Themes: I’ve read this thing back and forth, and one theme emerges overall: We’ve talked for the better part of a decade about what it’s going to take to “solve” this problem that is IT security, from an internal Federal Government standpoint, from a military-industrial complex standpoint, from a state and local government standpoint, from a private-sector standpoint, and from an end-user standpoint. This bill takes some of the best thought on the issue, wraps it all up, and presents it as an “if you want to get the job done, this is the way to do it”.
Missing: The role of DHS. Commerce is highly represented, over-represented to my mindset. Looking at the pieces of who owns what:
Commerce security organizations:
NTIA–Technically not a security organization, but they manage the DNS root and set telecom policy.
NIST–They write the standards for security.
FTC–They regulate trade and have oversight over business fraud.
DHS Security organizations:
NPPD–They are responsible for critical infrastructure and national risk management.
NCSD–They do the security operations side of our national cybersecurity strategy and run US-CERT. (BTW, hi guys!)
Secret Service–They have the primary responsibility of protecting the US Currency which also includes computer crimes against financial infrastructure.
Science and Technology Directorate–They are responsible for research and development, including IT security.
DOJ Security Organizations:
FBI–Surprise, they do investigations.
So you see, some of the things that are tasked to Commerce are done by DHS and DOJ. This is probably the nature of the bill; it was introduced in the Commerce committee, so it’s understandable that it would be Commerce-centric.
Cost: One thing kept nagging me in the back of my head while going through this bill: the cost to do everything. We’re asking to do a lot in this bill, so what’s the total cost? Typically what happens when a bill makes it out of committee is that the Congressional Budget Office attaches a price to the legislation, both the total cost and the breakdown for the average American household. That data isn’t published yet on the bill’s page, so we’ll see in the next iteration.
In-Your-Face Politics: Really, this bill is showing us how to do the full security piece. It includes everything. It’s challenging people to come up with alternatives. It’s challenging people to delete the sections that don’t make sense. It’s challenging people to fix the scope issues. Like it or hate it, it definitely stirs up debate.
Final Thoughts: S.773 is a pretty decent bill. It has some warts that need to be fixed, but overall it’s a pretty positive step.
Capitol photo by bigmikesndtech.