Rybolov Note: this is part 3 in a series about S.773. Go read the bill here. Go read part one here. Go read part two here. Go read part four here. Go read part 5 here. =)
SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE. This section of the bill creates a series of competitions for a range of ages and skills… with cash prizes! Mostly it’s just the administration of competitions–cash prizes, no illegal activities, etc.
This reopens the age-old argument about glorifying illegal activity: handing tools to people who are too young to know how to stay out of jail.
But then again, I know why this section of the bill is in there. If we want to grow enough security professionals to even remotely keep up with demand, we need to do a much better job of recruiting younger techies to the “security dark side”. Competitions are a start; the next step is to get them into formal education and apprenticeships to learn from the gray-hairs who have been in the industry for a while.
Once again, the same verbiage about tasking Commerce with leading this effort… I’m not sure they’re the ones to do this.
Verdict: Already happening although in ad-hoc fashion. I’m not sold on teaching high school kids to hack, but yeah, we need to do this.
SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE. Although the title of this sounds really cool, like super-FOIA stuff, it’s really just information-sharing with critical infrastructure owners and operators.
One interesting provision is this:
“The Secretary of Commerce–
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access”
In other words, all your critical infrastructure information belong to Feds. This is interesting because it could mean anything from the Feds asking power grid operators for information and taking whatever they get, to a justification for auditing privately-owned critical infrastructure. I’m pretty sure they mean the former, but I can see the latter being argued at a later stage in the game.
One thing I thought was interesting is that this section only refers to information sharing with critical infrastructure. There is a big gap here in sharing information with state and local government, local (i.e., non-Federal) law enforcement, and private industry. I think other sections–most notably section 5–deal with this somewhat, but information dissemination has always been a problem: how do you get classified data down to the people who need it to do their jobs but have no clearance or other basis for trust beyond having won an election to be sheriff in Lemhi County, Idaho (population 5000)? See also the Homeland Security Information Network (HSIN) for how we do this today.
Verdict: Really, I think this section is a way for the Feds to gather information from critical infrastructure owners. I don’t see much information flowing the other way, since the means for getting information to critical infrastructure owners already exists in HSIN.
Capitol photo by rpongsaj.
SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT. This short section commissions a study of something that has been bouncing around the security community for some time now: tying security risk to financial statements, cyberinsurance, company liability, etc.
Verdict: Seems pretty benign, hope it’s not just another case where we report on something and nothing actually happens. This has potential to be the big fix for security because it deals with the business factors instead of the symptoms.
SEC. 16. LEGAL FRAMEWORK REVIEW AND REPORT. This section requires a review of the laws, national-level policies, and basically our national-level governance for IT security. As weird as this sounds, it is something that needs to be done: once we have a national strategy that aligns with our laws and policies, and that strategy is translated into funding and tasks for specific agencies, then we might have a chance at fixing things. The one caveat is that if we don’t act on the report, it will become yet another National Strategy to Secure Cyberspace, where we had lots of ideas but never followed through on them.
Verdict: Some of this should have been done in the 60-day Cybersecurity Review. This is more of the same, and is a perfect task for the Cybersecurity Advisor when the position is eventually staffed.
SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT. This section is really short, but read it verbatim here; you need to, because this one sentence will change the game considerably.
“Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.”
So my take on it is something like REAL-ID and/or HSPD-12 but for critical infrastructure.
My personal belief is that if you have centralized identity management, it runs contrary to civil liberties and privacy protections: the power of identification lies with the group that issues the identification. Hence the “rejection” of REAL-ID.
If I operated critical infrastructure, I would definitely protest this section because it gives the Government the decision-making authority on who can access my gear. Identity and access management is so pivotal to how we do security that there is no way I would give it up.
On the bright side, this section just calls for a feasibility report.
Verdict: Oh man, identification and authentication nation-wide for critical infrastructure? We can’t even do it in a semi-hierarchical top-down world of Government agencies, much less the privately-owned critical infrastructure.