Implications of proposed Cybersecurity Act of 2009, Part 2

Security Strategies Alert By M. E. Kabay, Network World
May 13, 2009 12:06 AM ET

The long view of security strategies for your network.

In the first of this two-part series, Bill Garamella raised the issue of the “Cybersecurity Act of 2009” consisting of S.773 and S.778. Everything that follows is entirely Bill’s work with minor edits.

* * *

The proposed “Cybersecurity Act of 2009” is a hot topic. Its premises:

• Society cannot function without the cyber infrastructure;
• The current state of cybersecurity is unacceptable and threats of a major attack on the cyber infrastructure are real;
• All users of the cyber infrastructure should provide and prove cybersecurity for the good of all users.

Pundits are discussing this proposed legislation with enthusiasm or vehemence, according to their preferences.

Supporters are saying the president needs this authority to shut down the private networks on the Internet to defend against a cyberattack. One supporter states: “The market has failed to secure cyberspace. A ten-year experiment in faith-based cybersecurity has proven this beyond question.” Opponents are saying civil liberties are at stake and suggest that the impact to private business could be too costly. Some suggest extension of a liability regime as an alternative to regulation.

Both positions contain elements of truth.

An effective attack could disrupt or disable elements such as public utilities, including power, water and gas. Ground and air traffic control systems are also potential targets. These critical elements warrant no less protection than defense, finance and healthcare. There is a proliferation of data breaches from all sectors of the cyber infrastructure. Left alone, this situation will only get worse.

Security guru Bruce Schneier wrote an interesting entry in his blog on April 2, 2009, entitled “Who Should be in Charge of U.S. Cybersecurity?” about potential government involvement in overall cybersecurity and the NSA’s role. He calls for the government to act as a facilitator but for the NSA to back off.

Even as I write this, Grant Gross of the IDG News Service reports that spies from China, Russia and elsewhere have gained access to the U.S. electrical grid and have installed malware tools designed to shut down service.

The discussion over whether private networks should be regulated and how is exactly what is needed. We must act, carefully, thoughtfully and without delay. I urge that legislators consider the following key points:

• Government functions as regulator and facilitator;
• Cybersecurity must be elevated to a priority across all sectors;
• The existing private cybersecurity sector is mature and is likely the best resource for crafting methods for private-sector implementation;
• A common language is needed to bridge government and non-government sectors;
• Identify baseline cybersecurity standards appropriate for each industry;
• Standardized metrics will streamline the enforcement process;
• View enforcement as an opportunity to educate.

An opportunity exists for government and the private sector to join in a debate that can draw out the best ideas from both. As a facilitator, government can provide a flexible framework that can accommodate all elements of the cyber infrastructure. With this we can build a partnership to better protect all.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.