New Regulations Will Not Prepare the US for Cyberwar

Thursday, April 08, 2010

Richard Stiennon


Senators Rockefeller and Snowe have formulated a new Cybersecurity bill that they describe in today’s Wall Street Journal. (Use Google News to get to the full article.)

The Bill as proposed will be very disruptive to the operations of every business and will do essentially nothing to prepare the US for cyberwar.

Regulations have been tried before. One of the main drivers for investment in IT security has been regulation.

California 1386 required the disclosure of data losses, which has had a remarkable impact on banks, insurance companies, and schools.

HIPAA created an industry of consultants to address potential health records losses.

GLBA created a mountain of privacy letters sent to every account holder in the country.

And Sarbanes-Oxley, thanks to an off-hand reference to requiring companies to deploy a security framework, has caused mountains of paper work and investment for publicly traded companies.

But regulation is not the primary driver for new technology, new investment, or new training; the threats are. The Payment Card Industry (PCI) standard was created by the credit card industry to protect the viability of their brand.

Too much credit card theft was finally hurting them and they now require anyone who handles credit card information to encrypt that data.  

Aside from the progress being made on that front, the threat against networks and data continues unabated.

Rockefeller and Snowe’s Bill will add nothing to the US’s cyber preparedness. Its main points are:

• Create the position of national cybersecurity adviser to coordinate government efforts and collaborate with private businesses. The person who fills this position would be confirmed by the Senate and answer directly to the president.

This position already exists. It was created in response to Melissa Hathaway’s Cybersecurity Policy Review (CPR).  Howard Schmidt was appointed by President Obama to be the Cybersecurity Coordinator. 

If cyber security can truly be coordinated by someone with no budget, no authority, and dozens of competing factions to corral, Howard is the man for the job.

What possible benefit could be derived from having a Senate confirmation of the person selected for this role, other than to politicize the process?

• Launch a new public awareness campaign to make basic cybersecurity principles and civil liberty protections as familiar as Smokey the Bear's advice for preventing forest fires.

The CPR also called for a Smokey the Bear campaign. Just as devastating forest fires still occur despite Mr. Bear’s exhortations, debilitating cyber attacks will occur even if a well intentioned mascot stands up for cyber security.  A new public awareness campaign would be worthless.

• Support significant new cybersecurity research and development and triple the federal Scholarship-For-Service program to 1,000 students. This program recruits individuals to study cybersecurity at American universities and then enter public service.

Cyber security is probably the most heavily researched endeavor in all of computer science.

Tens of thousands of extremely bright people are crouched over their computers around the world every hour of every day tracking the latest cyber threats and countering them in near real-time.

If some university applied for a grant to study a particular defense or technology the threat would have moved on before they were awarded the money they asked for. 

This is one arena in which the government is not needed and to which public research cannot contribute.

• Create a market-driven process that encourages businesses to adopt good cybersecurity practices and innovate other ways to protect our security. Companies that excel at this will be publicly recognized by the government, and companies that fall short in two consecutive independent audits will be required to implement a remediation plan.

There already is a market driven process to encourage good cyber security. The repercussions of being attacked successfully far outweigh the expense of defense.

Companies are spending billions of dollars on cyber security today and growing that investment at a rate of over 20% annually. 

Public ridicule and recognition from the annual GAO audits of government agencies’ cyber security has not been very effective in getting them to change their ways.

Why should the private sector be subjected to what could only be a massive incursion into the way they do business?

• Encourage government agencies and private businesses to work together to protect our civil liberties, intellectual property rights, and classified information. Our bill provides for unprecedented information sharing, including giving cleared private sector executives access to classified threat information.

Any executive that wants access to threat information is welcome to join the FBI’s Infragard where this is already done. 

The rest of the oft-repeated refrain for more public-private partnership is wasted. The private sector is well prepared for cyber threats and will react quickly to any changes. It is the government that needs to change its ways.

• Require the president and private companies to develop and rehearse detailed cyber-emergency response plans in order to clarify roles, responsibilities and authorities in a time of crisis. In a cybersecurity emergency, such as a terrorist attack or a major natural disaster, our country must be prepared to respond without delay.

There have been major earthquakes, floods, power-grid failures, and Internet outages for decades. We are still here and the Internet is alive and well. 

I can see that government officials want to have proposed legislation on the books so that they can say “I told you so” after the next cyber incident. 

But preventing the next incident is not only possible, but is easier to accomplish than creating a massive response capability that will be caught off guard anyway.

In my open letter to President Obama published the day before he was elected I proposed the measures that have to be taken to protect government networks and assets from cyber attack. 

Cyber preparedness is something the US military and agencies have to take on. They already own and control their networks. They do not need legislation to do their jobs.  Here is an abbreviated list of the steps that could be taken today by the US government.

1. Immediately issue a Presidential order that establishes responsibility for cyber security with real negative repercussions for those who fail to prevent breaches. For civilians this means being fired; for the military this means court martial, demotion, and expulsion for serious security breaches. Do not allow the blame to be foisted off on contractors. The only way that security gets implemented is if someone’s job is on the line.

2. While the National Institute of Standards and Technology (NIST) has been responsible for security standards and has created some great documents, it is a stretch to try to make the entire government comply with them during your term as President. Those responsible for locking down government networks and defending data will need to be empowered with a set of strict rules. These rules should include:

I. All access must be explicitly authorized.
II. All users must be identified and strongly authenticated.
III. All applications must be reviewed for security vulnerabilities.
IV. All network attached systems must be scanned for vulnerabilities on a schedule.
V. All network connections must be firewalled.
VI. All firewalls must be configured to “deny all except that which is explicitly allowed”.
VII. All government networks must be mapped and understood.
VIII. All data needs to be encrypted at rest.
IX. All communication links need to be encrypted.
X. All intrusions need to be aggressively analyzed and appropriate responses executed.


3. Empower OMB to withhold funding from any agency that does not comply in a timely (less than 6 months) manner with 1. and 2.

4. Decentralize security management. One person cannot be effective in overseeing a cyber security policy. Security is everyone’s responsibility and the system should motivate responsible individuals to take action.

5. Fix the DHS information sharing capability by learning from the recent advance of social networking. Getting members of law enforcement to collaborate effectively is not a task that can be accomplished by rolling out a quick-fix technology. In a secure environment individuals could find the most effective ways to communicate and share critical information.

6. Do not confuse security awareness campaigns with actual security improvements. The time, effort, and money that is spent on publicity campaigns could be better allocated to securing government networks.

7. Do not propose a new massive spending effort or any new departments to oversee cyber security. Security should be part of every computing infrastructure purchase and everyone’s job.

8. Enhance transparency. Publish the methods of attacks used successfully against the Pentagon and NIPRNet. That is security awareness at its best. If the community knew the types of attacks and the sources, it could better prepare for them.

9. Stop spying on citizens of the United States. While discovering terrorist plots is a legitimate function of the FBI, the violation of the privacy and individual rights of the people is too high a price to pay for the dubious information gleaned by snooping on email.

10. While offensive cyber techniques will be developed, keep in mind that in cyberspace the best offense is a perfect defense.

Congressional oversight of these ten points may well be effective. But new legislation is not needed. The executive branch can and should take the lead.

The country is getting tired of legislation. Passing a cybersecurity bill would not do anything to better prepare us for cyber attack.

Beefing up our defenses with accepted security practices would.
