[Infowarrior] - OpEd: Boost national cybersecurity without stifling freedom
Richard Forno
rforno at infowarrior.org
Thu May 7 14:30:05 UTC 2009
from the May 06, 2009 edition - http://www.csmonitor.com/2009/0506/p09s03-coop.html
Boost national cybersecurity without stifling freedom
The US government should apply stricter control over its own network,
but it should leave public networks alone.
By Bryann Alexandros
Virginia Beach, Va.
For years, the US government has been fretting over national network
vulnerabilities with banking and financial assets, government and
military data, and the energy and utilities grid. Just last year, the
Defense Department detected 360 million attempts to penetrate its
networks, up from 6 million in 2006.
One such attack involved overseas hackers who breached both the
nation's electricity grid and the Pentagon's biggest weapons program,
the $300 billion Joint Strike Fighter, according to the Wall Street
Journal.
"We are literally under attack every day as our networks are
constantly probed and our adversaries seek to exploit
vulnerabilities," Lt. Gen. William Shelton, the Air Force's chief
information officer, told a House Armed Services Committee panel this
week.
To be sure, America is so e-vulnerable in so many e-ways that security
officials now say Washington has no other choice but to extend its
national security efforts across the Internet. This makes sense at
first glance. However, the "Cybersecurity Act of 2009" (introduced
recently in the Senate and apparently lacking independent expert
testimony) would advance a plethora of shady mandates that could
impinge on America's freedom and actually put it at greater risk.
The bill requires federal agencies to take some needed steps to secure
their computer networks. But it also essentially decrees the
government grand overseer of Internet and network security, granting
agencies such as the National Security Agency and Department of
Commerce rights to regulate and impose their own universal security
standards across public and private networks. It would even grant the
president the most epic privilege: the ability to control and shut
down any network the government wanted in the name of a "cyber
emergency" – though that term isn't defined.
The government tried its hand at managing the national network
infrastructure (the system of digital networks that electronically
link the electrical grid, defense systems and the White House) with
The Federal Information Security Act of 2002 (FISMA). It enforced
security rules for government information systems. But it seemed bent
on compliance and report cards rather than on actual measurable
performance.
Security experts later lambasted the act as a lethargic piece of
legislation that stymied action and built nothing but paper
fortresses. Even former White House security adviser Howard A. Schmidt
admitted recently that despite laudable goals, FISMA "has not managed
to solve security problems."
The Cybersecurity Act would be no better. It proposes uniform protocol
that those companies it classifies as "critical infrastructure" must
use. (Think websites in the sectors of public health, government,
telecommunications, and finance). While politicians suggest that a
federally mandated security scheme would benefit the national network
infrastructure, lawmakers don't seem to foresee the inefficiency here,
let alone the potential for great risk.
If companies were required by law to use identical security
configuration across all systems as the bill proposes, it would make
it easier for hackers to attack on a broad scale because then all
networks would share the same weaknesses. Also, software companies
could lose incentive to innovate beyond the federally mandated level,
and overall network security would suffer.
The bill causes complications for IT professionals by requiring
mandatory separate federal licensing if they work within "critical
infrastructure." The problem with this is that the information
technology world is already replete with ways to certify technological
competence among individuals. These certification tests are authored
either by the software/hardware vendors or by independent security
groups, which do a good job.
The bill also calls for a study of "an identity management and
authentication program, with the appropriate civil liberties and
privacy protections, for government and critical infrastructure
information systems and networks." It holds an eerie verisimilitude to
the controversial REAL ID Act of 2005.
The solution? While the government may be wise to reinforce stricter
control over its own network infrastructure, it does not need to
interfere in the network security of the public or private sector.
Lawmakers are hawking power-grabbing legislation on a topic that
actually needs the weigh-in of independent security experts. Instead,
we are flanked with justifications from the director of national
intelligence, Homeland Security, former Bush administration officials,
and government think tanks.
Independent experts would explain that the biggest problems in
computer security are not sinister IT professionals and the way they
configure firewalls, but are in the software we choose to run.
Software isn't perfect, but it surely evolves. It's beautiful in
function but once we find that bit of flawed code, we fix it and patch
it; we thus grow smarter, and our software more stable and secure. In
fact, it is through this process that the ideas and innovation which
make the US are formed. We cannot afford to stifle that.
There is no bulletproof solution to computer and network security.
Right now we must design our systems and networks accordingly. We must
ponder the obstacles we face, and fitly fortify ourselves. The most
practical way is not through sweeping government mandates, but by
focusing on current software and hardware vulnerabilities, system
design, and best industry practices at a local and regional level.
Certainly national security is something we should all be concerned
about, but it doesn't mean forgoing common sense or freedom. The
Cybersecurity Act of 2009 grants immense power without any judicial
checks over a digital problem lawmakers can't fully understand without
an independent coterie of real and competent security experts.
Before this Act goes any further, we all need to honestly ask whether
the government should meddle in regulating the last frontier for free
information.
Bryann Alexandros is a freelance writer and has previously worked as a
systems administrator in the IT industry.