Hmmm.... Federalized cyber security

[PocketProtector]

http://www.washingtonpost.com/wp-dyn...103684_pf.html

[Neo31rex31]

Senate Legislation Would Federalize Cybersecurity
Rules for Private Networks Also Proposed

By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04

Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the "third rail of cybersecurity policy." Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation's defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

"People say this is a military or intelligence concern, but it's a lot more than that," Rockefeller, a former intelligence committee chairman, said in an interview. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation's cyberdefenses. "It's not a problem that will ever be completely solved," Rockefeller said. "You have to keep making higher walls."

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

"The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber," he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is "not being used to gather private information."

[Morel42]

It sounds all spooooky..

However without reading the actual bill I'd withhold my judgement. We currently depend on private networks for many national security activities, and these currently have an undefined and haphazard standards process when it comes to security and intruder detection.

You also have EXTREMELY lax security training for government agencies. Employee's sending unsecured emails, IM's, and peer to peer file sharing going on that introduces huge gaping security holes inside any private network..

Server configurations that are incorrect, policies leaving critical server information open to those who know how to look. Password policies that are laughable..

FYI, with a simple email sent I can usually find out the following (Unless email was sent through a secure proxy, or other such measures being used)

Your location
Your Name
Operating System type and version
Computer specs
Type of Modem (DSL/Cable/Dialup) used

Having those.. I can find out where you live, your hobbies, your friends, your phone number, where your kids go to school, how much your house is worth, your criminal record, how many times you were caught speeding and where, your drivers license number, and pretty much anything else ever recorded on any database/site you've ever visited..

It's a hackers life for me ho ho ho!

[adymond]

If the cybersecurity to be federalized is for federal agencies only I'm okay with it I think, but if this means there will be a federal version of Norton mandated for private networks I am totally against this. I can't figure out which it is.

[PocketProtector]

Color me crazy but IMHO, it's just more snooping eyes.

[••SpraynPray••]

hmm I was wondering where all that bail-out money went..

[Morel42]

If the cybersecurity to be federalized is for federal agencies only I'm okay with it I think, but if this means there will be a federal version of Norton mandated for private networks I am totally against this. I can't figure out which it is.

Quoted for Truth.. And put more simply then I stated. Damn my tendency to rant

[adymond]

Quoted for Truth.. And put more simply then I stated. Damn my tendency to rant

Finding common ground with the enemy daily since July 2008 .

I'd also add the comment about this seeming to be more snooping eyes if they are talking about personal networks being forced to accept federalized cybersecurity.

No, I wouldn't damn your tendency to rant. It prooves pretty entertaining sometimes.