The Macrosite for News, Analysis and Opinion about the Future of the Internet

US Makes No Progress on Cybersecurity

Written by Kim Davis
4/25/2012 27 comments

Just over a year ago, I wrote my first Internet Evolution Security Clan blog, about the federal government turning to the private sector to solve the key problem of trusted identities. As should be obvious, many cybersecurity problems would simply vanish if we could judge, with consistent accuracy, the source and authenticity of digital communications. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is aimed at achieving precisely this.

NSTIC coordinator Jeremy Grant estimated at the time that the program would see results in three to five years. It may be churlish, therefore, to inquire about progress so far, but I have a reason for doing so. With the House of Representatives preparing to vote on four cybersecurity bills, this week seems as good a time as any to grade progress in securing the national infrastructure, not to mention our information, privacy, and intellectual property.

The four bills in the House are:

  • The Cyber Intelligence Sharing and Protection Act (CISPA) (HR 3523)
  • The Federal Information Security Amendments Act (HR 4257), which would update FISMA
  • The Cybersecurity Enhancement Act (HR 2096)
  • A reauthorization of the Networking and Information Technology Research and Development (NITRD) program (HR 3834)

CISPA has attracted by far the most attention. Last week, I made the argument that CISPA was, in fact, not the return of SOPA/PIPA in disguise, and that it contained -- albeit clumsily worded -- safeguards against snooping. By the time my blog appeared, the hotly contested references to "intellectual property" as a cybersecurity issue had been removed.

The second part of my argument, which received less attention, was that CISPA wouldn't achieve much, except to impose a framework on the kind of sharing of security intelligence which can -- and should -- take place anyway.

The FISMA amendments, on the other hand, are a vital piece of legislation. They would tighten the security requirements that apply to federal agencies, including a requirement for continuous monitoring of agency systems in place of the periodic, paperwork-driven compliance reporting FISMA has long been criticized for. Although the cost of implementing the bill has been estimated at around $700 million over the next five years, that would be a bargain if it actually secured the federal government's own networks.

The Cybersecurity Enhancement Act seeks to coordinate cybersecurity research across federal departments, while the NITRD program represents broad collaboration on advanced IT issues, including cybersecurity as just one element.

Will all or any of these bills survive scrutiny? They stand a better chance, at least, than any legislation addressing the cybersecurity of the nation's critical infrastructure. Regular readers will recall that the Senate reached an impasse over two competing national cybersecurity bills, one of which mandated action from the DHS, while the other affirmed that the private sector was doing just fine, and should be left alone.

In the House, the Homeland Security Committee actually stripped important provisions from its equivalent legislation, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011 (HR 3674), leading the committee's ranking Democrat, Bennie Thompson (Mississippi), to conclude:

This substitute does little to address known risks to critical infrastructure. It replaces the value judgment of dozens of current and former top national security officials with the narrow view of the House Republican leadership.

PRECISE is not on the docket this week. Meanwhile, China continues to flex its cyberattack muscles.

Coming back to NSTIC, it turns out to be one of the national cybersecurity priorities embedded in the NITRD program, alongside public trust in healthcare IT, secure systems in transportation, and a number of other initiatives (PDF here; page 12). Excitingly, NSTIC envisions making five to eight awards for pilot trusted identity projects, in the event it can get the funding required. The earliest start date for these programs? September this year. Let's hear from Jeremy Grant again:

While we've thrown out the date of January 1, 2016 [for a fully functioning identity ecosystem], we think through efforts like these... we can actually start to drive some very material improvements in the very near term -- I would say 12 to 18 months.

Check back with me in... oh, two years from now.

— Kim Davis, Community Editor, Internet Evolution

Kim Davis
Thinkernetter
Wednesday May 2, 2012 3:49:39 PM

Perhaps NSTIC will include something like PGP in its proposals, but it's not without its problems.

Sharing keys by accident.

Mike Acker
Rank: Cyborg
Wednesday May 2, 2012 8:17:12 AM

KD:="As should be obvious, many cybersecurity problems would simply vanish if we could judge, with consistent accuracy, the source and authenticity of digital communications. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is aimed at achieving precisely this."

Phil Zimmerman explained how to do this in his original essay on PGP back in June, 1993

almost 20 years ago


hounhosp
Thinkernetter
Friday April 27, 2012 9:24:57 PM

@JCitizen

"I'm just nervous I guess; free men everywhere should be, I hope."

I agree, but security awareness doesn't mean that we are not living in a free society.

JCitizen
Rank: Web master
Thursday April 26, 2012 5:45:02 PM

Thanks Kim; our organization sent some suggestions to the NIST comment window, but I'm not sure I even liked our "suggestions", because I realize our proposal looked a lot like this solution. I'm just nervous I guess; free men everywhere should be, I hope.

hbetts3
Thinkernetter
Thursday April 26, 2012 5:03:39 PM

That I get. And to that point, it shames me that the DOD, DISA, FBI, CIA, and other agencies can't act without congressional authorization. We've hamstrung what should be our thinking organizations with bureaucracy.

aum007
Thinkernetter
Thursday April 26, 2012 4:09:26 PM

Susan,

I agree.

It's a very serious problem.

The way Americans tend to sort out this problem is through the lobbyists, who are a big part of the political process in DC today.

The lobbyists (most of whom tend to be paid by the companies most affected by these laws) tend to lobby so that the laws fit their needs best.

I know it's not the same as having a committee of experts drafting laws (that's the system in place in China, BTW), but it just happens to have served America reasonably well, in spite of whatever the naysayers would have you say. After all, America is still the Numero Uno economy in the world and where anyone with a great idea wants to be.

Regards

Ashish.

Kim Davis
Thinkernetter
Thursday April 26, 2012 3:45:10 PM

JCitizen: if the legislation passed, I am sure we'd see the DHS outsourcing the compilation of standards, whether to NIST or DARPA or some other body I don't know.  If acronyms were any defense, we'd be laughing.

Kim Davis
Thinkernetter
Thursday April 26, 2012 3:40:23 PM

hbetts, I think I was actually unclear.  Rather than referring to cyberterrorism, I was just making a comparison. Because we can't hope to be immune to terrorism doesn't mean we shouldn't take steps to protect ourselves; likewise, because we can't be immune to cyberattacks...etc.

I agree the extraordinary steps are warranted, but right now it seems hard to get Congress to take baby steps.

JCitizen
Rank: Web master
Thursday April 26, 2012 1:43:04 PM

Then we need a "UL" type of institution for these standards. Since United Laboratories has been a success, why not model it after that? I'm not sure I even want IEEE issuing all security standards; there are agendas in that organization that I'm not sure have freedom and liberty as a central interest. I don't know if I trust the organization completely.

WaqasAltaf
IQ Crew
Thursday April 26, 2012 1:07:43 PM

It may be a slow and cumbersome process, attracting a lot of federal scrutiny and criticism, but in the long run the program's benefits will outweigh and reward the investment of time and money. However, this doesn't mean that the federal security agencies can relax and follow the plan. There should always be analysis of how speedily implementation of the program can be achieved. And ideally, it should be before a cyber attack ensures that the damage is widespread and costly and a wake-up call is received.
