Source: Wired
Kim Zetter
After three years of haggling to produce bipartisan cybersecurity
legislation that addresses the security of the nation’s critical
infrastructure systems, the Senate finally got a bill this week that
seemed destined to actually pass.
That is, until a hearing on Thursday to discuss the bill in which
Sen. John McCain (R-Arizona) sideswiped lawmakers behind the proposed
legislation and announced that he, and seven other Senate ranking
members, were opposed to the bill and would be introducing a competing
bill in two weeks to address failings they see in the legislation.
McCain and his colleagues oppose the current bill on the grounds that
it would give the Department of Homeland Security regulatory authority
over private businesses that own and operate critical infrastructure
systems and that it doesn’t grant the National Security Agency, a branch
of the Defense Department, any authority to monitor networks in
real-time to thwart cyberattacks.
The bill neglects to give authority “to the only institutions
currently capable of [protecting the homeland], U.S. Cybercommand and
the National Security Agency (NSA),” McCain said in a written statement presented at the hearing.
“According to [General Keith Alexander, the Commander of U.S.
Cybercommand and the Director of the NSA] in order to stop a cyber
attack you have to see it in real time, and you have to have those
authorities…. This legislation does nothing to address this significant
concern and I question why we have yet to have a serious discussion
about who is best suited to protect our country from this threat we all
agree is very real and growing.”
The current cybersecurity bill proposes to do what nothing else has
succeeded in doing to date – that is, improve the security of critical
infrastructure systems. It would do this by giving the government
regulatory power over companies that operate such systems to force them
to do due diligence.
Sen. Joe Lieberman (I-Conn.) introduced the legislation on Tuesday
along with Sen. Susan Collins (R-Maine) and Sen. Jay Rockefeller
(D-W.Va.).
The Cybersecurity Act of 2012 (.pdf) requires the government to assess which sectors of critical
infrastructure pose the greatest immediate risk and gives the Department
of Homeland Security regulatory authority over the private companies
that control designated critical infrastructure systems — such as
telecommunications networks and electric grids and any other network
“whose disruption from a cyber attack would cause mass death,
evacuation, or major damage to the economy, national security, or daily
life.”
The bill keeps the authority for critical infrastructure security
oversight in the hands of DHS, a civilian agency, as opposed to McCain’s
preference for the NSA, which protects the military’s networks and the
government’s classified networks.
But Homeland Security head Janet Napolitano testified in support of
enhanced authority for DHS, noting that the government’s expanding
efforts in this area include a 2013 budget request of a whopping $769
million for cybersecurity efforts – 74 percent higher than 2012's budget
request.
The legislation would require owners and operators of critical
infrastructure to meet security standards established by the National
Institute of Standards and Technology, the National Security Agency and
other designated entities, or face unspecified civil penalties. Critical
infrastructure entities would be allowed to determine how best to meet
the standards based on the nature of their business sector, but they
would be required to certify annually that they do meet them.
The bill would protect entities that adhere to the standards from
being sued in civil court for punitive damages should they experience a
cyber-attack, though the bill says nothing about protecting them from
suits for actual damages.
Critical infrastructure owners and operators can “self-certify” that
they are compliant or obtain an audit from a third-party, similar to the
way that companies that process credit and debit card payments
currently obtain third-party audits certifying that they adhere to
standards set by the payment card industry.
This raises questions, however, about how effective such certifications will be for securing critical infrastructure.
Certifications in the payment card industry have been widely criticized as ineffective,
since the third-party auditors that certify systems against a checklist of
requirements are paid to do so and have an incentive to pass a system
lest they not be invited back to conduct subsequent assessments. A
number of the most high-profile and expensive credit card data breaches
have occurred at companies that were certified compliant at the time
they were breached, highlighting the unreliability of such measurements.
Chris Wysopal, chief technology officer for computer security firm VeraCode,
expressed doubts that the proposed legislation would improve security
unless it included some tangible way to verify that the standards, as
implemented by companies, are actually tested to ensure that they secure
critical facilities.
“There has to be some reality-based testing of whether the stuff is
actually effective,” Wysopal told Wired. “That’s what the U.S.
government does when they want real assurance – they have a Red Team at
the NSA test to see if what they’re doing is really working.”
He suggested the government might take a random sampling of critical
infrastructure companies each year to conduct penetration tests to
verify that the standards – and the ways that companies are implementing
them – are doing what they’re meant to do.
Wysopal also says that for the standards to be effective they have to
be re-assessed each year and altered to adapt to new threats.
“We’re dealing with a very evolving tech landscape and threat
landscape,” he said. “Attackers change their attacks all the time, and
anything that’s a standard has to be a totally living standard that
people realize they will have to re-address each year.”