Just over a year ago, I wrote my first Internet Evolution Security Clan blog, about the federal government turning to the private sector to solve the key problem of trusted identities. As should be obvious, many cybersecurity problems would simply vanish if we could judge, with consistent accuracy, the source and authenticity of digital communications. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is aimed at achieving precisely this.
NSTIC coordinator Jeremy Grant estimated at the time that the program would see results in three to five years. It may be churlish, therefore, to inquire about progress so far, but I have a reason for doing so. With the House of Representatives preparing to vote on four cybersecurity bills, this week seems as good a time as any to grade progress in securing the national infrastructure, not to mention our information, privacy, and intellectual property.
The four bills in the House are:
- The Cyber Intelligence Sharing and Protection Act (CISPA) (HR 3523)
- Federal Information Security Amendments (FISMA) (HR 4257)
- The Cybersecurity Enhancement Act (HR 2096)
- A reauthorization of the Networking and Information Technology Research and Development (NITRD) program (HR 3834)
CISPA has attracted by far the most attention. Last week, I made the argument that CISPA was, in fact, not the return of SOPA/PIPA in disguise, and that it contained -- albeit clumsily worded -- safeguards against snooping. By the time my blog appeared, the hotly contested references to "intellectual property" as a cybersecurity issue had been removed.
The second part of my argument, which received less attention, was that CISPA wouldn't achieve much, except to impose a framework on the kind of sharing of security intelligence which can -- and should -- take place anyway.
FISMA, on the other hand, is a vital piece of legislation. It would mandate security standards across federal agencies, including a requirement for continuous monitoring of threats and security posture. The cost of implementing it has been estimated at around $700 million over the next five years; that would be a bargain if it actually secured the federal government's cyber environment.
The Cybersecurity Enhancement Act seeks to coordinate cybersecurity research across federal departments, while the NITRD program represents broad collaboration on advanced IT issues, including cybersecurity as just one element.
Will all or any of these bills survive scrutiny? They stand a better chance, at least, than any legislation addressing the cybersecurity of the nation's critical infrastructure. Regular readers will recall that the Senate reached an impasse over two competing national cybersecurity bills, one of which mandated action from the DHS, while the other affirmed that the private sector was doing just fine, and should be left alone.
In the House, the Homeland Security Committee actually stripped important provisions from its equivalent legislation, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011 (HR 3674), leading ranking Democrat member Bennie Thompson (Mississippi) to conclude:
This substitute does little to address known risks to critical infrastructure. It replaces the value judgment of dozens of current and former top national security officials with the narrow view of the House Republican leadership.
PRECISE is not on the docket this week. Meanwhile, China continues to flex its cyberattack muscles.
Coming back to NSTIC, it turns out to be one of the national cybersecurity priorities embedded in the NITRD program, alongside public trust in healthcare IT, secure systems in transportation, and a number of other initiatives (PDF here; page 12). Excitingly, NSTIC envisions making five to eight awards for pilot trusted identity projects, in the event it can get the funding required. The earliest start date for these programs? September this year. Let's hear from Jeremy Grant again:
While we've thrown out the date of January 1, 2016 [for a fully functioning identity ecosystem], we think through efforts like these... we can actually start to drive some very material improvements in the very near term -- I would say 12 to 18 months.
Check back with me in... oh, two years from now.
— Kim Davis, Community Editor, Internet Evolution