Security Legislation: A Rat's Nest of Agendas
Dec 20, 2011 5:00 AM PT
The United States government launched initiatives this past week to enhance cybersecurity, but these efforts may add to the confusion around the issue in federal government circles.
One development involves the unveiling of the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PrECISE) by the U.S. House of Representatives' Homeland Security Committee.
This seeks to give the U.S. Department of Homeland Security the authority to govern cybersecurity efforts. It also seeks to set up a National Information Sharing Organization, or NISO, to promote the sharing of cybersecurity information between the private and public sectors.
Caring and Sharing
NISO will be a quasi-governmental entity that will act as a clearinghouse for the exchange of information about cyberthreats and vulnerabilities between the private and public sectors.
It will be a non-profit organization with a board of directors appointed by DHS from federal agencies and the private sector. NISO will integrate with the National Cybersecurity and Communications Integration Center at the DHS.
Obstacles to Free Information Flow
However, there's another bill on cybersecurity also before Congress. This is the Cyber Intelligence Sharing and Protection Act of 2011.
The Cyber Intelligence Sharing and Protection Act is a bipartisan bill drafted by the House Intelligence Committee and backed by Verizon Wireless and other corporations.
However, it has been strongly criticized as being a threat to consumer privacy.
Further, the FBI already has its own National Information Sharing Strategy (NISS), and how that will play with NISO, if the latter organization is indeed established, remains to be seen.
Testifying on the PrECISE Act before the House last week, Gregory T. Nojeim of the Center for Democracy and Technology indicated it was preferable to the Cyber Intelligence Sharing and Protection Act but stated it still has some flaws.
DHS Issues Cybersecurity Blueprint
This past week also saw the DHS issuing its Blueprint for a Secure Cyber Future.
This describes two areas of action: Protecting the United States' critical information infrastructure today and building a stronger cyber ecosystem for tomorrow.
The document lists four goals for protecting critical information infrastructure, supported by nine objectives. It also lists four goals for strengthening the cyber ecosystem and 11 objectives supporting these.
However, some have questioned whether actions will match words.
"I'm ... concerned about a seemingly ongoing disconnect between high-level federal pronouncements and practical action," Scott Crawford, a research director at Enterprise Management Associates, told TechNewsWorld. "Better interagency cooperation should be another practical goal [rather] than making high-level pronouncements, which may have a positive political effect but may be less practical in application."
CyberScope is an example of a case where "the government mandated adoption of a program that should ... be beneficial but hampered the effort by issuing unrealistic deadlines and unfunded mandates for adoption," Crawford elaborated.
CyberScope is an application worked on jointly by the DHS and the U.S. Department of Justice to handle manual and automated inputs of agency data for FISMA reporting.
FISMA or Fiction?
FISMA is the Federal Information Security Management Act. Security experts have complained for years that it's simply a checklist of actions and that checking the boxes listed doesn't make for better security.
At least one federal agency, the U.S. Nuclear Regulatory Commission, could perhaps follow FISMA's guidelines more closely.
An independent evaluation of NRC's FISMA implementation for fiscal year 2011 found three information system security program weaknesses.
These include the need for a well-defined risk management program and for better discipline over configuration and change management.
The Carrier IQ Case Continues
Meanwhile, the brouhaha over Carrier IQ, whose information tracking software is used by carriers on over 100 million cellphones, seems to have intensified.
Carrier IQ's executives have reportedly met with officials at the U.S. Federal Trade Commission and the U.S. Federal Communications Commission, as well as the staffs of three senators who had written to the company expressing their concerns over the issue.
An End to Spear Phishing?
Abaca has developed an algorithm that John Jefferies, the company's general manager, claims can block almost all spear phishing attempts.
Spear phishing is a tactic wherein the attackers send an email crafted to appeal to a particular target audience that either contains a poisoned link or has a poisoned attachment.
The algorithm combines "all the evidence we observe" and can react instantly to spam, which includes spear phishing attempts, because it's not rules-based, Jefferies told TechNewsWorld.