Cyber seems to be one of the buzzwords in Washington these days, with the recent botnet attacks generating a lot of extra noise. This has included at least one rather bellicose response from a US Representative who either is reading much more interesting information than the rest of us, or is not reading anything at all.
Meanwhile, in the background, various bits of legislation are being worked on by several committees in both the House and Senate to address various aspects of the perceived problems. Two notable instances are legislation proposed by Senator Rockefeller and others that followed closely after my testimony before their committee. I have heard that at least one of these pieces of proposed legislation is being revised, and will be reintroduced. Back in April, I sent comments on both proposed bills to committee staff, but never heard a response. I hope my input had some impact.
It occurred to me that I did not blog about the legislation or my comments. So, to correct that oversight, you will find the enclosed, which are my original comments with some newer perspective gained over the last few months. You can find the text of these bills via Thomas.
(I will post a follow-up when I see what the revised bills are like.)
The National Cybersecurity Advisor Act of 2009, S. 778
This proposed legislation, cosponsored by Senators Snowe, Bayh and Nelson, was a bit of a puzzle to me when it was introduced. The timing was such that the President's 60-day review report had not yet been delivered, and so it seemed premature to me. However, in retrospect, the 60-day review didn't end up suggesting a powerful office within the EOP for cyber, and so this bill was right on target.
The bill would establish an office of National Cybersecurity Advisor , with the head of that office reporting directly to the President. That person would have authority to hire consultants, consult with any Federal agency, approve clearances of personnel related to cyber, and have access to all classified programs relating to cyber. More importantly, the advisor "...shall review and approve all cybersecurity-related budget requests submitted to the Office of Management and Budget" and would "...serve as the principal advisor to the President for all cybersecurity-related matters." Both of these would be an improvement over the suggestions in the final 60-day review.
The bill has had two readings and has been referred to the Committee on Homeland Security and Governmental Affairs.
(I note that the 60 day review would have been delivered to the President on April 9. It is now more than 3 months later, and still no appointment of the cybersecurity cheerleader proposed by that document.)
The National Cybersecurity Act of 2009, S 773
This was also introduced before the 60-day review was released. It contains 23 sections. It has been read twice and referred to the Committee on Commerce, Science, and Transportation. It also is cosponsored by Snowe, Nelson and Bayh.
Sec. 1: Title And Table Of Contents.
Pro forma material.
Sec 2: Findings
This is a section devoted to bits of information that justify the bill. Several people are cited for things they have said on the topics; I was not one of them, although Purdue was mentioned in point 13, and the PITAC report I helped prepare was listed in point 14.
Sec 3: Cybersecurity Advisory Panel
This section defines the creation of a high-level, Presidential advisory panel. The panel will be composed of individuals from a broad cross-section of society, and will provide the President with advice on strategy, trends, priorities, and civil liberties related to cyber security. The panel will be required to provide a report at least once every 2 years.
This looks to be well-designed and potentially very useful. Panels such as this depend on the alacrity with which a President appoints appropriate members, whether those members actually get something useful done, and whether the President heeds their advice. But at least this framework is off to a good start.
Sec 4. Real-time Cybersecurity Dashboard
The Secretary of Commerce is mandated to develop a "real-time dashboard" within a year. This dashboard is supposed to show the cybersecurity status and vulnerability information of all networks managed by the Department of Commerce.
This is quite puzzling. It isn't clear to me why this is restricted to Commerce, although notes I have from staff indicate that the intent is to serve as a pilot for other parts of government. But that isn't the end of the puzzle. Who is supposed to view this dashboard? What do they do after they see something on it? And what the heck does it really measure? (Hopefully not a dynamic FISMA score!)
Of course, I can't help noting that having one location to collect and display vulnerability information is a very bad idea.
Sec 5. State And Regional Cybersecurity Enhancement Program
This section describes the creation of a set of centers around the country to assist small businesses with cybersecurity. It is modeled on the Hollings Manufacturing Extension Partnership (MEP) and would be run by the Department of Commerce. The centers would receive up to 1/2 of their initial funding from the Federal government, with the rest to come from states, regional groups, and fees paid by members. The centers would provide expertise and resources to small companies.
Although I have some misgivings about this, it is the best suggestion I have seen yet on how to get cybersecurity technology out to small businesses in an affordable manner. I was not familiar with this program and had suggested something similar to our agricultural extension model, so this is in keeping with that. The questions I have are whether these will attract the necessary funding and talent to be viable. But it is probably worth the experiment.
Sec 6. NIST Standards Development And Compliance
This section sets out that, within a year, the Secretary of Commerce will establish a research plan for security metrics, establish a whole set of metrics and compliance measures for vulnerabilities and testing, set all these as standards, and apply them to all vendors and government systems. This will also constrain acceptable configurations, and provide accreditation of suppliers.
Whew! This is way off base. We don't know how to do many of these things, and I fear that setting a deadline will mean that a number of poor standards and requirements will be established. Not only that, having a set of uniform configurations (and required compliance to them) is a sure way to weaken our security rather than strengthen it -- diversity and uncertainty have protective effects when used appropriately. Requiring everyone to code the same way, and configure only approved systems the same way is not going to be helpful -- except to the bad guys.
This is also a good way to kill innovation in an area (software development and security deployment) where innovation is badly needed.
This is a bad idea.
Sec 7. Licensing And Certification Of Cybersecurity Professionals
This provision requires Commerce to develop a national licensing and certification program for cybersecurity professionals. Within 3 years, it would be unlawful to provide security services to any government or national security system without the certification.
This is worse than section 6! We don't know yet what the appropriate skills are for professionals. In fact, there are a wide range of skills, not all of which are needed by each person.
The result of this, if it gets enacted, is either that we will have a least-common denominator for skills that will get taught by a lot of training organizations that will enrich them but do nothing for the nation, or the bar will be set so high that we will have a shortage of qualified personnel. Either way, it may also stifle enhanced and unconventional training that could produce new talent.
I have been working as an educator in this field for two decades. This section presents an awful idea.
Sec 8. Review Of NTIA Domain Name Contracts
Basically requires the Advisory Panel (Sec 3) to review any contract renewal with ICANN, and gives it veto authority.
Reasonable. it doesn't address some of the problems with ICANN, but it isn't clear that Congress can do that.
Sec 9. Secure Domain Name Addressing System
Within 3 years, the Commerce Department must come up with a strategy and schedule to implement DNSSEC, and the President must require all agencies and departments to follow that plan.
Probably reasonable, and with a more realistic timetable than some of the other sections.
Sec 10. Promoting Cybersecurity Awareness
Basically, the Secretary of Commerce is charged with finding ways to increase public awareness of cybersecurity. Not a bad idea, but the real issue occurs when budgets are allocated. Commerce gets stuck with lots of unfunded mandates, and I don't see this as ranking up there with, say, maintaining the nation's atomic clocks or evaluating the next digital signature standard. So, if the budgets are cramped, this won't happen.
Sec 11. Federal Cybersecurity Research And Development
This directs NSF to provide more funding towards some specific hard research issues (assurance, attribution, insider threat, privacy protection, etc.), and to help ensure that students get some training in secure code production techniques (although that is a somewhat nebulous concept). It also authorizes significant new funding levels for research, establishment of centers, and funding traineeships.
Overall, I think the intent is good. The issue is once again one of appropriations each year to fund these initiatives. if "new" funding is available, that is great. However, if this ends up eating into other research thrusts, it is generally not good for the community as a whole.
It is also the case that when substantial blocks of money are made available, suddenly "experts" come out the woodwork to compete for it. New ideas and new blood are needed in the area, but it is almost certain that a significant part of this will not accomplish what is intended, although what is accomplished may still have value. I would hope that the NSF doesn't try to address this by tying funds to the Centers of Excellence (sic).
Sec 12. Federal Cyber Scholarship-For-Service Program
The NSF SoS program would be expanded in size and scope, and codify it in law. The Scholarship for Service program grew out of an idea I presented to Congress back in 1997. It has functioned well, although it has not attracted large numbers of students, for a variety of reasons. The expansion of the program in this draft bill doesn't really change the nature of the program, so I would be very surprised if the 1000 students per year would actually matriculate. I suppose the numbers might get pumped up if more schools participated, but we don't have the faculty or educational materials nationally to do that. Thus, I have reservations about this, too.
Sec 13. Cybersecurity Competition And Challenge
This would direct NIST to set up national competitions at different levels for cybersecurity. There is also authorization to solicit for and award prize money to winners.
I can see where this might increase interest in the field, and bring more people out to solve problems. However, the majority of challenges held in the field right now are "hacking into the opposing server" challenges, and I have contended over the years that such an approach should not be encouraged. It we are looking for employees of cyber military groups, this might be okay. But hack challenges don't really recognize the well-rounded and adept defenders and researchers. Attack challenges also don't tend to engage women, who are already badly underrepresented in the field.
So, this is another qualified "maybe" section: good intent, but a lot depends on implementation.
Sec 14. Public-Private Clearinghouse
This establishes Commerce as the home of vulnerability and threat information for government systems and critical private infrastructure. Commerce also has to come up with methods and standards for protecting and sharing this information.
Hmmm, I thought DHS was supposed to be doing all this now?
Sec 15. Cybersecurity Risk Management Report
The President is supposed to come up with a report on the feasibility of a risk and insurance market for cyber risk. The report is also supposed to include the feasibility of including that risk in bond ratings.
I've often said that if we could get the insurance industry engaged, we might well see some progress in private sector security. However, without some liability for companies (above and beyond loss risk) it still might not be enough. This bill doesn't touch the liability issue, which is likely to be a third rail issue for any legislation.
Sec 16. Legal Framework Review And Report
This section of the bill would mandate review of existing law that touches on cyber, and require recommendations for any necessary changes. This includes the ECPA, the Privacy Act, FISMA, and others. This would be a very good idea. The review would be delivered to Congress. At that point, there is no way to predict what might happen, but a review is definitely needed.
Sec 17. Authentication And Civil Liberties Report'
Briefly mandates study of a national identification and authentication program, including the civil liberties issues associated therewith.
This is another touchy topic. There are many groups advocating for strongly authenticated ID, but there are also reasons to proceed with caution. Performing an in-depth study is probably worthwhile, but I'd prefer to see the National Academies tasked with it than an agency of government.
Sec 18. Cybersecurity Responsibilities And Authority
This would give the President authority to disconnect government or critical infrastructure systems in the event of an emergency. it would also grant authority for mapping systems, setting standards, monitoring performance, and other activities to protect and defend national-interest systems. It also allows the President to designate an agency or organization to be in charge during any cyber incident – presumably including Department of Defense agencies.
This has been controversial because of the "disconnect" provision. It isn't clear to me that there are situations that would be helped by a disconnect, although I can certainly imagine some that might be made worse by disconnection. I'm not sure that the current infrastructure would even allow disconnection! So, on balance, if it were left out I don't think it would matter, but it might make some people less nervous.
Most of the other parts of the section seem reasonable.
Sec 19. Quadrennial Cyber Review
Every four years there would need to be a review of cybersecurity posture, strategy, partnerships, threats, and so on. The Advisory Panel (Sec 3) would be involved. "The review shall include a comprehensive examination of the cyber strategy, force structure, modernization plans, infrastructure, budget plan, the Nation's ability to recover from a cyberemergency, and other elements of the cyber program and policies with a view toward determining and expressing the cyber strategy of the United States and establishing a revised cyber program for the next 4 years." Wow!
This is modeled after the Defense Department's review of the same name, I assume. It would be a tremendous amount of work, and might be a huge distraction. However, it also might help to highlight some of the shortfalls and dangers in a way that would be useful for policymakers.
One consideration from the DoD side: structuring reporting in this way tends to move planning from annual or biennial cycles to quadrennial or octennial cycles. In a fast-moving field such as cyber, this might well be counterproductive.
Sec 20. Joint Intelligence Threat Assessment
it states "The Director of National Intelligence and the Secretary of Commerce shall submit to the Congress an annual assessment of, and report on, cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructure."
Well, that's reasonable. Hmm, where is DHS?
Sec 21. International Norms And Cybersecurity Deterrance Measures
The President is directed to work with foreign governments to increase engagement and cooperation in cybersecurity.
We can hardly argue with that!
Sec 22. Federal Secure Products And Services Acquisitions Board
This would establish a board to set and review requirements for Federal acquisitions to ensure that cybersecurity standards are met.
My comments on section 6 hold here as well.
Sec 23. Definitions
Assorted definitions to interpret other parts of the bill.
S. 778 seems like a reasonable idea, although it isn't clear that enough responsibility is given to the position. Merging with S773 might be reasonable with many of the tasks in S.773 currently delegated to the President instead delegated to the new position.
S.773 is best where it encourages new development. reporting, education and response. Unfortunately, some of the restrictions and mandates, especially Sections 6 and 7, make the bill more toxic than helpful.
The new funding required to carry everything out would be in the many hundreds of millions of dollars per year. Most of that is explicitly authorized in this legislation, but corresponding appropriation is not a certainty...and given the current economic climate, it is unlikely. Thus, there are some things contained in here that would end up as unfunded mandates on a few agencies (such as NIST) that are already laboring under a huge taskload with insufficient resources.
No mention is made of bolstering law enforcement at any level to help deal with cybersecurity issues. That is unfortunate, because it is one place where some immediate impact could definitely be made. However, given the way this will wend through committees, that is not unexpected. Commerce gets the bill first, so they get the direction.
DHS isn't mentioned anywhere. Again, that may be because of the path the bill will take through committees. However, I can't help but think it also has to do with the way that DHS has screwed up in this whole arena.
Overall, this bill evidences a great deal of careful thought and deep concern. There are many great ideas in here, as well as a few flawed ones. I have my fingers crossed that the rumored revision addresses the flaws and results in something that can get passed into law. Even a pared-down law consisting of sections 3, 5, 9, 10, 11, 12, 16 and 21 would have a lot of positive impact.