With some fanfare, the US executive branch (the White House) unveiled a proposal for cybersecurity legislation “focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers.”
At first glance, it’s more of the same. Which is not much. A lot of it is voluntary, which means it won’t happen. Like government assistance to industry, states, and local governments when a breach happens. Sounds a lot like the scariest statement you can hear: “We’re from the Government, and we’re here to help.” I guess there is some value to understanding the process to engage the feds, especially if you plan to use APT in your PR spin. There are also some ideas on voluntary information sharing, which would be great. Again, if it happens, but there are many pesky details to figure out before you can actually share information safely, as I discussed in the Benchmarking series.
The section on Protecting Federal Government Computers and Networks is also more of the same. Update FISMA. Yawn. Give DHS more flexibility to hire security folks in a competitive market. Good luck with that. They also want to give DHS purview over all the federal IPS devices protecting civilian computers. That’s great news for investors in IPS companies, as it means the feds will continue buying IPS forever. You thought it was hard to kill a technology in your shop? Imagine if you needed an act of Congress to change your architecture. (Note: I am aware there is some flexibility in what is called an ‘IPS’.) Guess the IPS lobbyists are better than the AV lobby, as they didn’t get mentioned specifically.
The feds are also embracing the cloud and want to put some language in there to prevent specific states from mandating where a data center is built. Good luck getting that through Congress.
The Fact Sheet also talks about privacy issues and consulting “privacy and civil liberties experts,” while requiring approval of the Attorney General to implement the cybersecurity program. This will ensure folks are doing the right thing, right? That makes me feel comfy, since the AG always has our best interests in mind (PATRIOT Act, anyone?). What could possibly go wrong?
Not sure this is change we can believe in. With one exception. We all like the new National Data Breach Reporting requirement (it’s about time!), and the ability to use RICO to prosecute computer criminals. Accepting that a lot of computer crime is driven by organized crime factions, which are typically prosecuted through RICO, is progress. Treble damages are no fun, nor are 20+ year jail terms. If you believe in penalties as a deterrent for crime, this is good news. And something I think they will have very little trouble getting passed.
But let’s be clear about the reality. This is just a legislative proposal. Now the fun begins, where lobbyists, special interests, and all the other wackiness kicks in to water this down before it becomes a law, and to bolt about $10 billion worth of pork onto it. You’ve got to keep the locals happy, no?
I know, I’m a little cynical. I’m glad Howard Schmidt is keeping busy with press releases, but this new proposal will have no short-term and limited mid-term (2-3 year) impact. Like the changes resulting from the 2009 Cyberspace Policy Review. Right – there were none. In the computer security world, being two days behind the times is a killer. Legislation is 5 years behind on a good day. And that’s being kind.
Unless you sell IPS – then you are probably pretty happy.