Image: chrisharvey

In an op-ed for The Washington Post, Sens. Joe Lieberman, Susan Collins and Tom Carper propose a “gold standard” in cybersecurity to help protect networks and computers from hackers and potentially, a “digital Pearl Harbor.”

Philip Reitinger

The Department of Homeland Security is planning to amp up its cybersecurity workforce by more than 50 percent in efforts to spearhead governmentwide efforts to secure federal networks against cyber attacks as detailed in the Obama administration’s recent cybersecurity proposal.

Testifying before a Senate committee on Monday, Phillip Reitinger, deputy undersecretary of the DHS’ National Protection and Programs Directorate, said DHS plans to hire 140 additional cybersecurity experts by October 2012, which would bring the agency’s total to 400, Federal Times reported.

Under the president’s proposed legislation, DHS would coordinate cybersecurity measures across the government, as well as  ensure that private operators of critical infrastructure have adequate security measures in place.

“DHS will be the new sheriff in cyber town that we need,” said Sen. Joe Lieberman (I-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee, according to Federal Times.

The Center for Regulatory Effectiveness, founded and managed by former regulatory officials of the White House Office of Management and Budget,  published on its Interactive Public Docket two recent articles in The Wall Street Journal in an effort to highlight FISMA and FedRAMP worries.

The first article cites how former Homeland Security Secretary Michael Chertoff worries about insidious Stuxnet-type worms that might infiltrate financial networks and wreak havoc slowly and methodically by corrupting financial data without creating immediate alarm.

The second article discusses how Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Calpers (D-Del.) have introduced the Cybersecurity and Internet Freedom Act of 2011, which intends to set up the essential point of coordination across the executive branch in the event of devastating cyber attack against U.S. critical infrastructure.

Established in 1996, after the passage of the Congressional Review Act, CRE provides Congress with independent analyses of agency regulations. It’s main goals are to ensure the public has access to data and information used to develop federal regulations and that information federal agencies disseminate to citizens is of the highest quality.

Image: voiceleaks.blogspot.com

The Egyptian government’s multiday deactivation of the Internet, in the wake of the turmoil in the country, have raised concerns and questions about whether the U.S. government could block Internet access by implementing a “kill switch” to protect the country in the event of a cyber emergency.

Last summer, Sen. Joe Lieberman introduced the Protecting Cyberspace as a National Asset Act of 2010, which would have authorized the standup of an Office of Cyberspace Policy. The new office would have been tasked with creating plans to protect the nation’s infrastructure from cyber attacks.

The bill, however, languished when Congress failed to act on it. But last week, Senate Majority Leader Harry Reid reintroduced the bill to the new Congress under the title Cyber Security and American Cyber Competitiveness Act of 2011,” The Washington Post reported.

The revised version says the federal government’s designation of vital Internet or other computer systems “shall not be subject to judicial review.” Another addition expanded the definition of critical infrastructure to include “provider of information technology,” and a third authorized the submission of “classified” reports on security flaws, ZDNet UK reported.

But critics were quick to express their concerns about the new proposal. Greg Nojeim, director of the Center for Democracy and Technology’s Project on Freedom, Security and Technology, told The Post the bill focuses on cybersecurity emergency measures, not on suppressing dissent. However, the measure is not adequate to ensure that such power to control Internet access is not abused, he added.

“What if the authority the bill gives the government to shut down or limit Internet traffic was abused?” Nojeim asked. “What would be the remedy? The bill does not allow for a remedy. There’s no authority for an objective decision-maker to ensure the decision . . . is properly based on a true emergency.”

Privacy groups also voiced concerns. Wired reported that the American Civil Liberties Union, the American Library Association, Electronic Frontier Foundation and Center for Democracy & Technology were skeptical enough to file an open letter opposing the idea, citing concerns that the measure, if it became law, could be used to censor the Internet.

“It is imperative that cybersecurity legislation not erode our rights,” the groups wrote last year to Congress.

But other experts say there’s no need to worry: a kill switch implementation would be near-impossible.

“It would be almost impossible for the government to shut down the whole Internet in the U.S.,” International Business Times wrote. The reason is that the Internet is not one network, but many, with several companies maintaining fiber optic networks, for example, and some of those are owned by foreign companies.

“The Metropolitan Area Exchange, an Internet exchange point that covers the East Coast, has 19 member carriers. Shutting down every avenue to the Internet, given the number of service providers, would be nearly impossible to do — and very expensive,” IBT pointed out.

However, if the government were able to shut down online access, there’s no guarantee it would stop citizens from accessing the web, Computerworld pointed out. CW’s Mike Elgan highlighted the ways Egyptian netizens were able to circumvent the government’s Internet block, including using Google-owned SayNow and Twitter to send Tweets via landline phone calls.

And in neighboring Morocco, Dr. Francesco Landogna, CEO of the site Wall5.com, set up a ghost portal that circumvented the virtual barriers implemented by Egyptian authorities, helping more than 200,000 Egyptians access the Internet.

“Events in Egypt have demonstrated that the human race has evolved some Internet protocols of our own,” Elgan wrote.

Also, an Internet kill switch could actually cause more problems that it would prevent, a report commissioned by the Organisation for Economic Cooperation and Development argued.

“In the very simplest sense the Internet cannot really be switched off because it has no center,” the report said. “In most emergencies, you would want to give priority to doctors, but most doctors and their surgeries use the same downstream Internet facilities as the bulk of the population and there would be no easy way to identify them. Localized Internet switch-off is likely to have significant unwanted consequences.”

The Protecting Cyberspace as a National Asset Act of 2010, S.3480, submitted by Sens. Joe Lieberman, Susan Collins and Tom Carper, would create a new cyber center within the Department of Homeland Security and create a White House Office of Cyberspace Policy to spearhead federal and private sector cybersecurity efforts.

“Catastrophic cyber attack is no longer a fantasy or a fiction,” Lieberman said. “It is a clear and present danger. This legislation would fundamentally reshape the way the federal government defends America’s cyberspace. It takes a comprehensive, risk-based, and collaborative approach to addressing critical vulnerabilities in our own defenses.  We believe our bill would go a long way toward improving the security of our government and private critical infrastructure, and therefore the security of the American people.”

When the bill first appeared, several privacy and civil liberties advocates claimed the bill provided the president with a “kill-switch” for the Internet. Language has since been added to the bill requiring the president to obtain Congressional approval for extending emergency powers beyond 120 days.

“It’s important that we realize that the threat of a catastrophic cyber attack is not theoretical,” Collins said. “It’s very real. It is not a matter of ‘if’ such an attack is going to occur, but when. Cyber crime costs our national economy billions of dollars annually.  And intelligence officials have warned over and over again that these attacks are becoming more and more sophisticated. The fact is: We cannot fail to act. We can’t wait until there is a cyber 9/11 and say, ‘Why didn’t we act? We knew this was coming.’ The attacks are ongoing even as we meet. So we must act, and I believe we have drafted a responsible bill to do so.”

Photo: Currant.com

The bill, which was introduced by Sens. Joe Lieberman, Susan Collins and Tom Carper, looks to provide DHS with the power to dictate cybersecurity requirements to private sector companies, which is troubling, McAfee officials said.

“The government needs to be very careful about imposing too much of a top-down standards process,” said McAfee vice president of government relations Tom Gann. “We need to bring products to market very quickly. They need to make sure we can get latest technology.”

IT standards developed by the private sector are more effective as they apply internationally, according to Gann. The standards can also be adapted and changed much more quickly by the private sector than by the government, which could cause the standards to become outdated quickly, he said.

“We tend to do best when those standards are first and foremost developed in private sector because we can move faster,” Gann said. “[Standards] need to continually evolve. Government needs to be sensitive to the rapid pace of innovation in the technology sector.”

The new cyber bill will also overhaul FISMA, which is viewed as a much needed change. The bill would provide a more comprehensive approach to protecting critical infrastructure and government networks, said McAfee director of federal business development Tom Conway.

It “clearly further empowers the White House to drive cybersecurity initiatives across the government,” Conway said.

During a hearing to discuss the Protecting Cyberspace as a National Asset Act of 2010, recently proposed by Sens. Joe Lieberman, Susan Collins and Tom Carper, Townsend said that the majority of cyber talent lies in the private sector, making partnerships between the government and private sector absolutely critical to securing the nation’s infrastructure.

“Collective national cybersecurity can only be effectively addressed through a partnership approach between government and private industry,” she said. “Industry is where most of the expertise in the fields of IT and cybersecurity reside … partnership is the only way forward.”

The bill,  if passed, would create a new Center to coordinate the nation’s cyber effort. Townsend, on behalf of INSA, praised the creation of such a center and its efforts to include the private sector through an advisory council.

“This bill not only establishes a clearly responsible Center for the problem, but requires that a private sector advisory council be organized to advise the Center on their actions’ effects on industry,” she said.

Additionally, Townsend discussed the need to preserve the innovative atmosphere in cyber. The government should be careful when developing standards to keep innovation and creativity from being stifled.

“Prescriptive or directive security standards, or one-size fits all approaches will limit innovation and erode industry support and participation if industry managers feel security mandates have made their business less competitive,” Townsend said. “We applaud the measured approach of this bill in allowing industry members to propose their own security solutions for approval by the regulatory body.”

“This not only creates a true give-and-take security partnership, but also allows for innovation and growth,” she added.

Another key component of the legislation is establishing plans for information sharing. In a cyber environment, particularly in parternship with the government, information is often over-classified or poorly disseminated.

“Critical to a strong public-private partnership is the creation of a shared awareness of the network environment,” Townsend said. “Information sharing is absolutely crucial.”

The bill, if passed, would require plans to be put in place for the sharing of information between public and private sector actors. Townsend also called for the development of best practices and standards in cooperation between the private and public sectors.

“Government must develop security standards and systems that deal with known threats and have the capacity to adapt to the rapidly changing cyber environment, and it must do so in concert with industry partners,” she said. [The new center] should embrace a true partnership approach, soliciting comments from industry on draft proposals, consulting closely with owners and operators and being open to revision of their rules in light of industry input.”

One method of improving security proposed by INSA is private sector self-regulation.

“Self-regulation is not an unprecedented activity in the U.S. private sector,” Townsend said. “There are multiple examples of where the private sector has self-organized to attain a goal … Self-regulation in cyberspace can be achieved and self-imposed based on a strong value proposition and value-based incentives.”

Bob Gourley

Last week, Sens. Joe Lieberman, Susan Collins and Tom Carper unveiled the Protecting Cyberspace as a National Asset Act of 2010, S.3480. The bill will create a permanent Office of Cyber Policy in the White House and form a give the Department of Homeland Security the power to enforce cyber policy in the government and private sector.

Bob Gourley, CTO of Crucial Point LLC, recently wrote an article with his analysis of the bill. One of the issues Gourley points out is the bill’s provision that the Cyber Coordinator position would be Senate-confirmed, which “will help underscore for the executive branch that this issue should be taken a bit more serious.”

The creation of the National Center for Cybersecurity and Communications (NCCC) within DHS also reinforces that message, according to Gourley. “Tt also empowers an individual and group to do something that no one has been authorized to do before (at least no one under the rank of President),” he writes. “This office will have authority to lead across government.”

For that be effective, Gourley writes that the Department must choose the a capable and intelligence technology leader to head the NCCC. “The nation must choose wisely and put a very smart technology leader in this position,” he writes. “Someone who can enforce the right standards and give direction when required but can back off and let agency IT leaders run things when required and that person must be smart enough to know when and how to decide what to decide about.”

Gourley also praises the movement towards a system of continuous monitoring rather than the current FISMA structure. “Updating FISMA is long overdue,” he writes. “Moving towards real-time monitoring is GREAT!”

Additionally, making NCCC the central coordination point across the federal government is “a solid move.” The proposed effort to create secured supply chains, remove any impediments to sharing information and factoring in the human side of cybersecurity are also important, Gourley writes.

In addition to his praise for the bill, Gourley has one additional piece he would like to see added to the bill.

“I want to suggest that the U.S. Intelligence Community be tasked with providing a detailed yearly cyber intelligence threat assessment  for unclassified dissemination,” he writes. “The IC does a good job of providing some counterintelligence assessments and frequently mentions cyber in open fora like Congressional Testimony, but I believe this issue deserves a focused, NIE-like report dedicated to this topic.  Of course the IC should also be tasked with support to the NCCC.”

The Protecting Cyberspace as a National Asset Act of 2010, S.3480, would create a new office in the White House called the Office of Cyber Policy, whose director would be confirmed by the Senate. The Department of Homeland Security would also have a National Center for Cybersecurity and Communications, whose director would also be Senate confirmed. The office would enforce cyber policy in the government and private sector.

The Homeland Security and Governmental Affairs Committee intends to hold a hearing on the bill on June 15.

“The Internet may have started out as a communications oddity some 40 years ago but it is now a necessity of modern life, and sadly one that is under constant attack,” said Lieberman. “It must be secured, – and today, Senators Collins, Carper, and I have introduced a bill which we believe will do just that. The Protecting Cyberspace as a National Asset Act of 2010 is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions, and attacks across the federal government and the private sector. The bill would establish a clear organizational structure to lead federal efforts in safeguarding cyber networks. And it would build a public/private partnership to increase the preparedness and resiliency of those private critical infrastructure cyber networks upon which our way of life depends.”

Lieberman also said the Internet is a dangerous place with new risks from new enemies.

“For all of its ‘user-friendly’ allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets,” he said. ” Our economic security, national security and public safety are now all at risk from new kinds of enemies — cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.”

The bill would also update the Federal Information Security Management Act (FISMA) and would require critical infrastructure to report significant data breaches to DHS. Additionally, the bill would require OPM to change the way cyber professionals are recruited and retained by the government.

“For too long, our approach to cyber security has been disjointed and uncoordinated. Our vital legislation would fortify the government’s efforts to safeguard America’s cyber networks from attack,” Collins said. “This bill would build a public/private partnership to promote national cyber security priorities and help prevent and respond to cyber attacks.”

On Monday, Senator Susan Collins spoke before the Homeland Security Policy Institute at GWU and outlined her view that the cyber coordinator position should be part of the Department of Homeland Security.

As the leading members of the Homeland Security and Governmental Affairs Committee, Lieberman and Collins often work together on pieces of legislation related to national security issues. In this case, Collins advocates a coordinator who is operating in DHS, who can operate in a similar manner to the head of the National Counterterrorism Center (who reports to the DNI and president).

The idea is to give the individual the high level access to the president while providing the appropriate infrastructure backing. Critics of Collins’ plan cite the difficulty of cross-agency cooperation if the coordinator is operating out of DHS.

Despite their differences over the position of cyber coordinator, both Lieberman and Collins believe a coordinator needs to be appointed soon.