
The Politics of Security

January 17, 2011

“Wheels within wheels, in a spiral array, a pattern so grand and complex…” – Rush, Natural Science

As the new session of Congress gets into full swing, it will be interesting to see how two critical pieces of cyberspace legislation – the Protecting Cyberspace as a National Asset Act of 2010 (put forward by Senators Lieberman [I-CT], Collins [R-ME] and Carper [D-DE]), and the National Cyber Infrastructure Protection Act of 2010 (introduced by Senators Bond [R-MO] and Hatch [R-UT]) – will fare.

Much has been written about the pros and cons of these legislative pieces (some analysis leaning toward “this is exactly what we need”, others more toward “this is the end of private control of the Internet”), but regardless of what you think, one thing is clear: there’s going to be a legislatively-driven reckoning for failing to adequately protect information in this country.  While some have characterized the former piece of legislation as a “government takeover of the Internet”, and the latter as “another layer of bureaucracy pushing another paper exercise like FISMA”, the fact is, we’re inching ever-closer to an all-encompassing, over-arching information security law at the federal level… one which may – or may not – be compatible with all the other wonderful existing security regulations, best practices, and standards to which we’re already subject.

Now, let’s be clear: there are some bad people out there who wish to do our country and our people great harm; and the fact is, they’ll stop at nothing in their attempts to do so.  The truth is that unless we take appropriate steps to protect this country’s critical infrastructure from cyber attacks, we will fail to do everything we can to protect ourselves.  However, that also means that we need to legislate responsibly, to address the actual problems of security.  Providing the President with the authority to shut down critical infrastructure if it’s compromised, or providing yet another multi-layered reporting and coordination effort in the event of a major cyber attack, are both methods of addressing the problem after the fact, and are really of limited use in preventing the problem from occurring in the first place.

So, how could Congress pass a law that actually reduces the likelihood of a major cyber attack – particularly one against critical infrastructure – while ensuring that any response to such an attack is both measured and properly coordinated?  Well… I’m glad you asked. 🙂  Here are a few key issues that need to be addressed, if not by modifying existing bills, then by scrapping them in favor of more effective legislation:

Focus on continuous monitoring. Information security is the science of determining what’s not normal.  You can have all the best security technologies in the world deployed in your environment, but unless you’re monitoring for the anomalies, you’re not likely to see a successful attack, especially if that attack utilizes multiple vectors and has a complex payload (such as Stuxnet).  Even today’s signature-based point technologies – SIEM, DLP, NAC, IDS, IPS, [insert your three-letter security technology acronym here] – cannot detect and alert you on every legitimate security threat.  Organizations need to collect and correlate across all types of security data – and not just the event-based stuff.  Otherwise, you’re not likely to even know that you’ve been breached – let alone how to respond to it.

Risk-based security. Not every facility is a nuclear reactor, Army base, or intelligence agency.  The fact is, risk must drive the need for information security: there’s no need to spend $1,000.00 to protect $4.95 worth of data or other assets.  What’s lacking in the current proposed bills is a clear definition and demarcation between what is – and isn’t – “critical infrastructure” for the purpose of determining a response.  In the former bill, for example, the entire Internet (or at least, the part of it that is controllable by the United States) can be shut down via a Presidential “kill switch” for a period of up to 120 days (and that’s the more restrictive amended version of the legislation!)  Really?  Does a limited attack on a portion of critical infrastructure (say, the electricity distribution network) really warrant shutting down the whole kit-‘n-caboodle?  When the remedy is more painful than the sickness, you’ve got a problem.  These bills need to more clearly state the scope of potential response to a cyber attack, preferably through a tiered definition of the criticality of assets.

Centralized crisis management. If there is a successful cyber attack (and let’s face it: there’s no such thing as “100% secure”, so this will happen at some point), one person needs to be ultimately accountable and responsible for coordinating a response; but similarly, that person needs to be empowered to command and control the myriad tentacles of federal agencies and NGOs that are involved in the process.  Any law that relies on a “multi-lateral effort between various heads of agencies”, or some other such language that attempts to placate Washington’s culture of career politicians, is doomed to failure.

Getting a cybersecurity bill agreed and onto the statute books – and quickly – should be one of the most important objectives for 2011.  However, it needs to be the right law, not just the one that’s most politically expedient.  It is, I believe, critical that people from both sides of the aisle get truly useful legislation scheduled as quickly as possible, so that a final draft can be agreed on.  Our safety and security may depend on it.

2 Comments
  1. March 8, 2011 11:55 pm

    I agree with many of your points. The problem with the legislation is that it raises more questions than it answers, and you raise many of the points here. I fully agree we need to clearly define the risks, and responses. But do we really need another agency?

  2. March 10, 2011 3:12 pm

    Tom – Excellent food for thought. Thanks!

    I don’t necessarily know that we need another *agency*, but I think there’s good value in another *regulation*, provided it meets some of the key criteria above: (1) it has to systemically address problems, not just be a reactive band-aid; (2) it has to address security threats with a scalpel, not a bludgeon; and (3) it has to have the tools required to make the problems go away quickly.

    I think that with all the different overlays of cybersecurity in the federal space today – each agency’s own team(s), coupled with meta-groups like DHS/NCCIC – we already have plenty of organizational structures (and some would say way too many…). The big need, as I see it, is giving each of these agencies visibility into the security metrics of the other (although not necessarily the security details), and most importantly, when that “big event” hits – and we all know that someday it will – having someone (as in “individual”, not “multi-lateral group”) with the authority to bring all those myriad resources together.
