Two U.S. senators are pushing a dramatic escalation of defenses against cyberattacks, crafting proposals to empower the government to set and enforce security standards for private industry in this area for the first time.
The Cybersecurity Act of 2009 (Senate Bill 778) would broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control essential services such as electricity and water distribution. The bill also would add regulatory teeth to ensure industry compliance with the rules.
A companion bill (Senate Bill 773) would establish an Office of the National Cybersecurity Advisor, which would take the lead on Internet security matters and coordinate with the intelligence community and the private sector.
Sens. John D. Rockefeller IV (D-WV) and Olympia Snowe (R-ME) coauthored the bills.
Government Overreach Concerns
The measures also would require cybersecurity professionals to be licensed and certified according to federally directed guidelines. A “cyberczar” would be vested with authority to shutter both public and private computer networks during a cyberattack, at the discretion of the president.
Given this amount of power, “There’s always a chance that the government will overreach,” said Betty Steele, an attorney who heads up the information privacy and security management group at the Banker Donaldson law firm in Memphis, Tennessee.
The legislation also would curtail innovation in the industry, as firms hold back in fear of government-imposed regulations, according to Al Gidari, chairman of the privacy and security group for the Seattle-based law firm Perkins Coie.
“Would Bill Gates have created Microsoft if he needed to have a license?” Gidari asked.
Proponents of the legislation warn of impending disaster if their suggestions aren’t followed.
“If we fail to take swift action, we, regrettably, risk a cyber Katrina,” Snowe said in a statement.
Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said mandatory standards long have been the “third rail of cybersecurity policy.” Dempsey said regulation could stifle creativity by forcing companies to adopt a uniform approach.
Senators Seeking Sound Bites
“I definitely agree with Mr. Dempsey,” said Brian Dykstra, a senior partner and co-owner of Jones Dykstra and Associates, an electronic evidence discovery and computer forensics company in Columbia, Maryland. “In all the computer intrusions I’ve responded to over the years, I’ve never seen two that were exactly the same, nor do I know of any certification that would have helped me respond better.
“This honestly sounds like the senators needed sound bites or campaign contributions from defense contractors who have a large portion of the government cybersecurity business and would like to expand into the private sector,” Dykstra added.
“Most of those same defense contractors also have extensive network security problems due to their close connectivity to the government and poor internal network security,” Dykstra said.
Makes Sense ‘In Theory’
Scott Testa, a technology expert who teaches marketing at St. Joseph’s University in Philadelphia, said the bills “in theory make a lot of sense, but in reality, this needs to be thought through.
“For the government to have the ability to shutter public and private computer networks would set a powerful precedent,” Testa said. “It would be very ‘martial-lawish.’”
Such a policy should be very carefully considered before being implemented, Testa said.
The idea of certification has supporters and critics on both sides of the issue. Steele said gaining a Certified Information Systems Security Professional (CISSP) certificate requires a network technician to reach a high level of expertise. “And a great deal goes into maintaining that certification,” she said.
But the government requirements may or may not include CISSP designation, depending on how the final rules are written. A government-sponsored certification may have little or no value, Gidari says.
“There are already a lot of private certifications,” Gidari said. “I don’t know that [government certification] would do anything constructive. You have to presume that the people who work on this every day know more about it than the government. This legislation is wrongheaded in a lot of different ways. It would codify insecurity.”
While at first glance a certification mandate would seem to ensure a level of expertise, it would have at best only fleeting value, Testa said.
“What’s not a threat now could be six months from now. Then what are they going to do, recertify everyone?” Testa asked.
“There are always new threats and new [security] solutions,” Gidari added. “The government would never be nimble enough to keep up with everything.”
Tacking on Costs
Another drawback to certification requirements, Gidari says, is the significant costs of testing and administering the status of “approved” security professionals.
The cost of auditing also would rise, pushing total costs even higher, Gidari said. He noted that security professionals who fail to provide adequate security are already weeded out by the free market, so government intervention and licensure is unnecessary.
Gidari also took exception to the comparison of cyberthreats to Katrina. While certainly damaging, the cyberthreats would be unlikely to cost lives as Katrina did.
“It’s a ridiculous analogy,” Gidari said. “The Internet was designed to work around failures. If part of it goes down, there’s still a way to get around.”
Centralizing security efforts would defeat that flexibility, according to Gidari.
“As soon as you [centralize security], you set yourself up for a Pearl Harbor strategy,” Gidari said. “Centralized security before World War II contributed to the disaster in Hawaii.”
Phil Britt writes from South Holland, Illinois.