Can an Act of Congress Give the US the Cybersecurity It Needs?
Feb 22, 2010 6:00 AM PT
Within about a year, the United States may be better prepared to defend itself against a cyberattack, if the Senate passes Bill H.R. 4061, also known as the Cybersecurity Enhancement Act of 2009.
This bill is a combination of the Cybersecurity Research and Development Amendments Act of 2009 and the Cybersecurity Coordination and Awareness Act of 2009. It was overwhelmingly passed in the House of Representatives earlier this month and will now go to the Senate.
Among other things, the Act calls for the establishment of a federal cybersecurity research and development strategic plan; requires the National Science Foundation to conduct social and behavioral research in the field of cybersecurity; provides for education and training in the field; and requires the Office of Science and Technology Policy (OSTP) to look at the cybersecurity workforce and figure out what's needed to improve it.
Inside Bill H.R. 4061
The Cybersecurity Enhancement Act of 2009 requires a strategic plan for federal cybersecurity research and development. It also calls on the National Science Foundation to establish a post-doctoral fellowship program in cybersecurity and conduct social and behavioral research into cybersecurity.
Social and behavioral research is critical -- human beings are often the weakest link in computer security. Skilled hackers often engage in "phishing," the manipulation of social behavior to lure victims onto their sites or into opening malware packages. For example, hackers have posted photographs of celebrities on social networking sites with links to sites purported to have juicy details about their lives. Clicking on these links downloads malware onto visitors' computers instead.
"It's clear that the biggest security risk on most networks is the person at the keyboard," said Stewart Baker, distinguished visiting fellow at the Center for Strategic and International Studies. "Research into social engineering aspects of computer attacks is worth thinking about."
However, it's unclear whether that research can do more than contribute to our knowledge of why people react the way they do to phishing attacks. "Whether there are really ways to prevent social engineering is a tougher question," Baker told TechNewsWorld.
Education and training are another problem area in the federal cybersecurity infrastructure. The bill requires the OSTP to assess the current and future workforce needs of the federal government and to compare the skills needed by each federal agency, the supply of talent, and any barriers to recruitment.
Former White House cybersecurity advisor Melissa Hathaway said during a Cisco TV Web broadcast recently that government cybersecurity staff need to have further on-the-job training. She also called on Washington to define the skills and abilities required by federal chief information security officers.
"Research and education can accomplish much -- but more in the nature of an evolution rather than a revolution," Scott Crawford, managing research director at Enterprise Management Associates (EMA), told TechNewsWorld. "I think this initiative is a step in the right direction, and is very much needed to improve the capabilities of both people and systems that we very much need today."
In terms of barriers to recruitment, the relatively low federal pay scale is a major factor. In general, senior federal IT officers are poorly paid compared to the private sector, and they often cite this factor when leaving public service for work at a business.
There Can Be Only One Identity
H.R. 4061 also directs the U.S. National Institute of Science and Technology (NIST) to look into unifying and standardizing identity, privilege and access control management frameworks, among other things.
Here's where things get interesting. Is the act seeking to create some sort of national identity card that all citizens must carry at all times? And would that be a good or a bad thing?
"There would be some definite advantages to federal identity, particularly as a standardized way to establish identity," EMA's Crawford said. "But it also raises the question as to how much information would be considered justifiable to link with this identity data." Should we, for example, link business transactions to federal identities?
"It's unfortunate that the bill does not seem to recognize that identity management systems can in themselves be a threat to privacy and anonymity," Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, told TechNewsWorld. "Given our constitutional commitment to civil liberties like freedom of speech, of religion, of the press, of association, and of course the right to privacy, there are obvious limits to how far identity management should and can lawfully go."
That attitude doesn't cut much ice with the CSIS' Baker. "I don't have a lot of sympathy for people trying to find potential for government abuses when there are such serious actual criminal abuses already occurring," he pointed out. "We seem so determined to prevent government from doing anything objectionable that we are preventing government from doing anything, period."
The possibility of corporations and criminals abusing federal identities is another concern for EMA's Crawford. We are more likely to see private companies further exploiting personal data for marketing purposes if a federal identity is established than we are to encounter government exploitation, he said.
To sum it up, then, a federal identity could be a good thing if enough safeguards are built in to prevent abuse by the government, businesses or cybercriminals.
There's little doubt, however, that our cybersecurity defenses do need shoring up, as the recent Cyber ShockWave simulated cyberattack on America showed.