[Infowarrior] - Comments: Proposed Cybersecurity Legislation
Richard Forno
rforno at infowarrior.org
Fri Apr 3 14:10:20 UTC 2009
Several security and DOD-oriented lists I participate in have been
abuzz with the propsed cybersecurity legislation being floated around
in the Senate this week by Sens Snowe and Rockefeller. After a few
days of discussion, I've decided to just add my comments to the fray
here on infowarrior-l based on the following DefenseTech article:
Proposed Cyber Security Legislation
http://www.defensetech.org/archives/004779.html
Summary: They appear to be reinventing the wheel (again) -- and the
results will be no different.
Comments below:
> The proposed legislation calls for the creation of a Cyber Security
> Advisory Panel that is composed of outside experts from industry,
> academia, and nonprofit groups that would advise the president on
> related matters.
They have them - NSTAC, NIAC, and other Advisory Counsels. In fact,
my April prank this week (yeah yeah) was along just such lines,
because any such advisory body likely will be composed of those least
knowledgeable about what's really going on (ie, mostly hand-picked
senior executives from the corner offices) Of course, those in
charge do NOT want to have truly knowledgeable folks advising them,
for they will not like what they are being told. Groupthink reigns
supreme in Washington policy circles, as does lobbying influence.
http://infowarrior.org/aprilfools/aprilfools09.html (for those who
missed it)
> The proposed legislation calls for the creation of a public/private
> clearinghouse for cyber threats and vulnerability information
> sharing, establishment of measurable and auditable cyber security
> standards from the National Institute of Standards and Technology.
Umm, the SEI CERT/CC has been around for 20 years doing just that.
Highly trusted and regarded folks, they are. Do we need another group
to do this? (Disclaimer: I am a visiting scientist @ SEI)
> The proposed legislation would also require that cyber security
> professionals be licensed and certified.
> Provision: The proposed legislation would also require that the
> Cyber Security Adviser conduct a review of the U.S. cyber security
> program every four years and require officials to complete a number
> of reviews and reports.
The security experts whom I respect and admire the most (mentioned
above) cut their teeth and made their reputations by hard work and
demonstrated professional activities (jobs, papers, con talks,
research, etc) and not simply by passing a test. As this proposal
reads, will people like Dorothy Denning, Whit Diffie, Matt Blaze, Dan
Geer, Bruce Schneier, and how many other VERY competent and
knowledgeable security experts be prevented from consulting to the
government because they do not have (to my knowledge) any
certification? Or will there be waivers? And will "waivers for
awesome people" be the new norm?
As one securitygeek told me, "The fed gov needs X IA pros. They need
to be certified. My guess is the difficulty in getting that cert has
to be low enough that you can have X + enough to fill the pipe." So
at what point does this policy become meaningless and ineffective
because getting a cert is "so simple to pass even a Caveman can do it?"
Requiring certification for infosec people is conventional thinking.
As with those security experts and hackers whom I respect and admire,
the "enemy" will be effective not because the have certifications but
because of their personal attributes --- ie, qualities like
inquisitiveness, tenacity, professional interests, tacit knowledge,
and drive --- things that CAN NOT be externally taught, nor externally
certified present. Just as when folks are surprised when I bring up
"stuff" (such as threats/vulns/risks/observations) during red team
exercises that they thought was uber-classified and known to only a
handful of people, the same analogy applies here.....if you maintain
the belief in the sanctity and exclusiveness of your standards, don't
be surprised when others are able to run circles around you!
So who's the real beneficiary here? The certification-issuing folks,
who stand to profit handsomely from this. And, those executives/
managers/CIO/CTOs who are forced to use these certified professionals,
for they have received a legislated Get-Out-of-Jail-Free card -- if
there are problems, damages, or losses, they can point to these
certified people and say "these EXPERTS told me what to do, and I did
it" ... ie, they can dodge accountability for problems happening on
their watch. How convenient!
> The proposed legislation calls for the creation of state and
> regional cyber security centers to help small and midsize businesses
> adopt security measures.
Yep. We love those "fusion center" operations, don't we? That's the
hottest ticket in town, building these centers.
> The proposed legislation would establish a Secure Products and
> Services Acquisitions Board that would to review and approve the
> security and integrity of products purchased by the federal
> government.
Isn't that what NIST and NSA were supposed to be doing all along in
examining and certifying technology products for federal use and
security requirements? Do we need another entity now?
> The proposed legislation would require government and private sector
> networks that control the critical infrastructure to comply with a
> set of cyber security standards established by the National
> Institute of Standards and Technology (NIST).
They're probably there in one form or other - just need to consolidate
things. Okay, fine.
> This legislation is past due! Report after report has highlighted
> the increased complexity and frequency of cyber attacks on business,
> government and our critical infrastructure. Delays in pushing this
> legislation through could have serious consequences. So time is of
> the essence in preparing for the passage and enactment of this
> legislation.
This reporter knows nothing about cybersecurity issues and is simply
parrotting the typical DC response to problems --- We must do
something now, because the threats are immediate. Forget thinking
things through and objectively coming to rational, effective
solutions, we need solutions NOW. *facepalm* Something must be
done; this is something, therefore we must do it. :(
> mandatory reporting within 24 hours of discovery is critical.
> Another area of concern is training. While the proposed legislation
> touches on training, it does not specifically address continuing
> education. Cyber attack techniques and criminal scams are highly
> dynamic and rapidly evolving.
Nor does it do ANYTHING in terms of forcing accountability on people,
agencies, vendors, and service providers to build, develop, deploy,
and administer resilient systems. Remember that "good enough" has
become the accepted standard of cybersecurity excellence. There is
no economic motivation for anyone to do anything more to fix these
problems short of offering more consultants and "stuff" to deploy on
top of foundations that remain fundamentally flawed and unstable.
After all, if you think about it, "good enough" is too damn profitable!!
Also, IIRC there is also talk of developing a "national cybersecurity
dashboard" where someone (WH, DHS) can see at anytime the
"cybersecurity health" of the country and then point at some network
node and say "disconnect it now". The former notion might - might -
be doable, but the latter point is downright scary, especially when we
see things like this article, where the FBI creates huge collateral
damage "disconnecting" an Internet site: FBI Agents Raid Dallas
Computer Business
http://cbs11tv.com/local/Core.IP.Networks.2.974706.html. But we've
got to have *some* pie-in-the-sky thinking here, right?
As I said, this is More of The Same Stuff. Just a different
Administration, and Different Congress.
I remain cynical.
-rick
More information about the Infowarrior
mailing list