Even More Security Pros Discuss US Cybersecurity Laws
In the third entry in a series on the subject of current U.S. cybersecurity legislation, CIO.com blogger Constantine von Hoffman asks experts from Bat Blue Networks, Foreground Security, Sensage and AlgoSec for their takes on the laws.
By Constantine von Hoffman, CIO
American essayist H.L. Mencken once wrote, “A national political campaign is better than the best circus ever heard of, with a mass baptism and a couple of hangings thrown in.”
The current political drama playing out in the United States is proving no exception; the sheer idiocy of each week is topped only by the following week’s events. Topping Rep. Akin’s recent comments is going to take a lot of work, though.
That being the case, it is no surprise that most of the other issues of significance have either been kicked to the side of the road or demagogued into utter nonsense. One of those forgotten issues: Protecting the nation’s critical IT infrastructure, which is currently about as secure as a mountain of Oreos after a legalize pot rally.
Congress left town without taking action on any of the proposed national cybersecurity bills put before it. (Go here, here, here and/or here for more information about the cybersecurity laws proposed in the latest Congressional session.) The elected amateurs failed to take action; here are some thoughts from some security professionals.
Babak Pasdar, president and CEO, Bat Blue Networks:
“The main concern and challenge with the S.2105 Cybersecurity Bill of 2012 are with Sections 703 and 704. Though I like the idea of CyberSecurity Exchanges as defined in Sections 703 and 704, there are two challenges.
“First, these cybersecurity exchanges would be government-run entities and that is sure to draw the likes of the FBI and NSA into the exchanges’ day-to-day operations with or without their knowledge. The language is vague enough to set the foundation for government engagement with major backbone providers.
“The industry has an inherent lack of trust in both the Government and major backbone providers, who have a proven track record of illegal wiretapping (I reference the 2008 warrantless wiretap immunity bill). In support of this concern, we have seen major providers such as Level 3 start to implement wiretapping language in all of their agreements, including for non-Internet private corporate communications.
“It would be far better to hand such a function to the service provider communities themselves rather than as a vague government function. Organizations such as NANOG (North American Network Operators Group) are far better suited to competently and cost-effectively handle such functions in a communal and fair manner.
“Second, regarding Section 704, this section is also too far-reaching. A better solution would be to voluntarily provide anonymized and sanitized threat data that is standards-based and that organizations can turn on as a feature in their Threat Management tools.
“Keep in mind that information sharing with regard to threats, a major focus of this bill, will only be effective with known vulnerabilities. The industry has seen a significant rise in zero-day threats, which are either not identified with current tool sets or identified only behaviorally. Sharing behavioral data is far more complex and could impact an organization’s privacy and competitive advantages.”
Anthony Bargar, EVP for cyber security solutions, Foreground Security:
“My recommendations for national cyber security legislation are first that it provide a clear and definitive description of what constitutes an ‘act of war’ in cyberspace. This identifies which cyber actions threatening national security might merit a response in kind. It would include guidance on a U.S. deterrence strategy in cyberspace. It would need to determine what the U.S. will say publicly to deter national security-level cyber-attacks. This means policymakers will have to deal with a key issue: Would the U.S. accept having other countries implement these same kinds of provisions, and are we willing to abide by them?
“Second, the legislation should cover National Identity and Access Management for critical infrastructure owners and operators. This would require a standard identity and access management baseline across all public and private critical infrastructure sectors. This would make for easier information sharing, shared encryption standards and access control. Some work has already been done on this by the National Institutes of Science in its National Strategy for Trusted Identities in Cyberspace. However, this document is just a start and could be expanded for critical infrastructure owners and operators.
“Third, there need to be incentives promoting and rewarding organizations which practice good ‘cyber-hygiene.’ This could be similar to the tax credits and other incentives already in place to save the environment. Policymakers can consider incentives regarding substantive security investments and achievement; this would need a mechanism to measure and report, but is very doable.”
Sam Erdheim, senior security strategist, AlgoSec:
“The Cybersecurity act has a lot more good than bad to it, and was knocked down mostly due to political reasons, not technical issues. Since businesses (and their lobbyists) expressed concern about the costs of adhering to the bill, I think the bill should focus more on mechanisms for information sharing between breached organizations and less on specific security infrastructure that needs to be put in place. This would not only make the critical infrastructure industry less susceptible to attacks, but would also increase the chance of getting the bill approved.”
Joe Gottlieb, president and CEO of Sensage:
“The key is to look at other legislation that has worked well and stood the test of time. The pattern of successful legislation seems to be principled legislation that may be interpreted/adapted to new developments. They also need a system of checks and balances that ensures that the applications of the law, and how it is obeyed, are achieving the goal (e.g., food labeling, accounting audits). Finally, there must be a mandate that industry practices are being applied (e.g., the new SEC guidelines on breach risk require this). Necessary to industry practices is the concept of automation, and where it is possible. If it is expected that organizations must adopt legislation, clearly issuing what can and can’t be automated (defenses and monitoring/reporting) will help identify areas of streamlining.
“In addition, you need to mandate key metrics by providing a set of specific user and asset metrics that must be measured consistently. This will ensure the right data is being collected and baselines are understood over time. This is particularly critical in those areas where centralization is mandated (the Trusted Internet Connections (TIC) initiative, IDS, cyber ops centers).”