A more detailed look at the proposed Cybersecurity Act of 2009

The Rockefeller-Snowe bill emerges from an environment of blind hysteria around cyber-security problems that has developed in recent months. Section 2 contains 150 lines of silly hyperventilating that exaggerate the threats and, more importantly, misconceive the nature of Internet-based threats and the best way to respond to them. The bill succumbs to the tendency to take a national, hierarchical and centralized approach to problems that are best met through the organic evolution of decentralized, flexible, adaptive and transnational, private sector-based cooperative solutions that leverage the peer production capabilities of the Internet.

Still, it is not as bad as it could have been. The bill does not directly turn over cybersecurity responsibilities to the NSA, nor does it completely centralize authority in a single government agency. Instead, it creates a Cyber-Czar in the White House and a multistakeholder “Cyber-security Advisory” panel appointed by the President.

Note that even Louis Freeh, former FBI head, has warned that the problem of cybersecurity “is too large and too complicated to relegate it into a typical bureaucratic or statutory pigeonhole.”

That being said, creating a centralized Czar and empowering the President with emergency powers does little to address problems such as botnets and viruses, which rely on the dispersion and decentralization of ICTs. That battle will really be fought in the marketplace by firms offering security products and services and by ICT professionals in Internet service providers and at the organizational and agency level.

I don't know whether this bill will get anywhere. While it is off-target, one must also understand that Washington is primarily about posturing. What matters to your typical congressperson is looking like you are doing something – and doling out cash to patrons – not making the Internet safer per se. In that regard, the bill has a lot going for it.

Here is a section-by-section review of the most outstanding parts of the proposed law. The bill:

* Creates an Office of the National Cybersecurity Advisor within the Executive Office, whose Advisor reports directly to the President. This is modelled after the US Trade Representative. It borders on the kind of centralization Freeh warned against, but at least it is not the NSA. (Section 1)

* Creates a Cyber-security Advisory panel appointed by the President. It will contain representatives of industry, academics, non-profit organizations, interest groups and advocacy organizations, and State and local governments. It issues reports and develops and seeks recommendations on cybersecurity strategy. (Section 3)

* Empowers the President to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network. (Section 18)

* In true Washington style, encourages and funds duplicative and unneeded bureaucracies in order to provide the appearance of bold action on a problem. Ignoring the existence of an extensive network of self-governing security professionals and CERTs around the world, the bill funds the formation of State and regional “Cybersecurity Centers,” a massive boondoggle for alert politicians, academics, political capitalists and anyone else who wishes to jump on the “cybersecurity” bandwagon. We saw this happen with other forms of “security” during the post-9/11 period and the formation of DHS. One Washington insider I know accurately labeled the post-9/11 Beltway security industry a “kleptocracy” comparable to that of Russia. (Section 5)

* Authorizes the National Institute of Standards and Technology (NIST) to establish measurable and auditable cybersecurity standards for the Federal government, government contractors, or grantees involved in critical infrastructure information systems and networks. This would include a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. This is one of the less-objectionable parts of the bill. It is an example of the kind of modest and targeted activity which might actually be useful. (Section 6)

* Establishes a mandatory licensing regime for “cybersecurity professionals.” So this new area of knowledge will become cartelized – which means more expensive, less open and less innovative. It is unclear what diagnosis led to this remedy. (Section 7)

* Entrenches the Commerce Department's IANA contract in the quagmire of “national security” discourse. The IANA contract grants a monopoly over the administration of a globally shared resource, the domain name system, to ICANN. NTIA cannot renew or modify the IANA contract until a Cybersecurity Advisory Panel appointed by the U.S. President reviews and approves whatever it does. The Panel must consider the commercial (i.e., to U.S. companies) and national (i.e., U.S.-only) security implications of any change. Note that this is a step back from the claim in Senator Rockefeller's press release that the bill would “make sure that ICANN does not succumb to foreign pressure.” (Section 8)

* Mandates the Commerce Department to “develop a strategy to implement a secure domain name addressing system” within three years. Huh? Commerce is already doing that; see the NTIA DNSSEC proceeding. And global acceptance of DNSSEC will depend not just on the U.S. but on other countries as well – a fact that the authors of this bill obviously don't grasp. (Section 9)

* Throws more money at the National Science Foundation to do more “computer and information science and engineering research” – when in fact both the causes of and the solutions to the security problems are mostly institutional, organizational, economic and political rather than technical in nature, and there is already a major spending program on computer science and engineering research in this area: the Cybersecurity Research and Development Act, passed in 2002.

* Throws more money at universities for security-related scholarships. Hey, we'll take more student scholarships, but we've been benefiting from a similar program for the past six years. More posturing.


3 comments

  1. Anonymous

    Friday, May 29th, 2009 at 10:00 am
    Securing Our Digital Future
    Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future:
    The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either.
    [1] http://www.whitehouse.gov/asset.aspx?AssetId=1732
    [2] http://www.whitehouse.gov/CyberReview/ (other links here as well)
    [3] http://www.whitehouse.gov/videos/2009/May/20090529_Cyber_Security.mp4

  2. Anonymous

    America is waking up and will pull in the fences on Cyberspace – as the Koreans Nuke each other
    Aliant, “Developing a Telecommunications Roadmap: Preparing for the promise of convergence” (undated) 342 K PDF
    American Chemistry Council, ChemITC, “Making Strides to Improve Cyber Security in the Chemical Sector,” 2009 Update, March 2009 94 K PDF
    Brecht, Lyle A., Capital Markets Research, “National Cyber Systems Infrastructure Security Review Concept Paper,” February 15, 2009 257 K PDF
    Business Executives for National Security, “Cyber Strategic Inquiry: Enabling Change Through a Strategic Simulation and Megacommunity Concept”, December 2008 604 K PDF
    Business Executives for National Security, “Cybersecurity Roundtable, March 19, 2009, City Club, Washington DC,” March 26, 2009 57 K PDF
    Business Software Alliance, “National Security & Homeland Security Councils Review of National Cyber Security Policy,” March 19, 2009 (cover letter) 713 K PDF
    Business Software Alliance, “National Security & Homeland Security Councils Review of National Cyber Security Policy,” March 19, 2009 47 K PDF
    Carnegie Mellon University, Lynn Robert Carter, “Computing Infrastructure Risk: Issue, Analysis, and Recommendation,” December 23, 2008 218 K PDF
    Carnegie Mellon CyLab, Pradeep Khosla, “Information Security for the Next Century: Why we need an information-centric approach to data protection” (undated) 194 K PDF
    Center for Applied Cybersecurity Research, Indiana University, Fred H. Cate, “Comments to the White House 60-Day Cybersecurity Review,” March 27, 2009 209 K PDF
    Center for Democracy and Technology, letter from Ari Schwartz and Gregory T. Nojeim, March 20, 2009 103 K PDF
    Center for National Security Studies, letter from Kate Martin, April 4, 2009 28 K PDF
    Office of the Director of National Intelligence, Joint Interagency Cyber Task Force, Steven R.Chabinsky, presentation entitled “Intrusion Detection and Prevention (What, Where, How and Who)” (undated) 40 K PDF
    American Chemistry Council, Christine Adams, untitled memorandum of the Chemical Sector Cyber Security Program’s responses to four questions from the White House 60-day Cyber Policy Review (undated) 33 K PDF
    Business Executives for National Security, “Commercial/Civil Cyber Community Snapshot” (undated) 4307 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Federal Cybersecurity Mission,” March 10, 2009 140 K PDF
    United States House of Representatives, hearing before the Permanent Select Committee on Intelligence, “Annual Threat Assessment” by Dennis C. Blair, Director of National Intelligence, February 25, 2009 168 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, Science and Technology, “Written Testimony of Scott Charney, Corporate Vice President, Microsoft Corporation’s Trustworthy Computing, ‘Securing America’s Cyber Future: Simplify, Organize and Act,’” March 10, 2009 567 K PDF
    United States House of Representatives, hearing before the Committee on Science and Technology, “Statement of Dr. Christopher L. Greer, Director, National Coordination Office for Networking and Information Technology Research and Development,” April 1, 2009 1967 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Testimony of Mary Ann Davidson, Chief Security Officer, Oracle Corporation,” March 10, 2009 31 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Statement of David Powner, Director, Information Technology Management Issues, United States Government Accountability Office, ‘National Cybersecurity Strategy: Key Improvements are Needed to Strengthen the Nation’s Posture,’” March 10, 2009 275 K PDF
    United States House of Representatives, Permanent Select Committee on Intelligence, “HPSCI White Paper on Cyber security,” December 10, 2008 45 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Statement of James A. Lewis, Center for Strategic and International Studies, ‘Reviewing the Federal Cybersecurity Mission,’” March 10, 2009 60 K PDF
    United States House of Representatives, hearing before the Committee on Transportation and Infrastructure, Subcommittee on Aviation, “Statement of The Honorable Calvin L. Scovel III, Inspector General, U.S. Department of Transportation, ‘Federal Aviation Administration: Actions Needed to Achieve Mid-term NextGen Goals,’” March 18, 2009 119 K PDF
    United States House of Representatives, hearing before the Committee on Transportation and Infrastructure, Subcommittee on Aviation, “Statement of James C. May, President and CEO, Air Transport Association of America, Inc., ‘Air Traffic Control Modernization and NextGen: Near-Term Achievable Goals,’” March 18, 2009 289 K PDF
    United States Senate, hearing before the Committee on Energy and Natural Resources, “Statement of Patricia Hoffman, Acting Assistant Secretary for Electricity Delivery and Energy Reliability, U.S. Department of Energy,” March 3, 2009 136 K PDF
    United States Senate, hearing before the Committee on Energy and Natural Resources “Testimony of Patrick D. Gallagher, Ph.D., Deputy Director, National Institute of Standards and Technology, United States Department of Commerce,” March 3, 2009 136 K PDF
    United States Senate, hearing before the Committee on Energy and Natural Resources, “Questions for Patrick Gallagher, National Institute of Standards and Technology,” March 3, 2009 118 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Statement for the Record of Seán P. McGurk, Director, Control Systems Security Program, National Cyber Security Division, National Protection and Programs Directorate, Department of Homeland Security,” March 24, 2009 20 K PDF
    United States House of Representatives, hearing before the Armed Services Committee, Subcommittee on Strategic Forces, “Statement of General Kevin P. Chilton, Commander, United States Strategic Command,” March 17, 2009 243 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Statement of Chairman Bennie G. Thompson, ‘Reviewing the Federal Cybersecurity Mission,’” March 10, 2009 29 K PDF
    United States Congress, Year 2000 Information and Readiness Disclosure Act, Public Law 105-271 53 K PDF
    United States House of Representatives, hearing before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, “Testimony of Amit Yoran, Netwitness Corporation, ‘Reviewing the Federal Cybersecurity Mission,’” March 10, 2009 179 K PDF
    Congressional Research Service, report by John Rollins and Anna C. Henning entitled “Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations,” March 10, 2009 237 K PDF
    Business Executives for National Security, “National Cybersecurity Center Policy Capture” (undated) 101 K PDF
    Business Executives for National Security, “National Cybersecurity Center Policy Capture” (undated) (graphic) 1504 K PDF
    Defense Advanced Research Projects Agency, “The National Cyber Range: A National Testbed for Critical Security Research” (undated) 1783 K PDF
    Davidson, Mary Ann, Oracle Corporation, “The Monroe Doctrine in Cyberspace”, March 2009 39 K PDF
    Department of Defense, “Defense Security Information Exchange (DSIE) A partnership for the Defense Industrial Base” (undated) 24 K PDF
    Electronic Frontier Foundation, letter from Lee Tien and Peter Eckersley (undated) 355 K PDF
    Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission, “Interagency Paper on Sound Practices To Strengthen the Resilience of the U.S. Financial System,” Federal Register, Volume 68, Number 70, April 18, 2003 149 K PDF
    Financial Services Information Sharing and Analysis Center, letter from William B. Nelson, March 23, 2009 175 K PDF
    Department of the Treasury, FSSCC/FBIIC Cyber Security Intelligence and Information Sharing Work Groups, “Roadmap for Improved Information Sharing: Situational Analysis and Recommendations for Action” (undated) 122 K PDF
    United States Government Accountability Office, David A. Powner, “Information Technology: Federal Laws, Regulations, and Mandatory Standards for Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors,” September 16, 2008 1018 K PDF
    Khater, Rami and Rachel Schaffer, Georgetown University, untitled memorandum, April 13, 2009 50 K PDF
    Gourley, Bob, Crucial Point LLC, “Open Source Software and Cyber Defense,” March 30, 2009 142 K PDF
    Gourley, Bob, Crucial Point LLC, “Cloud Computing and Cyber Defense,” March 21, 2009 39 K PDF
    National Coordination Office for Networking and Information Technology Research and Development, Sally E. Howe, presentation entitled “Workshop Deliverables: Roadmap, Hard Problems, and Report” at the HCSS-Sponsored National Workshop on Beyond SCADA: Networked Embedded Control for Cyber Physical Systems, November 8, 2008 755 K PDF
    Schneider, Fred B., and Birman, Kenneth P., Cornell University, “The Monoculture Risk put into Context,” IEEE Security & Privacy, January/February 2009 454 K PDF
    Intelligence and National Security Alliance, “Critical Issues for Cyber Assurance Policy Reform: An Industry Assessment,” March 26, 2009 433 K PDF
    Intelligence and National Security Alliance, “60 Day Cyber Study INSA Response,” March 26, 2009 268 K PDF
    Intelligence and National Security Alliance, “The Missing Link in U.S. Cybersecurity,” March 21, 2009 33 K PDF
    Internet Security Alliance, paper by Jeff Brown, Raytheon Company, entitled “A National Model for Cyber Protection Through Disrupting Attacker Command and Control Channels,” March 2009 122 K PDF
    Internet Security Alliance, paper by Larry Clinton entitled “Cyber-Insurance Metrics and Impact on Cyber-Security” (undated) 47 K PDF
    Internet Security Alliance, paper by Larry Clinton entitled “Cross cutting Issue #2 How Can we create public private partnerships that extend to action plans that work?” (undated) 29 K PDF
    Internet Security Alliance, paper by Sentar, Inc., “Position paper for Obama 60 Day review on Cyber Security: Utilization of Small Business (SBs) for Innovative Cyber Security Research and Development”, March 26, 2009 17 K PDF
    Internet Security Alliance, paper by Larry Clinton entitled “Issue Area 3: Norms of Behavior— Hathaway Questions” (undated) 51 K PDF
    Internet Security Alliance, paper by Scott Borg entitled “Securing the Supply Chain for Electronic Equipment: A Strategy and Framework” (undated) 31 K PDF
    Internet Security Alliance, “The Cyber Security Social Contract Policy Recommendations for the Obama Administration and 111th Congress: A Twenty-First Century Model for Protecting and Defending Critical Technology Systems and Information” (undated) 302 K PDF
    Internet Security Alliance, “The Economic and Security Costs of Obsolescent Computer Laws” March 24, 2009 93 K PDF
    Internet Security Alliance, “ISA Comments to Hathaway on creating an International Cyber Security Anchor Program” (undated) 21 K PDF
    Internet Security Alliance, “ISA Initial Comments on Hathaway 60-Day review – a top 10 list of Cyber Principles” (undated) 19 K PDF
    Information Systems Audit and Control Association, “IS Standards, Guidelines and Procedures for Auditing and Control Professionals,” January 15, 2009 1762 K PDF
    Information Technology Sector Coordinating Council and Communications Sector Coordinating Council, “Response to White House Cyber Review Questions,” March 20, 2009 174 K PDF
    Kellermann, Tom, Core Security Technologies, “Proactive Public Policy per Cybersecurity,” March 18, 2009 28 K PDF
    Kellermann, Tom, Core Security Technologies, “Red teaming idea in detail,” March 11, 2009 11 K PDF
    National Association of State Chief Information Officers, NASCIO State CIO-CISO Cybersecurity Priorities Survey Summary, March 3, 2009 50 K PDF
    National Cyber Forensics & Training Alliance and Cyber Initiative & Resource Fusion Unit, “Cyber Fusion Center, Pittsburgh, PA: Executive Briefing” (undated) 3202 K PDF
    National Cyber Security Alliance and Symantec, “NCSA-Symantec National Cyber Security Awareness Study: Newsworthy Analysis,” October 2008 1009 K PDF
    Harris Interactive, “Online Security and Privacy Study”, conducted on behalf of Microsoft and the National Cyber Security Alliance, March 2009 233 K PDF
    National Cyber Security Alliance, “National Cyber Security Alliance in Brief” (undated) 122 K PDF
    National Science Foundation, “Responses to Questions Posed by Ms. Melissa Hathaway During Her Presentation at the National Science Foundation on March 18, 2009,” March 31, 2009 128 K PDF
    National Science Foundation, “Notes for White House 60-day Cyber-Policy Review,” March 25, 2009 151 K PDF
    National Science Foundation, “NSF Security Program Overview,” March 26, 2009 3290 K PDF
    United States House of Representatives, hearing before the Committee on Transportation and Infrastructure, Subcommittee on Aviation, “Statement of The Honorable Calvin L. Scovel III, Inspector General, U.S. Department of Transportation, ‘Federal Aviation Administration: Actions Needed to Achieve Mid-term NextGen Goals,’” March 18, 2009 113 K PDF
    Networking and Information Technology Research and Development Program, High Confidence Software and Systems Coordinating Group, “High-Confidence Medical Devices: Cyber-Physical Systems for 21st Century Health Care,” February 2009 3290 K PDF
    National Security Telecommunications Advisory Committee, “NSTAC Response to the Sixty-Day Cyber Study Group,” March 12, 2009 190 K PDF
    Pederson, Perry, Wurldtech Labs, “Project Aurora and the Smart Grid” (undated) 491 K PDF
    Raduege, Harry D., Jr., “Evolving Cybersecurity Faces a New Dawn,” SIGNAL Magazine, December 2008 115 K PDF
    Raduege, Harry D., Jr., “Future Defense Department Cybersecurity Builds on the Past,” SIGNAL Magazine, February 08 116 K PDF
    Center for Education and Research in Information Assurance and Security, Purdue University, presentation by Eugene Spafford entitled “NITRD Strategic Plan Forum,” February 2009 778 K PDF
    Spoonamore, Stephen and Ronald L. Krutz, “Smart Grid and Cyber Challenges: National Security Risks and Concerns of Smart Grid”, March 2009 174 K PDF
    TechAmerica, “TechAmerica Response to 60-Day Cyber Security Review,” March 2009 202 K PDF
    Trevithick, Paul, William Coleman, John Clippinger, and Kim Taipale, “Identity and Resilience” (undated) 43 K PDF
    SANS Institute, “The United States Cyber Challenge,” May 8, 2009 174 K PDF
    Department of the Treasury, memorandum regarding 60-day cyber review questions (undated) 50 K PDF
    Department of the Treasury, “2008 Update to Banking and Finance Sector-Specific Plan: Appendix B: Statutory Authorities” (undated) 331 K PDF
    Department of the Treasury, “2008 Update to Banking and Finance Sector-Specific Plan: Sector Profile and Goals” (undated) 65 K PDF
    United States Secret Service, memorandum entitled “Electronic Crime task Forces (ECTF)” (undated) 18 K PDF
    U.S. Chamber of Commerce, letter from Ann Beauchesne, March 27, 2009 176 K PDF
    Information Technology Information Sharing and Analysis Center, letter from Brian Willis, February 27, 2009

  3. Anonymous

    Paul Vixie, one of the most vocal and narrow minds on the planet, finally throws in the towel on the old DNS. Will he be turning off his root servers and giving up his multi-million dollar non-profit gigs?
    http://ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00989.html
    “we have to start a transition away from UDP/53 (which is not upgradeable in place due to many failings including reliance on IP fragmentation) and TCP/53 (which is too fragile to be relied upon for queries, even as a fallback). i don't think we should exert more energy on these two transports now that we know what the problems really are. let's consider SCTP.”