The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Cybersecurity Legislation


Cyber seems to be one of the buzzwords in Washington these days, with the recent botnet attacks generating a lot of extra noise. This has included at least one rather bellicose response from a US Representative who either is reading much more interesting information than the rest of us, or is not reading anything at all.

Meanwhile, in the background, various bits of legislation are being worked on by several committees in both the House and Senate to address various aspects of the perceived problems. Two notable instances are legislation proposed by Senator Rockefeller and others that followed closely after my testimony before their committee. I have heard that at least one of these pieces of proposed legislation is being revised, and will be reintroduced. Back in April, I sent comments on both proposed bills to committee staff, but never heard a response. I hope my input had some impact.

It occurred to me that I did not blog about the legislation or my comments. So, to correct that oversight, you will find the enclosed, which are my original comments with some newer perspective gained over the last few months. You can find the text of these bills via Thomas.

(I will post a follow-up when I see what the revised bills are like.)

The National Cybersecurity Advisor Act of 2009, S. 778

This proposed legislation, cosponsored by Senators Snowe, Bayh and Nelson, was a bit of a puzzle to me when it was introduced. The timing was such that the President's 60-day review report had not yet been delivered, and so it seemed premature to me. However, in retrospect, the 60-day review didn't end up suggesting a powerful office within the EOP for cyber, and so this bill was right on target.

The bill would establish an office of National Cybersecurity Advisor , with the head of that office reporting directly to the President. That person would have authority to hire consultants, consult with any Federal agency, approve clearances of personnel related to cyber, and have access to all classified programs relating to cyber. More importantly, the advisor "...shall review and approve all cybersecurity-related budget requests submitted to the Office of Management and Budget" and would "...serve as the principal advisor to the President for all cybersecurity-related matters." Both of these would be an improvement over the suggestions in the final 60-day review.

The bill has had two readings and has been referred to the Committee on Homeland Security and Governmental Affairs.

(I note that the 60 day review would have been delivered to the President on April 9. It is now more than 3 months later, and still no appointment of the cybersecurity cheerleader proposed by that document.)

The National Cybersecurity Act of 2009, S 773

This was also introduced before the 60-day review was released. It contains 23 sections. It has been read twice and referred to the Committee on Commerce, Science, and Transportation. It also is cosponsored by Snowe, Nelson and Bayh.

Sec. 1: Title And Table Of Contents.

Pro forma material.

Sec 2: Findings

This is a section devoted to bits of information that justify the bill. Several people are cited for things they have said on the topics; I was not one of them, although Purdue was mentioned in point 13, and the PITAC report I helped prepare was listed in point 14.

Sec 3: Cybersecurity Advisory Panel

This section defines the creation of a high-level, Presidential advisory panel. The panel will be composed of individuals from a broad cross-section of society, and will provide the President with advice on strategy, trends, priorities, and civil liberties related to cyber security. The panel will be required to provide a report at least once every 2 years.

This looks to be well-designed and potentially very useful. Panels such as this depend on the alacrity with which a President appoints appropriate members, whether those members actually get something useful done, and whether the President heeds their advice. But at least this framework is off to a good start.

Sec 4. Real-time Cybersecurity Dashboard

The Secretary of Commerce is mandated to develop a "real-time dashboard" within a year. This dashboard is supposed to show the cybersecurity status and vulnerability information of all networks managed by the Department of Commerce.

This is quite puzzling. It isn't clear to me why this is restricted to Commerce, although notes I have from staff indicate that the intent is to serve as a pilot for other parts of government. But that isn't the end of the puzzle. Who is supposed to view this dashboard? What do they do after they see something on it? And what the heck does it really measure? (Hopefully not a dynamic FISMA score!)

Of course, I can't help noting that having one location to collect and display vulnerability information is a very bad idea.

Sec 5. State And Regional Cybersecurity Enhancement Program

This section describes the creation of a set of centers around the country to assist small businesses with cybersecurity. It is modeled on the Hollings Manufacturing Extension Partnership (MEP) and would be run by the Department of Commerce. The centers would receive up to 1/2 of their initial funding from the Federal government, with the rest to come from states, regional groups, and fees paid by members. The centers would provide expertise and resources to small companies.

Although I have some misgivings about this, it is the best suggestion I have seen yet on how to get cybersecurity technology out to small businesses in an affordable manner. I was not familiar with this program and had suggested something similar to our agricultural extension model, so this is in keeping with that. The questions I have are whether these will attract the necessary funding and talent to be viable. But it is probably worth the experiment.

Sec 6. NIST Standards Development And Compliance

This section sets out that, within a year, the Secretary of Commerce will establish a research plan for security metrics, establish a whole set of metrics and compliance measures for vulnerabilities and testing, set all these as standards, and apply them to all vendors and government systems. This will also constrain acceptable configurations, and provide accreditation of suppliers.

Whew! This is way off base. We don't know how to do many of these things, and I fear that setting a deadline will mean that a number of poor standards and requirements will be established. Not only that, having a set of uniform configurations (and required compliance to them) is a sure way to weaken our security rather than strengthen it -- diversity and uncertainty have protective effects when used appropriately. Requiring everyone to code the same way, and configure only approved systems the same way is not going to be helpful -- except to the bad guys.

This is also a good way to kill innovation in an area (software development and security deployment) where innovation is badly needed.   

This is a bad idea.

Sec 7. Licensing And Certification Of Cybersecurity Professionals

This provision requires Commerce to develop a national licensing and certification program for cybersecurity professionals. Within 3 years, it would be unlawful to provide security services to any government or national security system without the certification.

This is worse than section 6! We don't know yet what the appropriate skills are for professionals. In fact, there are a wide range of skills, not all of which are needed by each person.

The result of this, if it gets enacted, is either that we will have a least-common denominator for skills that will get taught by a lot of training organizations that will enrich them but do nothing for the nation, or the bar will be set so high that we will have a shortage of qualified personnel. Either way, it may also stifle enhanced and unconventional training that could produce new talent.

I have been working as an educator in this field for two decades. This section presents an awful idea.

Sec 8. Review Of NTIA Domain Name Contracts

Basically requires the Advisory Panel (Sec 3) to review any contract renewal with ICANN, and gives it veto authority.

Reasonable. it doesn't address some of the problems with ICANN, but it isn't clear that Congress can do that.

Sec 9. Secure Domain Name Addressing System

Within 3 years, the Commerce Department must come up with a strategy and schedule to implement DNSSEC, and the President must require all agencies and departments to follow that plan.

Probably reasonable, and with a more realistic timetable than some of the other sections.

Sec 10. Promoting Cybersecurity Awareness

Basically, the Secretary of Commerce is charged with finding ways to increase public awareness of cybersecurity. Not a bad idea, but the real issue occurs when budgets are allocated. Commerce gets stuck with lots of unfunded mandates, and I don't see this as ranking up there with, say, maintaining the nation's atomic clocks or evaluating the next digital signature standard. So, if the budgets are cramped, this won't happen.

Sec 11. Federal Cybersecurity Research And Development

This directs NSF to provide more funding towards some specific hard research issues (assurance, attribution, insider threat, privacy protection, etc.), and to help ensure that students get some training in secure code production techniques (although that is a somewhat nebulous concept). It also authorizes significant new funding levels for research, establishment of centers, and funding traineeships.

Overall, I think the intent is good. The issue is once again one of appropriations each year to fund these initiatives. if "new" funding is available, that is great. However, if this ends up eating into other research thrusts, it is generally not good for the community as a whole.

It is also the case that when substantial blocks of money are made available, suddenly "experts" come out the woodwork to compete for it. New ideas and new blood are needed in the area, but it is almost certain that a significant part of this will not accomplish what is intended, although what is accomplished may still have value. I would hope that the NSF doesn't try to address this by tying funds to the Centers of Excellence (sic).

Sec 12. Federal Cyber Scholarship-For-Service Program

The NSF SoS program would be expanded in size and scope, and codify it in law. The Scholarship for Service program grew out of an idea I presented to Congress back in 1997. It has functioned well, although it has not attracted large numbers of students, for a variety of reasons. The expansion of the program in this draft bill doesn't really change the nature of the program, so I would be very surprised if the 1000 students per year would actually matriculate. I suppose the numbers might get pumped up if more schools participated, but we don't have the faculty or educational materials nationally to do that. Thus, I have reservations about this, too.

Sec 13. Cybersecurity Competition And Challenge

This would direct NIST to set up national competitions at different levels for cybersecurity. There is also authorization to solicit for and award prize money to winners.

I can see where this might increase interest in the field, and bring more people out to solve problems. However, the majority of challenges held in the field right now are "hacking into the opposing server" challenges, and I have contended over the years that such an approach should not be encouraged. It we are looking for employees of cyber military groups, this might be okay. But hack challenges don't really recognize the well-rounded and adept defenders and researchers. Attack challenges also don't tend to engage women, who are already badly underrepresented in the field.

So, this is another qualified "maybe" section: good intent, but a lot depends on implementation.

Sec 14. Public-Private Clearinghouse

This establishes Commerce as the home of vulnerability and threat information for government systems and critical private infrastructure. Commerce also has to come up with methods and standards for protecting and sharing this information.

  Hmmm, I thought DHS was supposed to be doing all this now?

Sec 15. Cybersecurity Risk Management Report

The President is supposed to come up with a report on the feasibility of a risk and insurance market for cyber risk. The report is also supposed to include the feasibility of including that risk in bond ratings.

I've often said that if we could get the insurance industry engaged, we might well see some progress in private sector security. However, without some liability for companies (above and beyond loss risk) it still might not be enough. This bill doesn't touch the liability issue, which is likely to be a third rail issue for any legislation.

Sec 16. Legal Framework Review And Report

This section of the bill would mandate review of existing law that touches on cyber, and require recommendations for any necessary changes. This includes the ECPA, the Privacy Act, FISMA, and others. This would be a very good idea. The review would be delivered to Congress. At that point, there is no way to predict what might happen, but a review is definitely needed.

Sec 17. Authentication And Civil Liberties Report'

Briefly mandates study of a national identification and authentication program, including the civil liberties issues associated therewith.

This is another touchy topic. There are many groups advocating for strongly authenticated ID, but there are also reasons to proceed with caution. Performing an in-depth study is probably worthwhile, but I'd prefer to see the National Academies tasked with it than an agency of government.

Sec 18. Cybersecurity Responsibilities And Authority

This would give the President authority to disconnect government or critical infrastructure systems in the event of an emergency. it would also grant authority for mapping systems, setting standards, monitoring performance, and other activities to protect and defend national-interest systems. It also allows the President to designate an agency or organization to be in charge during any cyber incident – presumably including Department of Defense agencies.

This has been controversial because of the "disconnect" provision. It isn't clear to me that there are situations that would be helped by a disconnect, although I can certainly imagine some that might be made worse by disconnection. I'm not sure that the current infrastructure would even allow disconnection! So, on balance, if it were left out I don't think it would matter, but it might make some people less nervous.

Most of the other parts of the section seem reasonable.

Sec 19. Quadrennial Cyber Review

Every four years there would need to be a review of cybersecurity posture, strategy, partnerships, threats, and so on. The Advisory Panel (Sec 3) would be involved. "The review shall include a comprehensive examination of the cyber strategy, force structure, modernization plans, infrastructure, budget plan, the Nation's ability to recover from a cyberemergency, and other elements of the cyber program and policies with a view toward determining and expressing the cyber strategy of the United States and establishing a revised cyber program for the next 4 years." Wow!

This is modeled after the Defense Department's review of the same name, I assume. It would be a tremendous amount of work, and might be a huge distraction. However, it also might help to highlight some of the shortfalls and dangers in a way that would be useful for policymakers.

One consideration from the DoD side: structuring reporting in this way tends to move planning from annual or biennial cycles to quadrennial or octennial cycles. In a fast-moving field such as cyber, this might well be counterproductive.

Sec 20. Joint Intelligence Threat Assessment

it states "The Director of National Intelligence and the Secretary of Commerce shall submit to the Congress an annual assessment of, and report on, cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructure."   

Well, that's reasonable. Hmm, where is DHS?

Sec 21. International Norms And Cybersecurity Deterrance Measures

The President is directed to work with foreign governments to increase engagement and cooperation in cybersecurity.   

We can hardly argue with that!

Sec 22. Federal Secure Products And Services Acquisitions Board

This would establish a board to set and review requirements for Federal acquisitions to ensure that cybersecurity standards are met.

My comments on section 6 hold here as well.

Sec 23. Definitions

Assorted definitions to interpret other parts of the bill.


S. 778 seems like a reasonable idea, although it isn't clear that enough responsibility is given to the position. Merging with S773 might be reasonable with many of the tasks in S.773 currently delegated to the President instead delegated to the new position.

S.773 is best where it encourages new development. reporting, education and response. Unfortunately, some of the restrictions and mandates, especially Sections 6 and 7, make the bill more toxic than helpful.

The new funding required to carry everything out would be in the many hundreds of millions of dollars per year. Most of that is explicitly authorized in this legislation, but corresponding appropriation is not a certainty...and given the current economic climate, it is unlikely. Thus, there are some things contained in here that would end up as unfunded mandates on a few agencies (such as NIST) that are already laboring under a huge taskload with insufficient resources.

No mention is made of bolstering law enforcement at any level to help deal with cybersecurity issues. That is unfortunate, because it is one place where some immediate impact could definitely be made. However, given the way this will wend through committees, that is not unexpected. Commerce gets the bill first, so they get the direction.

DHS isn't mentioned anywhere. Again, that may be because of the path the bill will take through committees. However, I can't help but think it also has to do with the way that DHS has screwed up in this whole arena.

Overall, this bill evidences a great deal of careful thought and deep concern. There are many great ideas in here, as well as a few flawed ones. I have my fingers crossed that the rumored revision addresses the flaws and results in something that can get passed into law. Even a pared-down law consisting of sections 3, 5, 9, 10, 11, 12, 16 and 21 would have a lot of positive impact.


Posted by Jean Camp
on Tuesday, July 14, 2009 at 08:20 PM

I thought the ISACs and Incident Response Centers were suppose to perform some of the tasks of Sec. 5. Sadly this has not been the case. But they may be more well-suited than entirely new entities.

I am saddened that it will take more than an Act of Congress for DNSSEC adoption.

I am concerned about “increasing awareness”. Sometimes increased awareness corresponds with irrational behavior. We need to understand how to communicate the problem more effectively, and “awareness” may prove to be double-edged.

Posted by Scott
on Thursday, July 16, 2009 at 01:17 PM

After reading this post, I looked up the described bills in Thomas. While I understand why congress feels these bills are necessary, they are typical of congressional attempts that attempts to maintain jurisdiction between various departments and agencies. It is as if congress has not learned how ineffective policy implementation can become the more jurisdictional boundaries are required to be crossed.

While I agree that federal cyber security efforts should be centralized, the bills do not provide that central effort any authority. Further, it requires a committee approach that has to bridge too many boundaries. In government-speak, these are called “integrated project teams” (IPT). Every time I hear the government wants to do anything by IPT, I immediately add 50-percent to my time projections for the project.

Rather than this team approach, the government should take some lessons from private industry as to how to organize this effort. First, the bill should create a government-wide Chief Information Security Officer. The CISO would have the authority to approve government-wide security policies, oversee standards, provide oversight to designated accreditation authorities, and work with oversight organizations in their audit of government systems.

Although the CISO would be under the Executive Office of the President (EOP) and report directly to the President, I would leave the standards to NIST and US CERT under DHS. Both agencies would remain in their respective departments—in deference to the politics that would prevent their removal. Heads of those departments would report to an Associate CISO (ACISO) who would report to the CISO.

In this scenario, NIST’s budget would be increased and charged with completing the guidelines (Special Publications) and providing direct guidelines to be FISMA compliant. While NIST does an excellent job today, I am sure Dr. Ron Ross could do better if he was provided the appropriate resources.

US CERT would become more important. I would envision that US CERT would be to the Internet that NOAA is to the weather. As part of the expansion of their duties, US CERT may want to partner with other organizations like the Internet Storm Center and foreign CERT organizations. US CERT could become the national resource that people are looking for.

Working with the CISO would be an ACISO for Law Enforcement that would coordinate the work of the Justice Department’s Cyber Crime Unit and the FBI amongst the other law enforcement agencies.  The ACISO for Law Enforcement would provide the coordination during investigations to help break down jurisdictional barriers.

Rounding out the staff would be an ACISO for personnel, another for policy, one for government relations, and another for commercial relations. The ACISO for personnel would work with the Office of Personnel Management (OPM) and agencies requiring security clearances to ensure that the government has standards and processes that are consistent. Even if the responsibilities for the clearance process remains with their current agencies, this ACISO can work with them to improve the throughput by improving the workflow and cross-agency access to information.

The ACISO for Policy would work within the Executive branch and interface with the President’s policy team to coordinate cyber security with the President’s policy initiatives. The ACISO for Government Relations (AGR) would work within the government agencies as part of the CISO’s enforcement requirements for government agencies.

The ACISO for Commercial Relations (ACR) would be the bridge between the government and the commercial work. The ACR would be responsible for disseminating information from the government to the public and from the public to the government. Together with the AGR, the ACR would be responsible for managing a government and industry consortium to coordinate information security concerns between the public and private sectors.

The CISO and ACISOs would make up a Cyber Security Council that would work Cyber Security issues on behalf of the government and the public. The Cyber Security Council, lead by the CISO, would issue a quarterly report on the State of Cyber Security that would be followed up by a public comment period. The State of Cyber Security Annual report would be part of a conference briefing that would breakdown each area mentioned in the report along with presenting information on the best of what was discovered, and round table discussions on the state of cyber security. This conference would allow for both physical and virtual participation.

I think this is a pragmatic approach taking the best of how private industry manages their information assets while recognizing the distributed nature of government management. However, I hold no hope that something like this would be implemented because it appears to concentrate too much power with the CISO, which would make the ability to pass a skeptical congress difficult.

Leave a comment

Commenting is not available in this section entry.