Senate could move cybersecurity from DHS to a cabinet-level post
One reason the US federal government may feel less and less secure about its technology is that there is no federal standard, maintained by the executive branch and mandated from the highest level, dictating what "security" should actually be. This according to Sen. Jay Rockefeller (D - W.V.), who last week joined with Sen. Olympia Snowe (R - Me.) in the first stage of drafting legislation that would separate the whole issue of cybersecurity from the Dept. of Homeland Security, creating a separate office whose leader reports to Pres. Obama.
"At the risk of sounding alarmist, I know the threats we face. Our enemies are real, they are sophisticated, they are determined and they will not rest," stated Sen. Rockefeller in his opening statement, in hearings on the cybersecurity topic last Thursday before the Commerce Committee which he chairs. "I do not believe it is only the job of the Intelligence Committee or our national security and defense agencies to protect us from the threats we face. This committee can and must play a very proactive role in keeping Americans safe. Let me be very clear: I will not wait for a crisis to take action now. Today's economic climate simply does not allow room for error."
Later, the Chairman went on to remark -- as first quoted by Precursor blogger Scott Cleland -- "It almost makes you ask the question, 'Would it have been better if we hadn't invented the Internet?'"
One of the witnesses at last Thursday's hearing was the highly regarded Purdue University professor Gene Spafford, known not only for having founded one of the world's first university research centers in computer security, but also for having coined the phrase "clouds" with respect to distributed operating environments. "Spaf" too began part of his statement to Congress by noting the risk of sounding alarmist, but then he rang a very loud alarm of his own, pointing out once again that free market forces aren't always reliable in creating security standards.
"Society has placed too much reliance on marketplace forces to develop solutions," stated Prof. Spafford. "This strategy has failed, in large part, because the traditional incentive structures have not been present: there is no liability for poor quality, and there is no overt penalty for continuing to use faulty products. In particular, there is a continuing pressure to maintain legacy systems and compatibility rather than replace components with deficient security. The result is a lack of reward in the marketplace for vendors with new, more trustworthy, but more expensive products."
Spaf went on to repeat an oft-heard complaint (from him) that the software industry is becoming too reliant upon regular patches rather than improved architecture. But while he was saying that, what may have been turning over in Sen. Rockefeller's mind was the notion that market forces may be failing at providing security. (During the last term, Rockefeller chaired the Senate Intelligence Committee.)
According to a National Journal report on Friday, Rockefeller's and Snowe's legislation (yet to be formally introduced on the Senate floor) would create the office of the National Cybersecurity Advisor, who would be responsible for crafting a national computer and network security strategy separate from the intelligence, justice, and homeland security branches of government. The private sector would be engaged to form a panel, probably to contribute to a quadrennial review of the state of the nation's computer security.
But the government itself would be responsible for licensing and certifying security professionals, especially those worthy of working for the government itself, using a new system of standards that might conceivably trump those presently dispensed by private companies such as Cisco, and by international independent bodies such as (ISC)2.
A quadrennial review of standards may be necessary because, as Prof. Spafford pointed out, what it means to be "secure" in computing changes very rapidly: "There is a misperception that security is a set of problems that can be 'solved' in a static sense. That is not correct, because the systems are continuing to change, and we are always facing new adversaries who are learning from their experiences. Security is dynamic and changing, and we will continue to face new challenges. Thus, protection is something that we will need to continue to evolve and pursue."
During Thursday's hearing, Sen. Bill Nelson (D - Fla.) -- who also served on the Intelligence Committee with Rockefeller, and before that as a one-time payload specialist aboard the Space Shuttle -- revealed, perhaps for the first time, that for the third time in the last month his office's computers had been the target of a direct attack believed to have emanated from China. The fact that Sen. Nelson revealed the news there, as Prof. Spafford reports on his blog, may have triggered an incident-response exercise.
As currently drafted, the new legislation would create state and regional cybersecurity centers that would give SMBs direct government points of contact, sparing them the hassle of always dealing at the national level... or, more likely, the temptation to avoid contacting any government department whatsoever.
But the most controversial portion of the bill is very likely the most obvious portion: yet another government "Czar" who answers to the President rather than to another department-level official. Debate over the bill will likely center on whether every major problem lawmakers presently face -- cybersecurity being just one of them -- can be addressed by bypassing established chains of command. Just how many czars can a president juggle all at once?