A Review of S.773: The CyberSecurity Act of 2009

I wanted to take a few minutes to talk about a very cool piece of legislation circulating through the Federal Government right now. It has a high chance of passing, though probably not in 2009.

S.773 (The CyberSecurity Act of 2009) is a document that recognizes the importance of creating a common set of criteria for assessing information technology risks across the government, public, and private sectors. It reasons that if we’re to have an economy based on information and electronic commerce, then reasonable, standard, and specific precautions must be taken by all in order to strengthen our national defense, national competitiveness, and national security posture. In short, the Act creates a common expectation of IT security for all manner of businesses.

I can’t tell you how important this is. Today, there is a hodge-podge of industry-based and government (municipal, state, and federal) mandates that dictate how certain kinds of information are maintained and what degree of governance is exercised over them. There hasn’t been a single consistent message from the government on what constitutes “secure” when it comes to technology implementations. With this Act, we would have a tool that actually creates a universal guideline of expectation for managing the security of IT resources across industry boundaries, regardless of the size of the company. In this way, consumers and regulators can ensure that your personal private information is just as safe at a Quickiemart point-of-sale (POS) station as it is at a Wal-Mart’s POS. We in the industry – as well as consumers – have needed this for a very long time.

Beyond just recognizing the importance of standardization, audit, and corrective action – installing a mechanism for assessing and reporting on the state of national preparedness in cybersecurity – funds are allocated to do some rather amazing things for industry, students, and consultants alike. Here’s a run-down:

1. Regional Cybersecurity Centers.

The government would allocate funds to create boards of industry, academic, government, and ethics practitioners to help guide government decision-making, which then feeds into a central federal committee reporting to Congress and the President under a CyberSecurity Advisory Panel. These bodies would then provide a means of reviewing trends, threats, changes in consumer expectations, and so on. Plus, the Regional Centers would be responsible for distributing millions in loans to small businesses with under 100 employees to invest in safeguards and countermeasures to meet NIST compliance expectations.

2. A Real-time Cybersecurity Dashboard.

Within our industry, there are a multitude of tools and resources we use to gauge the current threat level to cyber resources. Nearly all of them (with the exception of US-CERT) are private, industry-based, and carry their own built-in biases. Now, the Act would create a common set of metrics to gauge the threat level and recommend a coordinated response to risk. This has been sorely needed ever since we started connecting our computers to the Internet.

3. NIST-Level Standards, Metrics, and Controls.

Currently, when I make recommendations on implementing standards for security, I use a variety of public-domain documents that are considered “best practices”. NIST (the National Institute of Standards and Technology) has set forth guidelines for securing IT assets at the Federal level. Under the Act, NIST’s guidelines would be published as a universal standard for American businesses, creating a single yardstick to measure security compliance. This would greatly simplify the task of implementing security controls throughout small to mid-range businesses, which are often baffled by the dizzying array of standards, options, compliance requirements, and technologies.

4. R&D Dollars.

Money would flow into creating stronger and more resilient networking technologies and software.

5. Professional Certification Program.

In order to help the implementation of the NIST standards and to verify the distribution of Federal dollars to businesses, the Act would create a licensing process similar to what we see in private industry. Industry professionals and practitioners could become certified to evaluate, assess, and implement the NIST standards for stakeholders. This would give small and medium-sized businesses, which usually don’t have access to these kinds of professionals, a clear signal that these folks know their business and can really talk security. For consultants – people like me – this is a tremendous opportunity (as you might imagine).

6. Federal Cyber Scholarship-for-Service Programs.

What’s very cool is that 1,000 students per year could receive full-tuition scholarships with stipends (both graduate and undergraduate) to attend university and promote cybersecurity practices. Further, the Act compels the Federal Government to give these professionals preferential treatment in hiring once they graduate, to fill Federal vacancies.

7. New Presidential Authority.

Under this Act – and perhaps its most controversial provision – the POTUS could declare a cybersecurity state of emergency and shut down or disconnect portions of the Internet. I think what’s critical in reading the Act is that the POTUS would have authority to do this with Federal assets only, and with critical national infrastructure (like power grids); the POTUS wouldn’t have authority to shut off the Internet entirely, like we see in China, Iran, or North Korea. This isn’t altogether wacky: the POTUS should have a means of recognizing and shifting national security posture just like a Chief Security Officer (CSO) or Chief Information Officer (CIO) would inside a traditional business. I think some care should be given in defining “critical infrastructure”, but this is still a relevant and prudent capability offered to the POTUS that he doesn’t have today.

8. A Stronger DNS System.

Finally, one of the weaknesses in the design of the Internet is the way we resolve names and find IP addresses. This is the Domain Name System (DNS), and it’s highly prone to attack and failure. If we can’t resolve names, we can’t go anywhere on the Internet. Within the Act, dollars would be allocated to create a stronger and more capable DNS solution.

Anyway, this is an amazing piece of legislation that anybody in the security industry (student, academic, or business owner) should be watching! It has the potential to reshape the way we think about security into a cohesive set of business practices that could be universally applied and evaluated. It could literally shape the next decade of strategic spending for small to mid-range businesses.

R