A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this
According to the press release, the “Collins-Lieberman” bill would:
- The Department of Homeland Security (DHS) to assess the risks and vulnerabilities of critical infrastructure systems—whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life—to determine which should be required to meet a set of risk-based security standards. Owners/operators who think their systems were wrongly designated would have the right to appeal.
- DHS to work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements, looking first to current standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met.
- The owners of a covered system to determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance.
- Current industry regulators to continue to oversee their industry sectors.
- Information-sharing between and among the private sector and the federal government to share threats, incidents, best practices, and fixes, while maintaining civil liberties and privacy.
- DHS to consolidate its cybersecurity programs into a unified office called the National Center for Cybersecurity and Communications.
- The government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
Some of that, like risk-based security standards, sounds potentially tremendously positive. There are some clear risks, like DHS will make a best-practices table of risk management activity without any focus on outcomes, and then classify it.
Other bits, like information sharing, sounds worrisome, because the authors clearly know that there’s a risk of privacy and liberty impacts. It’s not clear what the data to be shared is. If that’s (for example) “Verisign has been pwned using a 3-year old Flash expliot” there’s minimal impact to liberty. (Of course, since they haven’t said anything, we don’t know how Verisign was owned.) If it’s “We suspect Kevin Mitnick, then that’s both less useful and more privacy impactful.
Stepping back, where should I look for analysis? Have you looked at the bill? What does it do for the New School pillars? As a reminder, those are:
- Learning from other professions, such as economics and psychology, to unlock the problems that stymie the information security field. The way forward cannot be found solely in mathematics or technology.
- Sharing objective data and analysis widely. A fetish for secrecy has held us back.
- The embrace of the scientific method for solving important problems. Analyzing real world outcomes is the best way for information security to become a mature discipline.
In other words, how New School is this bill?