New Cyber Security Bill: Crowdsource Analysis?
A lot of people I trust are suggesting that the “Collins-Lieberman” bill has a substantial chance of passing. I have some really interesting (and time-consuming) work tasks right now, and so I’m even more curious than usual what you all think, especially how this
According to the press release, the “Collins-Lieberman” bill would:
- The Department of Homeland Security (DHS) to assess the risks and vulnerabilities of critical infrastructure systems—whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life—to determine which should be required to meet a set of risk-based security standards. Owners/operators who think their systems were wrongly designated would have the right to appeal.
- DHS to work with the owners/operators of designated critical infrastructure to develop risk-based performance requirements, looking first to current standards or industry practices. If a sector is sufficiently secured, no new performance requirements would be developed or required to be met.
- The owners of a covered system to determine how best to meet the performance requirements and then verify that it was meeting them. A third-party assessor could also be used to verify compliance, or an owner could choose to self-certify compliance.
- Current industry regulators to continue to oversee their industry sectors.
- Information-sharing between and among the private sector and the federal government to share threats, incidents, best practices, and fixes, while maintaining civil liberties and privacy.
- DHS to consolidate its cybersecurity programs into a unified office called the National Center for Cybersecurity and Communications.
- The government to improve the security of federal civilian cyber networks through reform of the Federal Information Security Management Act.
Some of that, like risk-based security standards, sounds potentially tremendously positive. There are some clear risks, like DHS will make a best-practices table of risk management activity without any focus on outcomes, and then classify it.
Other bits, like information sharing, sounds worrisome, because the authors clearly know that there’s a risk of privacy and liberty impacts. It’s not clear what the data to be shared is. If that’s (for example) “Verisign has been pwned using a 3-year old Flash expliot” there’s minimal impact to liberty. (Of course, since they haven’t said anything, we don’t know how Verisign was owned.) If it’s “We suspect Kevin Mitnick, then that’s both less useful and more privacy impactful.
Stepping back, where should I look for analysis? Have you looked at the bill? What does it do for the New School pillars? As a reminder, those are:
- Learning from other professions, such as economics and psychology, to unlock the problems that stymie the information security field. The way forward cannot be found solely in mathematics or technology.
- Sharing objective data and analysis widely. A fetish for secrecy has held us back.
- The embrace of the scientific method for solving important problems. Analyzing real world outcomes is the best way for information security to become a mature discipline.
In other words, how New School is this bill?
Sen. John McCain (R, AZ) led a revolt of the Ranking Members of Senate committees that those members thought should have been allowed to hold hearings on this bill. REF:
http://commerce.senate.gov/public/?a=Files.Serve&File_id=91f25587-1514-4fac-a761-e3ba8d723e10
I attended the one hearing on the Lieberman/Collins/Rockefeller bill that was held last Thursday. Sen. McCain vowed to introduce an alternative bill. REF:
http://www.cio.com/article/700382/McCain_GOP_Vow_Alternative_Cybersecurity_Bill
The general sentiment seemed to be that if, somehow, this current bill made it out of the Senate, it would be killed in the House.
I have just started plowing through the 250 pages of this legislation, but it appears to be a mandate on the owners of critical-infrastructure-related IT systems to certify that they are doing what in fact no one knows how to do–protect their systems from a currently unknown and unpredictable attack (think: Stuxnet).
What security industry contributions I have seen have been beyond unhelpful.
http://www.rsa.com/innovation/docs/CISO-RPT-0112.pdf
says that the only answer is for cybersecurity to become a “core competency” of every organization in America. Of course, right now America is struggling with a financial services industry populated with institutions which have lost the “core competency” of banking and auto companies that have lost the “core competency” of making cars people will buy. But, somehow, they will all become infallible cybersecurity wizards too.
While you don’t expand on the idea in your body copy, the notion expressed in your title that looking for holes in America’s cyber defenses be “crowdsourced” has much to recommend it. Of course, we don’t want to present our adversaries with a suggested list of attacks, but some sort of “whistleblower” program might be appropriate to supplement the Cybersecurity Act of 2012’s mandate for owners of critical infrastructure to self-identify and self-certify.