Sunday, April 05, 2009

Real Secure

It's amazing what you turn up in the most unexpected places. Karl Denninger, who usually writes about the economy, alerts the public to a couple of Senate Bills that may prove the road to hell is paved with good intentions. They are S.773(very long name) and S.778 to establish the National Office of Cybersecurity Advisor (see Thomas for more). As of this writing the bill texts are not available at Thomas. They are tied to H.R. 266 Cybersecurity Education Enhancement Act of 2009.

The fundamentals of the House bill are to establish cybersecurity training via grants to institutions of higher education. Who could argue with that? It seems Denninger can, and he does so via the draft text for the Senate bills here. (site is the Center for Democracy)

Denninger starts out by taking issue with the licensing aspects of the draft bill (page 21) in SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS. I don't because I would like to know that anyone calling themself a cybersecurity professional can demonstrate some baseline standard of knowledge that s/he has achieved.

However, what he is really exercised about, and I agree this needs to be looked at closely, starts on Page 39 SEC. 14. PUBLIC–PRIVATE CLEARINGHOUSE. Don't let that title fool you. Here's the relevant text:

(b) FUNCTIONS.—The Secretary of Commerce
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

(2) shall manage the sharing of Federal government and other critical infrastructure threat and vulnerability information between the Federal government and the persons primarily responsible for the operation and maintenance of the networks concerned; and

(3) shall report regularly to the Congress on threat information held by the Federal government that is not shared with the persons primarily responsible for the operation and maintenance of the networks concerned.

SEC 14(b)(1) is where the rubber hits the road for Denninger, and it is an opportunity for mischief making by our government, whether elected representatives or over-eager bureaucrats. But it doesn't end there, he is also concerned about Presidential authority, especially as defined in SEC 18 (2) and (6).

The President—
(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include—
(A) a long-term vision of the nation’s cybersecurity future; and
(B) a plan that encompasses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers;
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;
(3) shall designate an agency to be responsible for coordinating the response and restoration of any Federal government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2);
(4) shall, through the appropriate department or agency, review equipment that would be needed after a cybersecurity attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment;
(5) shall direct the periodic mapping of Federal government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process;
(6) may order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security;
(7) shall, through the Office of Science and Technology Policy, direct an annual review of all Federal cyber technology research and development investments;
(8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture;
(9) shall, through the appropriate department or agency, promulgate rules for Federal professional responsibilities regarding cybersecurity, and shall provide to the Congress an annual report on Federal agency compliance with those rules;
(10) shall withhold additional compensation, direct corrective action for Federal personnel, or terminate a Federal contract in violation of Federal rules , and shall report any such action to the Congress in an unclassified format within 48 hours after taking any such action; and
(11) shall notify the Congress within 48 hours after providing a cyber-related certification of legality to a United States person.

SEC 18 (2) and (6) make sense on one level. Those of us caught up in the Sasser worm debacle remember the pain and agony of trying to stop it from spreading. At the IRS we wound up using sledgehammers - shutting down the network devices that connected our offices. Clearing all the infected PCs was a nightmare. There is evidence of organized cyber attacks originating in China and we would be foolish to not have mitigations in place along with a plan to respond when (not if) attacked. On the other hand, the regulations governing the execution of this authority will have to be carefully written to, once again, say it with me; minimize the potential for government mischief making. Make no mistake, this is a double edged sword and we need to wield it carefully.

Stay tuned folks, this is one that could bite us all later.

No comments: