
US Makes No Progress on Cybersecurity

Written by Kim Davis
4/25/2012 27 comments

Just over a year ago, I wrote my first Internet Evolution Security Clan blog, about the federal government turning to the private sector to solve the key problem of trusted identities. As should be obvious, many cybersecurity problems would simply vanish if we could judge, with consistent accuracy, the source and authenticity of digital communications. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is aimed at achieving precisely this.

NSTIC coordinator Jeremy Grant estimated at the time that the program would see results in three to five years. It may be churlish, therefore, to inquire about progress so far, but I have a reason for doing so. With the House of Representatives preparing to vote on four cybersecurity bills, this week seems as good a time as any to grade progress in securing the national infrastructure, not to mention our information, privacy, and intellectual property.

The four bills in the House are:

  • The Cyber Intelligence Sharing and Protection Act (CISPA) (HR 3523)
  • Federal Information Security Amendments (FISMA) (HR 4257)
  • The Cybersecurity Enhancement Act (HR 2096)
  • A reauthorization of the Networking and Information Technology Research and Development (NITRD) program (HR 3834)

CISPA has attracted by far the most attention. Last week, I made the argument that CISPA was, in fact, not the return of SOPA/PIPA in disguise, and that it contained -- albeit clumsily worded -- safeguards against snooping. By the time my blog appeared, the hotly contested references to "intellectual property" as a cybersecurity issue had been removed.

The second part of my argument, which received less attention, was that CISPA wouldn't achieve much, except to impose a framework on the kind of sharing of security intelligence which can -- and should -- take place anyway.

FISMA, on the other hand, is a vital piece of legislation. It would mandate security standards among federal agencies, including a requirement for continuous threat monitoring. Although the cost of implementing FISMA has been estimated at around $700 million over the next five years, that's a bargain if the national government's cyberenvironment could be secured.

The Cybersecurity Enhancement Act seeks to coordinate cybersecurity research across federal departments, while the NITRD program represents broad collaboration on advanced IT issues, including cybersecurity as just one element.

Will all or any of these bills survive scrutiny? They stand a better chance, at least, than any legislation addressing the cybersecurity of the nation's critical infrastructure. Regular readers will recall that the Senate reached an impasse over two competing national cybersecurity bills, one of which mandated action from the DHS, while the other affirmed that the private sector was doing just fine, and should be left alone.

In the House, the Homeland Security Committee actually stripped important provisions from its equivalent legislation, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011 (HR 3674), leading ranking Democrat member Bennie Thompson (Mississippi) to conclude:

This substitute does little to address known risks to critical infrastructure. It replaces the value judgment of dozens of current and former top national security officials with the narrow view of the House Republican leadership.

PRECISE is not on the docket this week. Meanwhile, China continues to flex its cyberattack muscles.

Coming back to NSTIC, it turns out to be one of the national cybersecurity priorities embedded in the NITRD program, alongside public trust in healthcare IT, secure systems in transportation, and a number of other initiatives (PDF here; page 12). Excitingly, NSTIC envisions making five to eight awards for pilot trusted identity projects, in the event it can get the funding required. The earliest start date for these programs? September this year. Let's hear from Jeremy Grant again:

While we've thrown out the date of January 1, 2016 [for a fully functioning identity ecosystem], we think through efforts like these... we can actually start to drive some very material improvements in the very near term -- I would say 12 to 18 months.

Check back with me in... oh, two years from now.


— Kim Davis, Community Editor, Internet Evolution

Mary Jander
Thinkernetter
Thursday April 26, 2012 10:15:46 AM

Very compelling comparison with patent law, hbetts3. And agreed that the government so far has not proven to be constructive in efforts to legislate around IT.

Susan Fourtané
Thinkernetter
Thursday April 26, 2012 9:49:46 AM

Hi, Kim 

As I was reading your blog I was wondering if cyber-security shouldn't have a higher priority, as it's everyone's concern. 2016 sounds to me too far in the future when I come to think of the many changes that cyber-security will suffer until then.

"Check back with me in... oh, two years from now."

I will make sure you are on my 2014 to-do list. :)

-Susan  

Susan Fourtané
Thinkernetter
Thursday April 26, 2012 9:30:53 AM

Mary, 

"...since politicians as a group have not proved to have the technical chops to understand what they're legislating -- with potentially disastrous results." 

This sounds more than scary. If politicians are not able to understand what they are legislating, wouldn't it be better if they had a selected group of cyber-security professionals doing the job instead? I believe it would be a good idea, and citizens could be sure someone with the right knowledge and expertise studied the reasons behind the legislation.

-Susan  

hbetts3
Thinkernetter
Thursday April 26, 2012 8:39:30 AM

Working now, as I am, with secure systems, I can only say that security is an illusion.  It is a constant battle to keep the black hats out and the white hats in, and there are so many changing sides (including some wolves in sheep's clothing) that it's hard to know the players without a scorecard.

Security itself is an illusion.  We are never secure, we are just not in a position of immediate threat.  Where data is concerned (IP, DLP, etc), hacking is business and business is good for some.  I fully believe that there are more resources dedicated to cracking security than there are to keeping systems secure.  Versions of TLS have been cracked, XMLSec has been cracked, OpenSSL has bugs that allow for key compromise -- nothing is secure or safe.

With regard to the basic premise that the government first wants to secure identity management -- How could any entity ensure identity?  They can't.  Any method they use is subject to hacking, up to and including 2-factor authentication.  So, what has to happen is a "least risky" choice has to be made.  The problem with that is "least risky" is not a pragmatic evaluation -- it's not six-sigma, it is a grey area. I think the government is looking to the private sector (a.k.a. Industry) to solve its identity management problem, and the fact is that the private sector cannot solve its own problem in that arena.

With regard to legislation... I have no words.  It is my firm opinion (not humble in the least) that we should not legislate common sense (nor should we depend on legislation to dictate what is common sense).  Unfortunately, for the government, legislation == authorization (from a legal and budgetary perspective). I think these bills that are in the works will be misused by certain businesses within the private sector.  Don't agree?  Ask yourself this, "Have the patent laws been abused, of late, by companies seeking to stymie the growth of competition?"  You'll find the answer to that is "Yes." And you understand why people in general are skeptical of legislation that can, even in appearance, limit freedoms, or expression of free thought, or expression of creativity, or competition within business sectors.

You bring up so many good points but ultimately, it is just a "wait and see" game.  If you are in the security industry, it's a good time to be a white hat because there are lots of opportunities for excellence.  If you are in IT and looking for the next growth industry, look no further than your own network.  There's plenty of opportunity to secure your networks, your communication, and your data.

Lippencotte
Rank: Cyborg
Thursday April 26, 2012 8:02:13 AM

Could it be as simple as this: if they come up with a good mechanism, big brother/sis would no longer be able to freely look where they want to?

I am skeptical of this whole thing since I have been reading about it.

JCitizen
Rank: Web master
Thursday April 26, 2012 1:07:48 AM

For sure, Mary! I've felt the seemingly non-existent efforts of our "Cyber-security" apparatus have been a joke from the start.

I remain suspicious of this new idea, and the thought that you can legislate security in the first place!

It seems to me that hardware and software assurance proposals would go a long way toward a common goal in my mind. Simply giving industry and private coalitions the tools to go after criminals, and nefarious governments, by setting us up to equality with Microsoft's efforts would go a long way.

They don't even bother gathering data from affected victims in this industry! They couldn't care less if you can't prove some kind of loss above $5000. How can you put a price on lost innovation, or intellectual property?!

Mary Jander
Thinkernetter
Wednesday April 25, 2012 5:39:11 PM

Thanks for this summary, Kim. In some ways, it may be a good thing that some bills aren't going anywhere at the moment, since politicians as a group have not proved to have the technical chops to understand what they're legislating -- with potentially disastrous results.

 
