Sunday, July 4, 2010

Senate Committee Unanimously Passes Major Cybersecurity Bill
- Risk mitigation shifting to continuous monitoring and dynamic response

On June 24th, the Senate Homeland Security and Governmental Affairs Committee unanimously approved an amended 200-page version of the controversial Protecting Cyberspace as a National Asset Act of 2010, a cyber security bill that will now move forward to the full Senate floor for consideration.

SANS Director Alan Paller’s related testimony (written, 17 pages, and discussed in the hearing) at the June 15th Senate hearing, Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century (webcast), strongly emphasizes more effective risk management and less "paperchasing" of the kind currently demanded by FISMA (with NIST standards and guidance mandatory). “When you demand that someone perform huge numbers of things, with limited budgets, you get dysfunctional results.”

The committee's bill includes a number of key elements, many of particular interest to critical infrastructure organizations:

  1. Creates an Office of Cyberspace Policy in the President's Executive Office to be run by a Senate-confirmed Director. The Director will advise the President on all cybersecurity matters, harmonize federal efforts to secure cyberspace, and develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic.
  2. Creates a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to be run by the Director. This will elevate and strengthen the Department’s cyber security capabilities and authorities. The NCCC will include the United States Computer Emergency Response Team (US-CERT).
  3. Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies' practices for protecting their internal networks and systems. Reforms will allow agencies to move towards real-time monitoring to secure critical systems (and away from the system of after-the-fact paperwork compliance).
  4. Requires the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
  5. Requires critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
  6. Creates a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
  7. Develops a comprehensive supply chain risk management strategy to address risks and threats to information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
  8. Requires the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.
With respect to NERC Reliability Standards, including the cyber security focused CIPs, an extensive compliance paperchase remains underway in 2010, with both industry and regulatory bodies facing a substantial phase-in of standards going through their first extensive audits. Much of the focus is on the language and interpretation of the Standards and the associated Reliability Standard Audit Worksheets (RSAWs); see the Resources link. Even if this bill became law today, it could be years before the related expectations and improvements are significantly reflected in the Standards.


- Lieberman, Collins, Carper Unveil Major Cybersecurity Bill to Modernize, Strengthen, and Coordinate Cyber Defenses (w/video ~10m), 6/10/2010
- Other recent hearings, such as one before the House Appropriations Committee, have also emphasized key elements of the bill: DHS Cyber Security Programs – What progress has been made and what still needs to be improved?, 4/15/2010