Tuesday, April 28, 2009

Cyber Security Kill Switch Bill

On April 1st, Sen. John D. Rockefeller IV (D-W.Va.) and Sen. Olympia Snowe (R-Me.) introduced Senate Bill 773, also known as the Cybersecurity Act of 2009. This bill seeks to provide increased protections to United States critical infrastructure from the threat of a cyber attack. In the abstract, I think that is a good idea. The specific implementation of this bill, however, has some problems. I won't go through the entire bill, but I'll provide some highlights.

This bill calls for a Cybersecurity Advisory Panel that will be created by the President to track the state of security of critical infrastructure. The panel will report to Congress "not less frequently than once every two years".

The bill calls for the creation of a cybersecurity dashboard that can track the state of security of all critical infrastructure assets in real time.

It calls for the creation of regional cybersecurity centers that will "transfer" standards to the private sector with a focus on small to mid-sized businesses. These regional centers will also have funding to make loans to small businesses to promote enhanced security.

The bill tasks NIST with creating much more robust standards, including standards for secure coding and software configuration.

It also calls for the implementation of a "secure" DNS solution.

The bill will also make it illegal for "any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."

The bill establishes the "Department of Commerce as the clearinghouse of cybersecurity threat and vulnerability information to Federal Government and private sector owned critical infrastructure information systems and networks." In this role, the Dept. of Commerce "shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access".

The bill requires that "within 1 year after the date of enactment of this Act, the President, or the President's designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks."

The bill gives the President the authority to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network" and to "order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security".

You will note that throughout these summary points, the phrase "critical infrastructure" is stated frequently. Whether any specific organization or network is "critical infrastructure" will determine if it falls under the purview of this bill. According to the bill, the President will determine what makes up "critical infrastructure".

I'm going to avoid any purely political analysis of this bill. Whether you think the federal government should be responsible for cybersecurity of private industry is for you to decide. I want to comment on whether this bill will achieve the desired objectives of making our critical infrastructure more secure. In short, I believe that not only will our critical infrastructure not be more secure, it will in fact become less so.

I have done a lot of work with regulated companies: health care, pharma, financial, retail, etc. While the regulations covering them are different, I have seen one common factor, something I call the checklist syndrome. When organizations are forced to comply with a security regulation, they start by developing a checklist of what is required. They then audit themselves to determine where their gaps are. Finally, they work to fill the gaps and believe themselves secure. In taking this approach, I have seen more than one organization intentionally ignore a good security measure because it was not required for compliance. I have seen companies re-word strong policies so they will only apply to the subset of their systems required for compliance. Guess what?!?!? The attackers also have access to the compliance standards. Setting up a security program that is precisely and only what is required for compliance gives the attackers a picture of your strengths and weaknesses.

Imagine if we were required by law to secure our homes. The law states that we must lock all doors and windows when we are away. It also requires that sensors be installed on all ground floor doors and windows to detect unauthorized access. It also requires that motion sensors be installed on the ground floor. In theory, homes adhering to these standards would be more secure, but let's now assume that people forced to comply with this do so by adhering to the principles of checklist syndrome. They do exactly what is listed in the law and consider themselves secure. Attackers, knowing this, take advantage of the lack of exterior lighting (not required by the law) to provide cover as they climb to the second story, break a window and steal what they can find. Because they never go to the first floor, they never trip the sensors, but the victims are still victims. I understand that my example is overly simplistic, but Hannaford Supermarkets was "PCI DSS compliant" up until they suffered a massive compromise.

Aside from the checklist syndrome problems, there are a number of other problems I see with this bill.

The Cybersecurity Advisory Panel is only required to report every two years. How much changes in the world of information security in two years? The state of cybersecurity could go from "outstanding" to "epic fail" in two days under the right circumstances, let alone two years.

Requiring cybersecurity professionals to be licensed and certified sounds nice but has some dramatic potential impacts. Who will create the certification and licensing process, and how much will it cost? If infosec people need to invest time and money into this licensing/certification, what will that do to all of the existing certification organizations (e.g. SANS, (ISC)2, ISACA, etc.)? As these licensing requirements get put in place, those who are licensed will become more valuable and thus will demand higher pay. Many organizations already struggle trying to maintain infosec expertise on staff. This may make it far more difficult. What about consulting firms who do security-related but not security-specific work? Is deploying Active Directory or a Cisco router security work? What about a firewall? Will the folks that do this type of work also need to be cybersecurity certified?

I'm entirely in favor of better security, but I'm not sure this is the way to go about it. If it were up to me and I was inclined to draft legislation about cybersecurity, I think I might keep it far simpler:

1) Thou shalt incorporate risk assessment into strategic and operational business decisions.

2) Thou shalt make security decisions based on assessed risk such that (a) unacceptable risk shall be mitigated and (b) acceptable risk shall be documented.

3) Thou shalt establish proper standards for security; the standards shall be implemented based on assessed risk and thou shalt regularly audit for compliance with established standards.

4) Thou shalt establish roles and responsibilities for promoting security, and one such role shall be responsible for maintaining a current understanding of security threats, techniques, technologies and trends.

5) Security shall be prioritized equally with performance and functionality, and a lack of any of these shall not be accepted.

6) Failing to implement reasonable controls to protect against commonly understood threats is negligence.

7) Security is not a technology issue; rather it is a business issue that involves technology, people, policy and process. Similarly, technology does not provide the full security solution.

8) Computing hardware and software are extremely complex and will have vulnerabilities. Expect them and build security around that fact.

9) Security is not about protection only; rather it involves protection, detection, response and recovery, the ratios of which are determined by assessing risk.

10) Security can never be 100% effective as long as people are involved.

Another approach would be to make getting compromised illegal. Perhaps that would get organizations to pay security proper attention. (wink, wink, nudge, nudge)