Implications of proposed Cybersecurity Act of 2009, Part 1

Security Strategies Alert By M. E. Kabay, Network World
May 11, 2009 01:34 PM ET

The long view of security strategies for your network.

Legislators mean well, but their proposals for regulation of areas that depend on technical expertise always make my hackles rise - even before I've read the details.

One of these cases is the occasion for today's and our next columns. I received a thoughtful note from Bill Garamella, a graduate of the MSIA Program of the School of Graduate Studies at Norwich University, about the situation and invited him to write for the column. Here’s the first of Bill’s two-part contribution; everything that follows is entirely Bill’s work with minor edits.

* * *

Cyberattacks often originate outside of the jurisdictions they occur in, and authorities may lack reciprocal extradition agreements. Extradition assumes that the perpetrators can be identified; often they cannot. These limitations create enforcement problems and increase the importance of defensive measures.

The ramifications of a successful attack on critical elements of the cyber infrastructure are making their way into mainstream media. With this growing awareness comes a call to arms. However, although it is high time for awareness and action, we must move carefully when building defenses.

All users of the information infrastructure would benefit from minimum enforceable security standards. A common analogy is the need to standardize driving rules and highway regulations: allowing an untrained driver onto public roads poses a threat to all other users. Likewise, vehicles equipped with seatbelts save lives when used as directed.

Government, financial, and healthcare segments of the information infrastructure are subject to enforceable standards and, as a result, are arguably more secure than many unregulated segments. It follows that unregulated segments of the information infrastructure pose a greater threat to everyone.

The fact that the Internet works at all is a result of established protocols that were agreed on many years ago. The only way a computer can connect to other computers is by following the same rules as the other computers. Unfortunately, when these rules were established, little attention was given to security factors. The early architects designed the cyber infrastructure to accommodate a relatively small number of trusted insiders. They never imagined this would grow to include billions of users, including bad actors.

On April 1, 2009, the "Cybersecurity Act of 2009," consisting of S.773 and S.778, was introduced in the U.S. Senate. Its stated purpose:

S. 773 – “To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.” 

and

S.778 – “A bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor.”

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
