Bill S.773 – the Cybersecurity Act of 2009 – is on the table in Washington. The Electronic Frontier Foundation is concerned that “the bill would create a major shift of power away from users and companies to the federal government”.
I have taken a pass through the bill myself and, while I agree with the EFF that at least a few points need clarification and modification, I think it is overall an issue that must be addressed. The cyber risk to physical systems (transportation, power, manufacturing, and automated systems) and to the free flow of commerce and communications is very real. To date the government has largely left this area to its own devices, and that may not be the best choice.
I suggest reading sections 14, 17 and 18 for all the non-geeks out there.
Purpose:
To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.
[UPDATE] Steven Bellovin has written a decent commentary on the bill.
An overview of the bill can be found here, and bill S.778 is out in parallel to establish the Office of National Cybersecurity Advisor.
Sen. John Rockefeller [D-WV] has sponsored both bills; Sens. Olympia Snowe [R-ME], Bill Nelson [D-FL] and Evan Bayh [D-IN] have co-sponsored S.773.
Below is the bulk of the text of the bill, edited only slightly for length to make it somewhat more readable. I do have a couple of issues with it, but in general I’d say it is about damn time Washington took a hand in this area.
SEC. 2. FINDINGS.
The Congress finds the following:
(1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.
(2) Since intellectual property is now often stored in digital form, industrial espionage that exploits weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, where economic strength and technological leadership are vital components of national power, failing to secure cyberspace puts us at a disadvantage.
[snip – additional justifications, pretty standard stuff]
OK, all the justifications are true by my estimation. I suggest that there is really not even much to argue about here.
SEC. 3. CYBERSECURITY ADVISORY PANEL.
(a) IN GENERAL- The President shall establish or designate a Cybersecurity Advisory Panel.
(b) QUALIFICATIONS- The President–
(1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and
(2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.
(c) DUTIES- The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess–
(1) trends and developments in cybersecurity science research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the balance among the components of the national strategy, including funding for program components;
(5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;
(6) the management, coordination, implementation, and activities of the strategy; and
(7) whether societal and civil liberty concerns are adequately addressed.
[snip – administrivia such as report at least every 24 months and travel reimbursement].
OK, put a panel together of industry leaders. Makes sense. I would suggest that Civil Libertarians should be a part of the Advisory Panel to voice concerns about encroachment on privacy.
SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.
The Secretary of Commerce shall–
(1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce; and
(2) implement the plan within 1 year after the date of enactment of this Act.
IOW – “The government should know the status of its own systems.” Couldn’t agree more.
SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.
[snip – details of state and regional centers]
IOW – “There should be regional centers of excellence that can service the local population.” You betcha.
SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:
(1) CYBERSECURITY METRICS RESEARCH- The Director of the National Institute of Standards and Technology shall establish a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. These metrics should measure risk reduction and the cost of defense. The research shall include the development of automated tools to assess vulnerability and compliance.
(2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.
(3) SOFTWARE SECURITY- The Institute shall establish standards for measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. The Institute will also establish a separate set of such standards for measuring security in embedded software such as that found in industrial control systems.
(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE- The Institute shall establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(5) STANDARD SOFTWARE CONFIGURATION- The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(6) VULNERABILITY SPECIFICATION LANGUAGE- The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.
(7) National compliance standards for all software-
(A) PROTOCOL- The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal Government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks to ensure that it–
(i) meets the software security standards of paragraph (2); and
(ii) does not require or cause any changes to be made in the standard configurations described in paragraph (4).
(B) COMPLIANCE- The Institute shall develop a process or procedure to verify that–
(i) software development organizations comply with the protocol established under subparagraph (A) during the software development process; and
(ii) testing results showing evidence of adequate testing and defect reduction are provided to the Federal Government prior to deployment of software.
(b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.
(c) INTERNATIONAL STANDARDS- The Director, through the Institute and in coordination with appropriate Federal agencies, shall be responsible for United States representation in all international standards development related to cybersecurity, and shall develop and implement a strategy to optimize the United States position with respect to international cybersecurity standards.
(d) COMPLIANCE ENFORCEMENT- The Director shall–
(1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and
(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.
(e) FCC NATIONAL BROADBAND PLAN- In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.
OK, I leave this whole section intact because there is no way to dumb it down. In short, the bill mandates that NIST arrange for standards and enforcement. All I can say is it’s a lot easier than it sounds and that I am really looking forward to the debate that surrounds the creation, implementation and enforcement of those standards. Regardless of my own trepidation, though, I think it is a battle that needs to be engaged sooner or later, so we are better off taking it on now and starting to make progress on it.
SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING – Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
License all Information Security folks? Like section 6, I have serious doubts as to what the details of this really imply – and I am concerned that a less than thoughtful implementation of this requirement could reduce the number of InfoSec people available to the world – but there is a level of sense to it. If you have to be certified to draw lines on a map, fiddle with people’s personal finances or sell a home, then there seems to be a good argument that you should be required to prove you are competent to be allowed to mess about with other people’s confidential information. I would encourage making it very easy for existing infosec folks to get these certifications so we don’t scare too many off.
SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.
(a) IN GENERAL- No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel–
(1) has reviewed the action;
(2) considered the commercial and national security implications of the action; and
(3) approved the action.
(b) APPROVAL PROCEDURE- If the Advisory Panel does not approve such an action, it shall immediately notify the Assistant Secretary in writing of the disapproval and the reasons therefor. The Advisory Panel may provide recommendations to the Assistant Secretary in the notice for any modifications that it deems necessary to secure approval of the action.
Effectively gives the Advisory Panel created in Section 3 a veto over any renewal or modification of the contract under which the Internet Assigned Numbers Authority (which administers the DNS root and IP address allocation) operates.
SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
(a) IN GENERAL- Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President’s designee, as critical infrastructure information systems or networks.
(b) COMPLIANCE REQUIRED- The President shall ensure that each Federal agency and each such system or network implements the secure domain name addressing system in accordance with the schedule published by the Assistant Secretary.
I’m guessing that this is referencing something like DNSSEC.
SEC. 10. PROMOTING CYBERSECURITY AWARENESS.
The Secretary of Commerce shall develop and implement a national cybersecurity awareness campaign that–
(1) is designed to heighten public awareness of cybersecurity issues and concerns;
(2) communicates the Federal Government’s role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities; and
(3) utilizes public and private sector means of providing information to the public, including public service announcements.
Education really is key. This is a current area of obsession with me: I think the only way to fix the underlying InfoSec malaise is to begin educating children early, so that the next generation of programmers and consumers have a basis in building and buying secure systems.
SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.
(a) FUNDAMENTAL CYBERSECURITY RESEARCH- The Director of the National Science Foundation shall give priority to computer and information science and engineering research to ensure substantial support is provided to meet the following challenges in cybersecurity:
(1) How to design and build complex software-intensive systems that are secure and reliable when first deployed.
(2) How to test and verify that software, whether developed locally or obtained from a third party, is free of significant known security flaws.
(3) How to test and verify that software obtained from a third party correctly implements stated functionality, and only that functionality.
(4) How to guarantee the privacy of an individual’s identity, information, or lawful transactions when stored in distributed systems or transmitted over networks.
(5) How to build new protocols to enable the Internet to have robust security as one of its key capabilities.
(6) How to determine the origin of a message transmitted over the Internet.
(7) How to support privacy in conjunction with improved security.
(8) How to address the growing problem of insider threat.
(b) SECURE CODING RESEARCH- The Director shall support research that evaluates selected secure coding education and improvement programs. The Director shall also support research on new methods of integrating secure coding improvement into the core curriculum of computer science programs and of other programs where graduates have a substantial probability of developing software after graduation.
(c) ASSESSMENT OF SECURE CODING EDUCATION IN COLLEGES AND UNIVERSITIES- Within one year after the date of enactment of this Act, the Director shall submit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology a report on the state of secure coding education in America’s colleges and universities for each school that received National Science Foundation funding in excess of $1,000,000 during fiscal year 2008. The report shall include–
(1) the number of students who earned undergraduate degrees in computer science or in each other program where graduates have a substantial probability of being engaged in software design or development after graduation;
(2) the percentage of those students who completed substantive secure coding education or improvement programs during their undergraduate experience; and
(3) descriptions of the length and content of the education and improvement programs, and a measure of the effectiveness of those programs in enabling the students to master secure coding and design.
(d) CYBERSECURITY MODELING AND TESTBEDS- The Director shall establish a program to award grants to institutions of higher education to establish cybersecurity testbeds capable of realistic modeling of real-time cyber attacks and defenses. The purpose of this program is to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real-world environment. The testbeds shall be sufficiently large in order to model the scale and complexity of real world networks and environments.
(e) NSF COMPUTER AND NETWORK SECURITY RESEARCH GRANT AREAS – [snip – grant amendments]
As with Section 10, this deals more with support for education and research. Again, it’s hard for me to argue against any of this.
SEC. 12. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.
(a) IN GENERAL- The Director of the National Science Foundation shall establish a Federal Cyber Scholarship-for-Service program to recruit and train the next generation of Federal information technology workers and security managers.
[snip – scholarship details]
Like the overall thread of “we’ll pay your education if you agree to give something back” that the President touted since before he was elected.
SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE.
(a) IN GENERAL- The Director of the National Institute of Standards and Technology, directly or through appropriate Federal entities, shall establish cybersecurity competitions and challenges with cash prizes in order to–
(1) attract, identify, evaluate, and recruit talented individuals for the Federal information technology workforce; and
(2) stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration that have the potential for application to the Federal information technology activities of the Federal Government.
[snip – details of competitions]
Federally supported security geek competitions. I don’t know what I couldn’t like about that.
This section below has the most contentious phrase: the “without regard to any provision of law, regulation, rule, or policy restricting such access” clause in subsection (b)(1).
SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.
(a) DESIGNATION- The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal Government and private sector owned critical infrastructure information systems and networks.
(b) FUNCTIONS- The Secretary of Commerce–
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;
(2) shall manage the sharing of Federal Government and other critical infrastructure threat and vulnerability information between the Federal Government and the persons primarily responsible for the operation and maintenance of the networks concerned; and
(3) shall report regularly to the Congress on threat information held by the Federal Government that is not shared with the persons primarily responsible for the operation and maintenance of the networks concerned.
(c) INFORMATION SHARING RULES AND PROCEDURES- Within 90 days after the date of enactment of this Act, the Secretary shall publish in the Federal Register a draft description of rules and procedures on how the Federal Government will share cybersecurity threat and vulnerability information with private sector critical infrastructure information systems and networks owners. After a 30 day comment period, the Secretary shall publish a final description of the rules and procedures. The description shall include–
(1) the rules and procedures on how the Federal Government will share cybersecurity threat and vulnerability information with private sector critical infrastructure information systems and networks owners;
(2) the criteria in which private sector owners of critical infrastructure information systems and networks shall share actionable cybersecurity threat and vulnerability information and relevant data with the Federal Government; and
(3) any other rule or procedure that will enhance the sharing of cybersecurity threat and vulnerability information between private sector owners of critical infrastructure information systems and networks and the Federal Government.
I very much want to see that wording thrashed out, and I’m not at all sure I can be completely satisfied with the result. On the one hand I understand the desire to have enough information about private networks to allow the government Cyber Security efforts to effectively function. On the other hand I fully sympathize with the concerns of the Electronic Frontier Foundation and other privacy advocates.
SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT.
Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology on the feasibility of–
(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and
(2) requiring cybersecurity to be a factor in all bond ratings.
Hmmm! Making implementation of cybersecurity a factor in limiting insurance costs… Don’t know how feasible it really will be (or whether the standards used as metrics can be made worthwhile), but it does get to the issue of motivating organizations to use the tools that are already available – and that they too often don’t use.
SEC. 16. LEGAL FRAMEWORK REVIEW AND REPORT.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the President, or the President’s designee, through an appropriate entity, shall complete a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States, including–
(1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
(2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
(3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759);
(4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
(5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.);
(7) any other Federal law bearing upon cyber-related activities; and
(8) any applicable Executive Order or agency rule, regulation, guideline.
(b) REPORT- Upon completion of the review, the President, or the President’s designee, shall submit a report to the Senate Committee on Commerce, Science, and Transportation, the House of Representatives Committee on Science and Technology, and other appropriate Congressional Committees containing the President’s, or the President’s designee’s, findings, conclusions, and recommendations.
A review of existing legislation on the topic of cybersecurity, including
SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT.
Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.
OK, here’s either some real meat or a perfect reason to dig a bunker – depending how paranoid you are (whether or not you are justified in being paranoid is a separate issue).
What this section is saying is that there will be a year to dwell on how and whether to create/support/impose a system which could reliably allow someone to identify themselves, and subsequently gain access to things they should have access to. There is no reason, for example, that you should deeply believe that I am really Chris Blask – I could as easily be an albino yak (not protected by the laws of my state) or an Albanian goatherd named Shep.
Herein lies both a rat’s nest of privacy concerns and fear of Government Monitoring. On the other hand, industry has completely failed to produce any sort of reliable identity system, and it may come down to the same folks who brought us Driver’s Licenses to make a system that works.
SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
The President–
(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include–
(A) a long-term vision of the Nation’s cybersecurity future; and
(B) a plan that encompasses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers;
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
(3) shall designate an agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration under paragraph (2);
(4) shall, through the appropriate department or agency, review equipment that would be needed after a cybersecurity attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment;
(5) shall direct the periodic mapping of Federal Government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process;
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
(7) shall, through the Office of Science and Technology Policy, direct an annual review of all Federal cyber technology research and development investments;
(8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture;
(9) shall, through the appropriate department or agency, promulgate rules for Federal professional responsibilities regarding cybersecurity, and shall provide to the Congress an annual report on Federal agency compliance with those rules;
(10) shall withhold additional compensation, direct corrective action for Federal personnel, or terminate a Federal contract in violation of Federal rules, and shall report any such action to the Congress in an unclassified format within 48 hours after taking any such action; and
(11) shall notify the Congress within 48 hours after providing a cyber-related certification of legality to a United States person.
OK, here is some touchy stuff.
Paragraphs 18(2) and 18(6) deal with extraordinary powers associated with a cyber attack. Specifically, the power to limit or shut down Internet traffic to and from, or to disconnect outright, any Federal Government or United States critical infrastructure network – which includes privately owned networks that have been designated part of the National Critical Infrastructure.
I have very very mixed feelings on this one. On the one hand, during a period of outright cyber warfare it could serve everyone well for someone somewhere to pull some plugs at the most optimal moments. On the other hand, there is no avoiding the defensible concern of Orwellian governmental action given this sort of power.
SEC. 19. QUADRENNIAL CYBER REVIEW.
(a) IN GENERAL- Beginning with 2013 and in every fourth year thereafter, the President, or the President’s designee, shall complete a review of the cyber posture of the United States, including an unclassified summary of roles, missions, accomplishments, plans, and programs. The review shall include a comprehensive examination of the cyber strategy, force structure, modernization plans, infrastructure, budget plan, the Nation’s ability to recover from a cyberemergency, and other elements of the cyber program and policies with a view toward determining and expressing the cyber strategy of the United States and establishing a revised cyber program for the next 4 years.
[snip – details of quadrennial review]
Full introspective report every four years.
SEC. 20. JOINT INTELLIGENCE THREAT ASSESSMENT.
The Director of National Intelligence and the Secretary of Commerce shall submit to the Congress an annual assessment of, and report on, cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructure.
Yearly look at who wants to make us dead by remote control.
SEC. 21. INTERNATIONAL NORMS AND CYBERSECURITY DETERRENCE MEASURES.
The President shall–
(1) work with representatives of foreign governments–
(A) to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity; and
(B) to encourage international cooperation in improving cybersecurity on a global basis; and
(2) provide an annual report to the Congress on the progress of international initiatives undertaken.
Work with other countries as much as possible (unspoken healthy level of paranoia duly noted).
SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD.
[snip – “The government will control the purchase of secure gear for its own use.”]
So, my issues with it are in Sections 6, 7, 14, 17 and 18. What are your thoughts?