight body, which will presumably be underfunded anyway, will make much of a difference. In the end, agencies will just end up punishing those who have been pleading for more funding when there are audit findings. While we can hope that the Cyberspace Policy Office will be able to force more funding, I'm not optimistic given the current budget constraints. Moreover, much of the language encourages CYA behavior by agencies, which may just lead to the generation of more useless paperwork in response to endless audits. Additionally, more extensive monitoring, which is generally a good thing, will likely lead to the discovery of more compromises that went unnoticed before, leading to more finger pointing, more audits, and less time spent actually securing systems. The better solution is more individual accountability, which is hard to achieve with CIOs and CISOs bouncing from one agency to another.
On the private sector side, there is even less to be excited about. Like most previous bills, the Lieberman bill tries to thread the needle by attempting to give the federal government more authority to act in an emergency without taking over private assets. And according to National Journal, the bill is not intended to provide a "kill switch" for Internet connections but instead provides other mechanisms. "Such actions might include ordering a private sector operator not to accept incoming traffic from a particular source, Lieberman said." Of course, without a mechanism to force DHS and other agencies to declassify, de-SBU, or de-FOUO such information, one may wonder whether private sector organizations will ever get the instructions needed to block the source. Moreover, private sector organizations have been clamoring for such actionable information for some time. Few of them would need to be forced to block such sources of attack. That is already being done regularly through informal relationships between government and private sector entities, facilitated by groups such as the Forum of Incident Response and Security Teams (FIRST). What we don't see is any evidence of private sector organizations refusing to take a specific action based on government recommendations. Instead, what is missing are specific recommendations from government based on threats occurring in real time. This legislation does nothing to force that to happen. Moreover, by the time the government has decided what action to take, the private sector organization will probably have already taken the needed action, or it will be too late.
Finally, the language on liability protection seems a bit troubling. According to CNET, "If there's an ‘incident related to a cyber vulnerability’ after the president has declared an emergency and the affected company has followed federal standards, plaintiffs' lawyers cannot collect damages for economic harm. And if the harm is caused by an emergency order from the Feds, not only does the possibility of damages virtually disappear, but the US Treasury will even pick up the private company's tab." First of all, the government has little knowledge of the private sector's business processes, and while this defense falls within the common law principles of public necessity, this is hardly as simple as tearing down a house to keep the entire city from catching fire. Private sector entities will likely use the emergency declaration as a fig leaf to imply that all their actions or failures to act were dictated by the emergency declaration and that the government's failure to prescribe other actions was intentional and precluded them from taking such actions. Do we really want private sector, or even public sector, organizations blindly accepting an order from DHS and not being held accountable for failing to tell the government about the potential consequences? For example, what happens if the government asks an oil pipeline operator to block a TCP port that the operator uses to monitor pressure in the pipeline and, as a result, the pipe bursts and millions of gallons of oil spill into an environmentally sensitive area? Do we want the government to take all the heat for something like that when the pipeline operator knew about the potential consequences?
I hate to pour cold water on all these seemingly genuine, but misguided, efforts to improve cybersecurity, but I've yet to see any evidence that the federal government is capable of doing more than providing intelligence and thought leadership to the private sector and funding research and development into new security technologies. The only other option is laws that demand accountability, but so far we don't seem to be very good at that either, if the financial sector reforms are any guide. Moreover, we can't even definitively say what controls and funding are needed for a given organization to prevent a compromise with any degree of actuarial reliability.