Sunday, February 07, 2010

Another Cybersecurity Bill; Yawn

And so now yet another cybersecurity bill is seeing the light of day as H.R. 4061 has just cleared the House.  Based on my reading, the bill authorizes, but doesn't appropriate, funds for cyber security research, an agency-by-agency review of cyber security skills and scholarships, and more NIST guidance work, including an effort to harmonize security standards internationally, something NIST has already been pursuing for several years.  While more funding for cyber security is usually a good thing, that's about all the bill does.  Everything else is already being done.  In fact, I understand that the Senate is looking to wrap this in with one of its appropriations bills.  The most telling sign of the bill's underwhelming nature is that it passed 422-5.  That ranks up there with the naming of post offices in terms of lacking any controversy.

As a New York Times article notes, the Obama budget actually cuts the cyber security division in DHS where most of the cross government cyber security efforts are spearheaded.  That doesn't bode well for a bill whose only distinguishing characteristic is more funding.

The suggestion that the government needs to hire 1000 more "cyber warriors" has been bandied about by various government officials with little idea of what those folks would do or how they would be paid for.  As has been frequently pointed out, most of our critical infrastructure, and much of what hackers are interested in, is owned and operated by the private sector.  The parts of the government most at risk, mainly the military and intelligence communities, are much further along in both protecting their infrastructure and providing appropriate staffing.  Even there, however, there is a mismatch.

Most of the top technical skills they're looking for, such as malware analysis, exploit development, and penetration testing, are held by individuals who command salaries above the government GS scale and who would not likely want to sit in windowless rooms all day examining network traffic they can't talk about.  Contractors will inevitably fill some of this void, but they're also having a hard time keeping talent while still fitting under the often rigid rate structures the government demands.  Right now the going rate for a strong penetration tester with about 5 years of experience in IT/security exceeds $100K in many markets.

I do believe that we will be able to implement appropriate security controls for the federal government, that a sufficient amount of staff will eventually be hired, and that many of them will simply need to grow into the needed skills on the job.  However, I do not believe the federal government will ever be able to provide operational support for cyber security matters to the private sector.  Guidance on control frameworks and funding for research are useful endeavors.  But the government is simply not structured to advise the private sector on evolving threats in a timely manner.  Even if it had timely information, it would not be able to share it.  It's hard enough sharing information among federal agencies, as the December 25 attempted bombing of the Northwest flight demonstrated, but providing actionable information to the private sector is next to impossible.  Moreover, it is highly unlikely that private sector organizations will share the needed information on incidents that affect them.  The fear of fines and unwanted regulator attention has all but precluded those activities.

Unlike physical security, where jurisdiction is easy and techniques are well understood and slower to change, I don't believe the government will ever be able to protect us from cyber security threats, other than by making a few arrests in the more serious cases or where the hackers are idiots.  The FBI and Justice Department should be congratulated for the busts they have made.  However, things are only going to get harder.  The source of timely threat information and the development of defenses will need to reside predominantly in the private sector.  There simply is no other way, in my opinion.

1 comment:

Mike Ahmadi said...

Good point about the private sector having to take the lead. The biggest issue I see is that the private sector is still waiting for the standards to become solidified (i.e. NISTIR-7628), and nobody seems to know what direction it may go. If, for example, regulations mandate FIPS 140-2 components, then it may not be prudent to build with components that are not compliant. If it is not mandated, the high cost of such components makes it difficult to compete.

The private sector, I believe, is pretty damn good at knowing what to do to achieve a given level of security. What it ultimately comes down to is how much money is available to pay for the requisite security. Where government obviously can help is in solidifying standards (which, in and of itself, is a huge challenge), and then providing funding.

This would lead to a commoditizing of the market, which can lead to stagnation, but at least everyone is on the same page.