Oak Street Blog
Following the action as Federal Cybersecurity requirements start falling into place. Researched and assembled by Mary Fetherolf, President, Oak Street Associates, Inc.
Thursday, April 30, 2009
Overview: Information and Communications Enhancement (ICE) Act, May 2009
Sponsorship: Sen. Thomas Carper (D-Del.)
All Bill Actions as of April 29, 2009: To be introduced May 5, 2009.
Content of the Bill
· Places a federal "cyber office" directly below the president
· The National Office for Cyberspace would coordinate cybersecurity response between the Department of Homeland Security, the Department of Defense (DoD), the National Security Agency and the private sector
· Follows comments made by Melissa Hathaway, President Barack Obama's acting senior director for cyberspace, calling for the centralization of cybersecurity authority directly under the White House. She stated efforts to defend citizens and networks against cyberattacks are a "fundamental responsibility of our government" during her keynote address last week at RSA Conference 2009 in San Francisco.
· The ICE Act would also be introduced under the pall created by the data breach of the DoD's $300 billion Joint Strike Fighter program and the U.S. Air Force's air traffic control system.
Commentary
· The ranking member of the U.S. Senate's Homeland Security Committee, Susan Collins (R-Maine), today (4/28) raised questions about recent calls for a direct White House role in coordinating national cybersecurity affairs. At a hearing this morning (4/28) on strategies for securing cyberspace, Collins said that putting the White House in charge would make it harder for Congress to exercise needed oversight over critical cyber policies and budgets.
Wednesday, April 29, 2009
Overview: Cybersecurity Act of 2009 - Introduced April 1, 2009
Assembled, but not written, by Mary Fetherolf.
Official Bill Title
A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
Sponsorship
Sen. John Rockefeller [D, WV] and 3 Co-Sponsors: Sen. Evan Bayh [D, IN], Sen. Bill Nelson [D, FL], Sen. Olympia Snowe [R, ME]
Apr 01, 2009: Read twice and referred to the Committee on Commerce, Science, and Transportation.
Introduced on Apr 01, 2009.
Content of the Bill
· Bill text: http://cdt.org/security/CYBERSEC4.pdf
· The 2009 Cybersecurity Act would require a complete threat assessment — not just for government systems, but also for private corporations that own 80 percent of the nation’s critical infrastructure. Those corporations would also have to follow federal security standards.
· Directs the president to create an advisory panel, with specialists from the private and public sectors, to offer cybersecurity guidance.
· The bill is one of two introduced last week by Sens. John Rockefeller, D-W.Va., and Olympia Snowe, R-Maine. The other would create a position, the national cybersecurity adviser, within the Executive Office of the President
· President Barack Obama has already promised to appoint a cybersecurity adviser; the bill would make that a Senate-confirmed position
· Requires a quadrennial cybersecurity review, similar to the Defense Department’s Quadrennial Defense Review
· Envisions a public-private clearinghouse to share standards, and requires the president to choose one agency to respond to cyberattacks [1]
· President would have the authority to declare a “cybersecurity emergency.” [2]
Commentary
It’s unclear how industry will respond to the bill, though, since it effectively allows the federal government to shut down private computer networks.
“The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy,” said Leslie Harris, CEO of the Center for Democracy and Technology, an industry group.
Industry groups say the bill doesn’t provide enough detail on what is considered “critical infrastructure.” Rockefeller and Snowe have promised to solicit public opinion and then revise the bill.
Critics also say imposing uniform standards on computer networks could be counterproductive: Hackers who find a way around the government’s defenses would have unfettered access to critical networks.
Paller was critical of the big role the bill gives the National Institute of Standards and Technology. NIST would be in charge of setting standards for the government and the private sector. But many experts have been critical of the agency, saying its current cybersecurity guidance isn’t based on data about actual attacks.
“NIST doesn’t have current attack and threat knowledge,” Paller said. “If you allow them to do the threat standards, you’re going to be defending against the wrong thing.” A spokesman for NIST said the agency was familiar with the bill but could not comment on pending legislation. Lewis defended the agency and said there would be a learning curve for any agency tasked with creating nationwide standards.
Lawmakers briefed on the review told reporters that it will recommend coordinating cybersecurity through the White House and increased staffing for the Office of Management and Budget, which oversees the governmentwide implementation of that policy.
[1] This is a tangent to another story, with NSA lobbying for chief responsibility for cybersecurity of federal government offices.
[2] Hence the fears of some that the President would have the power to “shut down the Internet”
Monday, April 27, 2009
Overview: White House Cybersecurity Review - previewed April 23, 2009
· Melissa Hathaway, who just completed a 60-day review of the government's cybersecurity preparedness, said that while cybersecurity needs to be a shared private and public sector effort, the task of leading it "is the fundamental responsibility of our government."
· Hathaway stressed the need for greater collaboration between the private and public sector on cybersecurity matters because such a large portion of the critical infrastructure is owned by private companies.
· Having made no public comments during the past two months, Hathaway took center stage Wednesday 4/22 at the 2009 RSA Conference in SF to deliver a summary of her team's review of the country's cybersecurity policies and structures.
· Hathaway's report on the state of U.S. cybersecurity was delivered to President Barack Obama on Friday (4/24); she said the results should be made public in the coming days (4/29, nothing yet). It isn't known what if any recommendations might result from it.
· Hathaway is a former Bush administration aide who has been working as a cybercoordination executive for the Office of the Director of National Intelligence. She headed a multiagency group called the National Cyber Study Group that was instrumental in developing the Comprehensive National CyberSecurity Initiative, which was approved by former President George W. Bush early last year.
· Hathaway may be front-runner for senior director for cyberspace and could then be granted authority needed to enforce cybersecurity practices across the government and the private sector.
· The review touches on every facet of government networks, including the missions of computer network defense, law enforcement investigations, military and intelligence activities, and how those intersect with information assurance, counterintelligence, counterterrorism, telecommunications policies and general critical infrastructure protection.
· Her team identified more than 250 needs, tasks and recommendations, and requested that government agencies identify new or existing requirements they may have. She added that her team connected with the security industry, academia, civil liberties and privacy entities, state governments and executive branches of government.
· While short on details, Hathaway's 30-minute speech stressed the need for collaboration between the public and private sectors in securing cyberspace, and in turn the economy, civil infrastructure, public safety and national security.
· Endorsing a viewpoint that's been gaining currency in the security industry, Hathaway called for a more direct White House role in coordinating national cybersecurity efforts.
· "Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law," she said. “It requires leading from the top: from the White House, to departments and agencies, state, local, tribal governments, the C-Suite, and to the local classroom and library.”
Commentary
· "Hathaway called this a marathon," Kellerman said. "It's very important that they not change runners" in the middle of it.
· “There are now at least three camps involved in the decision that the president will make about control of cybersecurity,” said James A. Lewis, a senior fellow at the Center for Strategic and International Studies:
o traditional national security policy analysts who are not focused on the cyberthreat;
o intelligence and military agencies that are seeking to consolidate power and influence over cyberpolicy;
o an influential group that has said stricter cybersecurity regulations could damage innovative Internet industries associated with Silicon Valley.
Monday, April 20, 2009
Overview: CSIS Recommendations, December 2008
Assembled, but not written, by Mary Fetherolf.
http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/
The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, "Securing Cyberspace for the 44th Presidency." The Commission’s three major findings are:
Cybersecurity is now one of the major national security problems facing the United States;
Decisions and actions must respect American values related to privacy and civil liberties; and
Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.
The report says the U.S. government should:
· Overhaul its approach to cybersecurity by imposing sweeping new regulations on businesses and creating a centralized cybersecurity office in the White House
o A White House office is needed because the Department of Homeland Security isn't equipped to protect the federal government against cyberattacks
o DHS would retain responsibility for the U.S. Computer Emergency Readiness Team and related functions, but the report envisions a new White House National Office of Cyberspace that would coordinate and oversee cybersecurity efforts governmentwide
· Develop new government regulations focused on protecting computer networks in the U.S. Many of those regulations would focus on refining government efforts to protect its own cyber infrastructure, but regulations on private industry are needed as well
· Reject the market-driven approach to cybersecurity advanced by President Bush
· Develop new regulations for the IT, finance and energy industries — including the use of identity authentication credentials — and for supervisory control and data acquisition, or SCADA, systems
· Change government’s own acquisition rules for IT products to focus more on cybersecurity
· Allow U.S. residents to use government-issued cyber credentials for their online activities
· Develop a new national cybersecurity strategy that includes diplomacy, military action, changes in policy and the involvement of intelligence and law enforcement officials in the U.S.
· Put a new emphasis on having the government work with the private sector, with clearly defined responsibilities and a focus on building trust with the business community.
· Increase spending on cybersecurity research and create a scholarship program to encourage more college students to obtain cybersecurity degrees.