
Amid calls for a comprehensive national strategy on cyber security, as well as stronger government leadership to ensure that security initiatives are implemented effectively, Sen. John D. Rockefeller IV and Sen. Olympia Snowe proposed a sweeping piece of legislation to address this significant and growing threat to the United States. This legislation comes in the wake of attacks on the Pentagon late last year and in the shadow of recent news of massive cyber espionage efforts spanning over 100 countries.
The following represent the major provisions of the proposed legislation at this time. Everyone should expect changes to be made as it works its way through the legislative process.
- Legislation proposed by Senator John D. Rockefeller IV and Senator Olympia Snowe calls for the establishment of an Office of the National Cyber Security Advisor that would take the lead on Internet security matters and coordinate with the Defense Department, intelligence community and the private sector.
- The proposed legislation calls for the creation of a Cyber Security Advisory Panel that is composed of outside experts from industry, academia, and nonprofit groups that would advise the president on related matters.
- The proposed legislation calls for the creation of a public/private clearinghouse for sharing cyber threat and vulnerability information, and for the establishment of measurable and auditable cyber security standards by the National Institute of Standards and Technology.
- The proposed legislation would also require that cyber security professionals be licensed and certified.
- The proposed legislation would also require that the Cyber Security Adviser conduct a review of the U.S. cyber security program every four years and require officials to complete a number of reviews and reports.
- The proposed legislation calls for the creation of state and regional cyber security centers to help small and midsize businesses adopt security measures.
- The proposed legislation would establish a Secure Products and Services Acquisitions Board that would review and approve the security and integrity of products purchased by the federal government.
- The proposed legislation would require government and private sector networks that control the critical infrastructure to comply with a set of cyber security standards established by the National Institute of Standards and Technology (NIST).
This legislation is past due! Report after report has highlighted the increased complexity and frequency of cyber attacks on business, government and our critical infrastructure. Delays in pushing this legislation through could have serious consequences. So time is of the essence in preparing for the passage and enactment of this legislation.
I offer the following recommendation for consideration in order to strengthen the proposed legislation. The legislation as it stands does not address mandatory reporting requirements of cyber security breaches, data and information theft and other cyber security related issues. If we are to track our progress, learn from these events and rapidly identify new cyber threats, mandatory reporting within 24 hours of discovery is critical. Another area of concern is training. While the proposed legislation touches on training, it does not specifically address continuing education. Cyber attack techniques and criminal scams are highly dynamic and rapidly evolving.
These factors combine to make continuing education necessary to stay aware of the latest developments in cyber security. A third concern rests in the area of testing, validation and verification of hardware and software. While this is not specifically addressed, it may be bundled into support and funding for research and development of the new validation and verification capabilities that are needed to mitigate this threat. The visibility of this issue has risen significantly after Alex Allan, Chairman of the British Joint Intelligence Committee, expressed his growing concern that government departments, the intelligence services and the military were all exposed to threats from computer and network hardware that came from foreign suppliers (citing the new BT Telecom network).
Finally, I was disappointed the legislation did not address an appointee to coordinate and push for an international accord that establishes open cooperation during investigations of cyber attacks and crime and also to stem the development of strategic cyber weapons.
While the devil is in the details, I think the proposed legislation modified to include the four areas identified above is a huge step in securing our nation against cyber threats. And while the proposed legislation is mainly reactive, proactive measures can go a long way to reducing risks.


ohwilleke
GREAT POINT — that supports my recommendation that continuing education is required. Cyber Security Intelligence is the best defense. Knowing something is coming or likely to come gives you the ability to reinforce your defenses.
Kevin, my point is that many very good cyber security professionals have irregular education and training, and sometimes patchy (even criminal) backgrounds. For example, for at least a decade, the industry pay for computer professionals was so high that many of the best are college dropouts with little or no formal credentialing. Many have never even taken classroom instruction in computer technology, even though others have specialized PhDs in the subject. And, it is not obvious that the PhDs are the more qualified workers in the field.
Licensing and certification would exclude many qualified people from the profession, while not necessarily improving standards for those who remain. Licensing and certification requirements presume that government regulators know what a cyber security professional needs to know — but they don’t.
Indeed, there isn’t even a strong consensus on who really is a cyber security professional. Does that include a small business LAN expert who handles the password protections and firewall for the business? What if the small business is a multi-billion dollar hedge fund? Are ISP managers who supervise computer experts charged with spam control cyber security professionals? Are telephone techs cyber security professionals? What if they do wiretap work for police departments?
Also, to the extent that one is discussing cyber security professionals working for government contractors, there is already backdoor regulation for “inside job” compromise threats through the established security clearance system, although even this minimal regulation has a negative distortion effect giving undue preference to those who already have security clearances from prior employment, even if they aren’t the most qualified, because of the cost and delay involved.
Cut the bureaucracy alone to Fund this
Combine like agencies etc into 1.
Place within estd AF CyberCommand.
Maybe the Cyberspace Panel for the WH.
But merge the rest, save time & money.
& expand to US Emb in China alone or Taiwan.
Prior cyberstrikes came from China.
We don't need More Govt, we need Less & More Efficient at that esp for DoD.
I have to agree with Ohwilleke here. A licensed and certified professional in the IT industry usually means someone with a lot of paper from a school somewhere that basically doesn’t even know a SYN from an ACK. Don’t get me wrong, there are lots of guys with lots of paper that know what they are doing, but they either got it cause the business unit wanted to look kewl (That’s me) or got it and then got lots of experience. The paper itself means nothing.
I know guys that just got their MCSE or A+ and I am not sure they are qualified to work on my helpdesk, and these are exams written by IT companies; do we think the govt. can do a better job?
I am not sure I even want the govt. writing rules about what to do and not do. I have found that most times rules just end up breeding some new unknown weak point in the system. We use best practices and try to follow them, but even they tend to make people think they are rules.
I agree, the training would need to be continuous because the threat is always evolving. Just look at the anti-virus game.
A virus is written to exploit a hole in the operating system. The operating system is patched, and the anti-virus is updated to look for the threat. The virus is updated to look different, or attack a different hole in the OS. Again, the hole is patched, anti-virus is updated. And on and on…
It is for all intents and purposes an arms race. The bad guys attack with a new “weapon”, the good guys update their defense and close the holes, the bad guys create something new.
Most current computer industry training is very linear. They teach you the basics of the OS or software product. They teach you how to use the wizards, or if you have done steps one, two and three, your network should be protected. Many admins do not even go back and recheck servers after they are up and running. They are too busy fighting fires all day.
The hackers are successful, because they think “out of the box”. They do not follow checklists, or established rules. They have the time to spend to find the hole in your system.
Those involved in cyber security would need to be as active in upgrading their skill sets as the hackers are. We as a nation need to be in the forefront of this arms race. Staying static in this game will find us falling behind and becoming more of a target.
Well Mr. Coleman, you really made an ass out of Rob Rosenberger of Vmyths !!!! You were dead on target and he, of course, slammed you on his blog. You would think he would be professional enough to say he was wrong. OH, wait a minute — he is not a professional!!! True professionals admit when they are wrong. I have followed your blog for over a year now and I must say you are RIGHT about cyber warfare/terrorism far more than anyone should be who is not on the inside. SO you must be connected. KEEP UP THE GREAT WORK!!!
Thanks Bradley
We had better be careful with this one. Giving control of the internet to our government puts us in the same league as Iran and N. Korea. Let’s not forget how Iran used that control after their last election.