PROPOSED BILL: CYBERSECURITY ACT OF 2009 (SB773)
By John 'J' Trinckes
How the President of the United States Can Control the Internet

As if the government doesn't control enough in our lives, a new bill was introduced in the Senate on April 1, 2009 that essentially gives full control of the Internet to the President of the United States. As of this writing, the bill is in the Commerce, Science, and Transportation Committee. The bill's short title is the "Cybersecurity Act of 2009", and its stated purpose is: "to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes."

I don't know about you, but I always get nervous with an open-ended statement like "for other purposes". So let's take a look at this proposal and break down the real intent of this bill, shall we?

The act designates a Cybersecurity Advisory Panel to the President. Although I may not totally disagree with this endeavor, and I feel that the President needs to be educated as much as possible on security threats, especially those that come from cyberspace, I'm not convinced that there will be real experts in the field on the panel; rather, it looks like another way for the government to "throw bones" to friends and family members.

The act continues with the development of a real-time cybersecurity dashboard under the responsibility of the Secretary of Commerce. As a security expert working in the field, I've never before seen the Secretary of Commerce deal with cybersecurity-related items.
Most of the time, security is synonymous with the Department of Homeland Security or the National Security Agency. Other executive departments and agencies (FBI, CIA, etc.) normally have responsibility over their own security matters. Besides this, there is already a National Vulnerability Database in place to track cybersecurity-related threats.

No act would be complete without the government spending more money, and this one is no different. The Cybersecurity Act of 2009 will create and support Cybersecurity Centers (again, run by the Secretary of Commerce). "The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in [the] United States through:" transfer of cybersecurity knowledge; participation from industry, universities, state governments, federal agencies, and the National Institute of Standards and Technology (NIST); efforts to make cybersecurity software and hardware usable by small- and medium-sized businesses; active dissemination of information; utilization of federal laboratories; and short-term loans to small businesses (defined as a business having fewer than 100 employees) for advanced cybersecurity countermeasures.

The act designates financial support not to exceed 50% of annual operating and maintenance costs for the non-profit organization(s) running the centers. I'm not sure where the funding for the other 50% is going to come from. I'm assuming, which I hate to do, that it would come from donations and the interest earned on the short-term loans. There is going to have to be some basis for revenue to continue operation of these centers in order for them to survive and accomplish their goals. (I guess they could always ask for a bail-out if they don't succeed.)

Of course we will need standards, and the act will require critical infrastructure systems to follow the NIST standards.
To make sure that departments (or companies) handling critical infrastructure systems comply with these standards, the Director of NIST shall "enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors, and shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section."

I have a couple of issues here. First, I'm not sure what "periodically" means. Is this annually? Semi-annually? Bi-annually? I hate laws that are vague and open to interpretation. If the government wants compliance, it should be specific about when it wants it. Second, I'm not sure what type of enforcement authority the Director will have. Will he or she issue fines or other penalties to force compliance?

Section 7 will have a direct effect on me and my livelihood. This section introduces licensing and certification requirements for cybersecurity professionals. As if I didn't have enough certifications, education, and real-world experience dealing with cybersecurity matters already (see my bio below), now I'll have to get approval from the government and pay a "fee" to continue to work. I'm not opposed to demonstrating my abilities and providing credentials to my clients to assure them that I know what I'm talking about when it comes to information security, but now I'll have to pay another fee to show it as well. It will be interesting to see what type of licensing, certification, and periodic recertification program will be required, since it is left up to the Secretary of Commerce to develop and coordinate. (Do doctors and lawyers have national licensing?)
Furthermore, since "cybersecurity services" and "critical infrastructure information systems" are not specifically defined in the act (which we will discuss in a moment), it will be interesting to see how this all works out. In addition, the act doesn't specify whether violating these requirements will be a misdemeanor or a felony, and it doesn't list any sanctions such as imprisonment or fines. Maybe it will fall under practicing cybersecurity-related activity without a license? And then what will be defined as cybersecurity-related activity in the scope of this new act?

As a point of reference, the commonly accepted definition of cybersecurity is "measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack." (Source: Merriam-Webster.com) Another definition of cybersecurity is "the protection of data and systems in networks that are connected to the internet. See information security." (Source: PCMag.com) So if you are installing or updating your anti-virus software, I guess you could be found guilty of practicing cybersecurity-related activity without a license.

In Section 14, we find that the act establishes a public-private clearinghouse under the Department of Commerce. (Again, why we are seeing so many of these security-related items under Commerce is beyond me.) This one should surely get you: "The Secretary of Commerce ... shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access." Say what? Without regard to any provision of law... any relevant data... (Of course, "relevant data" is, again, not defined here.) I thought this country was built on laws?

This brings us to the main point of this article. The act does not specifically define critical infrastructure systems; suffice it to say that the President (or his designee) can define them in any form he wants.
If he goes by the earlier Presidential Decision Directive 63 (PDD-63), critical infrastructure systems are those systems that are crucial for survival. The critical infrastructure of the U.S. is telecommunications, energy, banking and finance, transportation, water systems, and emergency services, among others.

*PDD-63 (Presidential Decision Directive 63): an order by President Clinton on May 22, 1998 to define U.S. federal government policies on critical infrastructure protection. PDD-63 is the foundation document for the creation of the National Infrastructure Protection Center (NIPC), the United States Computer Emergency Readiness Team (US-CERT), and other organizations devoted to protecting the nation's crucial industrial and financial base.

There is a reference to what constitutes a critical infrastructure information system and network in a quote supplied as a basis for the act: "According to the February 2003 National Strategy to Secure Cyberspace, 'our nation's critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system--the control system of our country' and that 'the cornerstone of America's cyberspace security strategy is and will remain a public-private partnership.'"

This pretty much covers everything, but if the President (or his designee) expands the definition, it could include any and all systems connected in some form or fashion to the Internet. Here is the kicker.
Section 18 of the act gives the President the authority to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network." It further provides that the President can "order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security." Unfortunately, the act does not define what constitutes a cybersecurity emergency. In addition, the part about national security is also rather vague.

So, ladies and gentlemen, how does the President of the United States control the Internet? Just have the Cybersecurity Act of 2009 pass as written.

"This is just one of those reasons why I hate stupid people."

© 2009 John 'J' Trinckes - All Rights Reserved

John 'J' Trinckes, Jr. (CISSP, CISM, CEH, NSA-IAM/IEM, MCSE-NT, A+)
John ("Jay") is a Senior Information Security Consultant and former law enforcement officer. Jay is the author of a new book, "The Executive MBA in Information Security", published by CRC Press, Taylor & Francis Group, an Auerbach Book, due out in October 2009. Jay holds a Bachelor's Degree in Business Administration/Management Information Systems from the Union Institute and University and has been a member of numerous security industry associations such as the FBI's InfraGard®, the Information Systems Security Association (ISSA), the International Association of Technology Professionals (IATP), the Information Systems Audit and Control Association (ISACA®), and the International Information Systems Security Certification Consortium ((ISC)²). When Jay isn't working, he likes to spend his spare time with his family and friends.
May 23, 2009
NewsWithViews.com
E-Mail: hitechpo@windstream.net
Posted by Britannia Radio at 22:08