Image: chrisharvey

In an op-ed for The Washington Post, Sens. Joe Lieberman, Susan Collins and Tom Carper propose a “gold standard” in cybersecurity to help protect networks and computers from hackers and potentially, a “digital Pearl Harbor.”

Susan Collins

A ranking member of the Senate Homeland Security and Governmental Affairs Committee has voiced concern over a cybersecurity recommendation submitted by the White House, saying she fears the plan would give hackers and terrorists vital information on which U.S. infrastructure entities are easy to breach, Politico reports.

The Obama administration’s proposal calls for publication of independent audits on how well private companies protect critical infrastructure, and Sen. Susan Collins (R-Maine) questioned whether the audits could provide valuable information not only to cyber criminals, “but perhaps [to] terrorist groups or nation-states that are constantly trying to probe our systems.”

Philip Reitinger, soon-to-retire undersecretary in the Department of Homeland Security’s National Protection and Programs Directorate, said the evaluation would not require detailed reporting that could impair the security of critical infrastructure such as electricity grids, transportation networks and other facilities.

While Collins said she understood what the administration was trying to accomplish by publishing the evaluations, she said the availability of such information could help hostile actors and nations up the ante to compromise U.S. infrastructure systems.

“I really hope you’ll take another look at that,” she said.” I understand what you’re trying to do, but I also think you’re giving information to the enemy.”

The Center for Regulatory Effectiveness, founded and managed by former regulatory officials of the White House Office of Management and Budget,  published on its Interactive Public Docket two recent articles in The Wall Street Journal in an effort to highlight FISMA and FedRAMP worries.

The first article cites how former Homeland Security Secretary Michael Chertoff worries about insidious Stuxnet-type worms that might infiltrate financial networks and wreak havoc slowly and methodically by corrupting financial data without creating immediate alarm.

The second article discusses how Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Tom Calpers (D-Del.) have introduced the Cybersecurity and Internet Freedom Act of 2011, which intends to set up the essential point of coordination across the executive branch in the event of devastating cyber attack against U.S. critical infrastructure.

Established in 1996, after the passage of the Congressional Review Act, CRE provides Congress with independent analyses of agency regulations. It’s main goals are to ensure the public has access to data and information used to develop federal regulations and that information federal agencies disseminate to citizens is of the highest quality.

The Protecting Cyberspace as a National Asset Act of 2010, S.3480, submitted by Sens. Joe Lieberman, Susan Collins and Tom Carper, would create a new cyber center within the Department of Homeland Security and create a White House Office of Cyberspace Policy to spearhead federal and private sector cybersecurity efforts.

“Catastrophic cyber attack is no longer a fantasy or a fiction,” Lieberman said. “It is a clear and present danger. This legislation would fundamentally reshape the way the federal government defends America’s cyberspace. It takes a comprehensive, risk-based, and collaborative approach to addressing critical vulnerabilities in our own defenses.  We believe our bill would go a long way toward improving the security of our government and private critical infrastructure, and therefore the security of the American people.”

When the bill first appeared, several privacy and civil liberties advocates claimed the bill provided the president with a “kill-switch” for the Internet. Language has since been added to the bill requiring the president to obtain Congressional approval for extending emergency powers beyond 120 days.

“It’s important that we realize that the threat of a catastrophic cyber attack is not theoretical,” Collins said. “It’s very real. It is not a matter of ‘if’ such an attack is going to occur, but when. Cyber crime costs our national economy billions of dollars annually.  And intelligence officials have warned over and over again that these attacks are becoming more and more sophisticated. The fact is: We cannot fail to act. We can’t wait until there is a cyber 9/11 and say, ‘Why didn’t we act? We knew this was coming.’ The attacks are ongoing even as we meet. So we must act, and I believe we have drafted a responsible bill to do so.”

Photo: Currant.com

The bill, which was introduced by Sens. Joe Lieberman, Susan Collins and Tom Carper, looks to provide DHS with the power to dictate cybersecurity requirements to private sector companies, which is troubling, McAfee officials said.

“The government needs to be very careful about imposing too much of a top-down standards process,” said McAfee vice president of government relations Tom Gann. “We need to bring products to market very quickly. They need to make sure we can get latest technology.”

IT standards developed by the private sector are more effective as they apply internationally, according to Gann. The standards can also be adapted and changed much more quickly by the private sector than by the government, which could cause the standards to become outdated quickly, he said.

“We tend to do best when those standards are first and foremost developed in private sector because we can move faster,” Gann said. “[Standards] need to continually evolve. Government needs to be sensitive to the rapid pace of innovation in the technology sector.”

The new cyber bill will also overhaul FISMA, which is viewed as a much needed change. The bill would provide a more comprehensive approach to protecting critical infrastructure and government networks, said McAfee director of federal business development Tom Conway.

It “clearly further empowers the White House to drive cybersecurity initiatives across the government,” Conway said.

During a hearing to discuss the Protecting Cyberspace as a National Asset Act of 2010, recently proposed by Sens. Joe Lieberman, Susan Collins and Tom Carper, Townsend said that the majority of cyber talent lies in the private sector, making partnerships between the government and private sector absolutely critical to securing the nation’s infrastructure.

“Collective national cybersecurity can only be effectively addressed through a partnership approach between government and private industry,” she said. “Industry is where most of the expertise in the fields of IT and cybersecurity reside … partnership is the only way forward.”

The bill,  if passed, would create a new Center to coordinate the nation’s cyber effort. Townsend, on behalf of INSA, praised the creation of such a center and its efforts to include the private sector through an advisory council.

“This bill not only establishes a clearly responsible Center for the problem, but requires that a private sector advisory council be organized to advise the Center on their actions’ effects on industry,” she said.

Additionally, Townsend discussed the need to preserve the innovative atmosphere in cyber. The government should be careful when developing standards to keep innovation and creativity from being stifled.

“Prescriptive or directive security standards, or one-size fits all approaches will limit innovation and erode industry support and participation if industry managers feel security mandates have made their business less competitive,” Townsend said. “We applaud the measured approach of this bill in allowing industry members to propose their own security solutions for approval by the regulatory body.”

“This not only creates a true give-and-take security partnership, but also allows for innovation and growth,” she added.

Another key component of the legislation is establishing plans for information sharing. In a cyber environment, particularly in parternship with the government, information is often over-classified or poorly disseminated.

“Critical to a strong public-private partnership is the creation of a shared awareness of the network environment,” Townsend said. “Information sharing is absolutely crucial.”

The bill, if passed, would require plans to be put in place for the sharing of information between public and private sector actors. Townsend also called for the development of best practices and standards in cooperation between the private and public sectors.

“Government must develop security standards and systems that deal with known threats and have the capacity to adapt to the rapidly changing cyber environment, and it must do so in concert with industry partners,” she said. [The new center] should embrace a true partnership approach, soliciting comments from industry on draft proposals, consulting closely with owners and operators and being open to revision of their rules in light of industry input.”

One method of improving security proposed by INSA is private sector self-regulation.

“Self-regulation is not an unprecedented activity in the U.S. private sector,” Townsend said. “There are multiple examples of where the private sector has self-organized to attain a goal … Self-regulation in cyberspace can be achieved and self-imposed based on a strong value proposition and value-based incentives.”

In reference to a cyber bill proposed by Sens. Joe Lieberman, Susan Collins and Tom Carper, Phil Reitinger, deputy under secretary of the National Protection and Programs Directorate at DHS, told the senators that the Department of Homeland Security was equipped to lead the coordination of the nation’s cybersecurity in the civilian sectors.

“This cybersecurity endeavor is not just about DHS,” he said. “The mission is for the entire homeland security enterprise, which includes many agencies.”

DHS is currently working with federal agencies along with the private sector and state governments. In the past year, DHS has focused on dealing with the growing threat in cyberspace, according to Reitinger.

“The United States confronts a dangerous combination of known and unknown vulnerabilities, strong and rapidly expanding adversary capabilities and a limited comprehensive threat and vulnerability awareness,” he said. “We face persistent and unauthorized intrusions to federal executive branch civilian networks that often are difficult to attribute.”

Reitinger also pointed to the stealing of intellectual property from U.S. government and private systems, along with the growing threat from terrorism.

“Sensitive information is routinely stolen from both government and private sector networks,” he said. “Terrorist groups and their sympathizers have expressed interest in using cyberspace to target and harm the United States and its citizens.”

A principle concern about the terrorist threat is also the growing availability of cyber tools on the Internet, according to Reitinger.

“While some have commented on terrorists’ own technical abilities, of equal concern is the wide availability of advanced technical tools for purchase or for free off the Internet,” he said.

The United States is the most networked nation in the world and perhaps the most reliant on networks. DHS is working to increase cooperation and awareness about the threat in an effort to enhance domestic cybersecurity.

“Teamwork … is essential to securing cyberspace,” Reitinger said. “The cybersecurity mission cannot be accomplished by any one agency or even solely within the federal realm; it requires teamwork and coordination across all sectors because it touches every aspect of our lives.”

In order to defend U.S. networks, DHS is advocating a defense-in-depth approach. With defense-in-depth, systems and security is essentially layered to provide maximum protection, rather than relying on one piece or technology such as a firewall.

“The Department’s strategy, which supports a defense-in-depth, requires situational awareness of the state of federal networks, and early warning capability, near real-time and automatic identification of malicious activity and the ability to disable intrusions before harm is done,” Reitinger said.

He also provided a response to the proposed Protecting Cyberspace as a National Asset Act of 2010. While Reitinger praised the Committee its focus on cybersecurity, he said certain portions of the bill were unnecessary.

“We believe that it is preferable to maintain a singular organizational integration between physical and cybersecurity operations, rather than create a separate cyber organization,” he said. “We continue to believe that the nexus point between critical (physical) infrastructure that have cybersecurity vulnerabilities … can best be made resilient through a single organizational entity that works to prevent, mitigate and recover from all-hazards attacks where the lines of cyber and physical security are erased.”

Bob Gourley

Last week, Sens. Joe Lieberman, Susan Collins and Tom Carper unveiled the Protecting Cyberspace as a National Asset Act of 2010, S.3480. The bill will create a permanent Office of Cyber Policy in the White House and form a give the Department of Homeland Security the power to enforce cyber policy in the government and private sector.

Bob Gourley, CTO of Crucial Point LLC, recently wrote an article with his analysis of the bill. One of the issues Gourley points out is the bill’s provision that the Cyber Coordinator position would be Senate-confirmed, which “will help underscore for the executive branch that this issue should be taken a bit more serious.”

The creation of the National Center for Cybersecurity and Communications (NCCC) within DHS also reinforces that message, according to Gourley. “Tt also empowers an individual and group to do something that no one has been authorized to do before (at least no one under the rank of President),” he writes. “This office will have authority to lead across government.”

For that be effective, Gourley writes that the Department must choose the a capable and intelligence technology leader to head the NCCC. “The nation must choose wisely and put a very smart technology leader in this position,” he writes. “Someone who can enforce the right standards and give direction when required but can back off and let agency IT leaders run things when required and that person must be smart enough to know when and how to decide what to decide about.”

Gourley also praises the movement towards a system of continuous monitoring rather than the current FISMA structure. “Updating FISMA is long overdue,” he writes. “Moving towards real-time monitoring is GREAT!”

Additionally, making NCCC the central coordination point across the federal government is “a solid move.” The proposed effort to create secured supply chains, remove any impediments to sharing information and factoring in the human side of cybersecurity are also important, Gourley writes.

In addition to his praise for the bill, Gourley has one additional piece he would like to see added to the bill.

“I want to suggest that the U.S. Intelligence Community be tasked with providing a detailed yearly cyber intelligence threat assessment  for unclassified dissemination,” he writes. “The IC does a good job of providing some counterintelligence assessments and frequently mentions cyber in open fora like Congressional Testimony, but I believe this issue deserves a focused, NIE-like report dedicated to this topic.  Of course the IC should also be tasked with support to the NCCC.”

The Protecting Cyberspace as a National Asset Act of 2010, S.3480, would create a new office in the White House called the Office of Cyber Policy, whose director would be confirmed by the Senate. The Department of Homeland Security would also have a National Center for Cybersecurity and Communications, whose director would also be Senate confirmed. The office would enforce cyber policy in the government and private sector.

The Homeland Security and Governmental Affairs Committee intends to hold a hearing on the bill on June 15.

“The Internet may have started out as a communications oddity some 40 years ago but it is now a necessity of modern life, and sadly one that is under constant attack,” said Lieberman. “It must be secured, – and today, Senators Collins, Carper, and I have introduced a bill which we believe will do just that. The Protecting Cyberspace as a National Asset Act of 2010 is designed to bring together the disjointed efforts of multiple federal agencies and departments to prevent cyber theft, intrusions, and attacks across the federal government and the private sector. The bill would establish a clear organizational structure to lead federal efforts in safeguarding cyber networks. And it would build a public/private partnership to increase the preparedness and resiliency of those private critical infrastructure cyber networks upon which our way of life depends.”

Lieberman also said the Internet is a dangerous place with new risks from new enemies.

“For all of its ‘user-friendly’ allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets,” he said. ” Our economic security, national security and public safety are now all at risk from new kinds of enemies — cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.”

The bill would also update the Federal Information Security Management Act (FISMA) and would require critical infrastructure to report significant data breaches to DHS. Additionally, the bill would require OPM to change the way cyber professionals are recruited and retained by the government.

“For too long, our approach to cyber security has been disjointed and uncoordinated. Our vital legislation would fortify the government’s efforts to safeguard America’s cyber networks from attack,” Collins said. “This bill would build a public/private partnership to promote national cyber security priorities and help prevent and respond to cyber attacks.”

Wu’s concerns are not new. A number of cyber security experts, including many who appeared slated for the position, have raised the apparent lack of authority with the position of cyber coordinator. The position is slated to be within the White House and will have access to the president, though it appears that the access will not be as constant or direct as many believe is necessary.

Rep. Susan Collins has proposed that the cyber coordinator should actually sit in DHS to coordinate the national cyber security effort. This appears unlikely, and a number of security experts believe that, given the proper authority, operating from the White House is the best place for the cyber coordinator.