Last Updated: 2009-04-06 18:33:01 UTC
by Johannes Ullrich (Version: 1)
You may have heard in the news about the "Cyber Security Act of 2009", or the "Rockefeller-Snowe legislation". The news actually relates to two proposed laws, which are currently in their draft stage. A lot can and will change before they are passed, if they are ever passed. But I believe that as infosec professionals, we do have a duty to stay in the loop on these laws and chime in if we see something that doesn't quite sound right. So here comes a quick review from someone who has little insight into politics.
The first law establishes the position of "National Cybersecurity Advisor". This person would advise the president directly about cyber security. Similar to the national security advisor, he would report directly to the president. Of course, the president may just decide not to listen. But the bill also requires that this advisor controls the cyber security budget. So there is some real "bite" added to the "bark". Many have asked for a position like this. Until now, cyber security has been "hidden" deep inside the Department of Homeland Security, and the position had notorious issues attracting candidates. It was vacant for a long time, in part because there was little budget control associated with it.
The really interesting part is the second proposed bill, the actual "Cyber Security Act of 2009". I think it starts out with a good concept. The president will appoint a "Cybersecurity Advisory Panel", which will be composed of representatives from industry, government, non-profits and other stakeholders. The idea is to find people with a clue to propose and review solutions. The panel will also issue reports on how we are doing with respect to cyber security and what could be done better.
Next in line is a rather practical proposal: a cyber security dashboard. Kind of like the one every CISO would like to have, but this time for the federal networks. The Department of Commerce (DoC) would be in charge of this panel. One thing I noticed is that the Department of Commerce is put in charge of a lot of things here. Homeland Security almost never shows up. This is interesting. Traditionally, the DoC was very involved in the creation and management of the Internet (we will get to that later in more detail). And I actually like a lot of the security related standards DoC came up with over the years. Homeland Security currently runs US-CERT, but overall has played a more reactive role and never had much success in setting standards. Probably in part due to the personnel situation.
The next part asks the federal government to establish local and state cybersecurity centers. The federal government would provide assistance and funding to such centers. The bill contains a lot of details about these centers. In short: they would get the word out. These centers would help businesses with the implementation of security standards. They would even offer loans to purchase software and equipment. This sounds a bit like the Small Business Administration, which assists small businesses around the country. One problem I can see is that this may overlap and conflict with other efforts put forward by local and state governments. I just hope they will all work together. The bill provides for such a collaboration.
And finally the DoC shows up again with NIST, the National Institute of Standards and Technology. I almost ended up working for them out of college on a project to establish a new method to define the kilogram. Well, times change. NIST is not only working on meters and kilograms. Cybersecurity is another important field in which to set standards, and NIST is tasked to set them. The list of standards is long and includes software security as well as a standard vulnerability specification language. The bill suggests considering international standards.
Section 7 is the one that caught a lot of attention: the bill requires that within only one year, a licensing program should be established, and 3 years later, everybody involved in cyber security for the federal government or in "critical infrastructure networks" has to be certified. That is a very short time! Not many details here. But DoC is in charge again.
Section 8 gets to the meat of why DoC is in charge: DoC still owns the root zone! This is not widely known. But ICANN operates the root zone (and with it IANA) under a contract with DoC. This section states that all changes to the contract between DoC and ICANN have to consider cyber security. At the time the contract is up for renewal, DoC could add certain cybersecurity requirements.
The bill continues with the domain name system. The next section requires the implementation of a secure domain name addressing scheme. The plan for it has to be ready within 3 years. This sounds like mandating DNSSEC, but DNSSEC is not mentioned by name so DoC could come up with something new and better.
Section 10 requires DoC to establish a national cyber awareness campaign. Certainly not a bad idea. We'll have to see what they come up with. I see cybersecurity posters and TV ads in the future.
The National Science Foundation (NSF) will be in charge of a large cybersecurity research program. Again, a lot of details here and even dollar amounts. I have no idea if these amounts are reasonable. The money would be disbursed as research grants. NSF has a lot of experience with this and is certainly the right place to manage a project like this. It is interesting to note that software security is again prominently mentioned.
NSF will also be in charge of a "Scholarship for Service" program. A similar program already exists. The federal government will pay for your tuition and expenses, and in return you will have to work for the government for a while. From what I see, the program would provide 1,000 scholarships (tuition + stipend), and in return for each year you receive the scholarship you have to work one year for the federal government. The money can be used for undergraduate and graduate degrees.
Section 13 is somewhat research related. NIST will create cyber security challenges with prize money. These challenges in particular include schools and universities. Nice idea!
Section 14 talks about information sharing. This section seems to essentially identify what US-CERT is supposed to be doing now (US-CERT is run by DHS). We will see where this goes, but there is certainly some room for turf wars in this section.
Sections 15, 16 and 17 mandate a set of reports, essentially reporting on how the program is doing. Section 17 is a bit different, as it talks about a possible identity management program. Some comments have suggested that this is heading towards some form of national ID, which is in itself a heavily debated topic.
Section 18 has received quite a bit of coverage already. It essentially puts the president "in charge" of the internet and allows him to shut it down if needed ("federal and critical infrastructure systems" only, again). This is similar to shutting down air traffic after 9/11 and would certainly be a step of last resort. Lesser measures may include the disconnection of certain federal networks, canceling of contracts or withholding of pay.
Sections 19 and 20 talk about various reports again. In particular, a review after 4 years and the inclusion of cyber threats in the national intelligence report.
Section 21 makes clear that standards and other measures should be coordinated internationally.
Section 22 is very interesting again. The law requires a secure services and acquisition board to be created, which will review any "high value purchase". New purchases of software have to comply with the NIST standards. This has been a very valuable approach in the past, and it has been one way in which the federal government has influenced product security. If the federal government mandates a particular configuration standard, vendors tend to gravitate to it and offer the same configuration to other users as well. After all, it wouldn't make sense to maintain multiple configurations, and the federal government tends to be a large enough buyer to demand the necessary changes.
Well, if you are interested, you can find the two bills here:
Links to Thomas.gov. The full text is not available as of the last time I checked.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute