Yet Another Bill (YAB) on Cyber Security

On Wed (17th), Rep. Bennie Thompson, Jane Harman and Yvette Clarkeintroduced the "Homeland Security Cyber and Physical InfrastructureProtection Act of 2010".  (http://homeland.house.gov/press/index.asp?ID=593&SubSection=0&Issue=0&DocumentType=0&PublishDate=0) Rep. Thompson is the Chairman of theCommittee on Homeland Security and the bill is intended to enhance theDHS's cyber security capacity. We've seen a bunch of these over thepast year and will see some more in the next one. Cyber Security is ahot topic of late and rightfully so. Our collective environments havebeen under significant attack by ever more sophisticated actors in thepast 6 years. James Lewis at the Center for Strategic and InternationalStudies has a running list of issues since 2006 that everyone shouldread (http://csis.org/publication/cyber-events-2006).

While the bills are important to address an issue that I've personallydedicated my career to, I think they fall short of success. One of themost significant issues that these bills are dealing with is if we placean edict on the private sector to address security (i.e. regulatoryaction) or have it be a self governing function. We've all seen howregulatory actions have been burdensome and not met the underlyingintent (SOX). I strongly recommend that there is more of a carrotapproach to the bills where incentives are used to motivate vs. a stick.It's been done in the past on critical issues and this one is nodifferent. Unfortunately, none of the bills have incentives in them.There are some key points to all of the bills that need to be readthrough.

 Private / Public management of Critical Infrastructure

 The core premise of the bills is to protect national criticalinfrastructure. That being underscored that about 90% of governmentwork is done by private companies makes it even more challenging.What's even more complicated is that the majority of the privatecompanies are small and don't have the resources to fund a matureInformation Security program to be compliant let alone do what isindustry leading. The bills need to ensure that these small companieswill be supported in implementing new controls or we need to expect thatthey will not survive and our overall services will be hindered.Without incentives, these companies will not be able to fund the newrequirements.

 Lack of Information Sharing

Since most companies have been compromised by targeted attacks and thereis a significant lack of reporting, true remediation or even knowledgeof the compromise in private companies that makes it very difficult forthe US-CERT to coordinate a response or take action against themalicious actors. This is made more difficult by the fact that there isstill a distrust, on both sides, of the other. Private companies arefearful that their information, that is attributed to them, will bereleased and they will have some brand damage to their customers.Public agencies are fearful that the information they share will beleaked to the overall public putting their intelligence and / orinvestigation into jeopardy. Without information sharing, privatecompanies will not get the collective information they need to defendthemselves and law enforcement won't get what they need to stop theattackers. A non-profit organization setup for the informationcollection, coordination and dissemination can be done in that regardsbut most importantly, there needs to be more relationship buildingbetween the FBI and private companies. An outreach program from the FBIto the various local CISO's would be a fantastic step forward inbuilding the trust.

Lack of a good Risk Management or Controls definition

One of the most significant problems we have in industry is theinability to wrap our hands around risk management. We've all used theterm but very few have a deep understanding on what that means. Withall of these bills there is the requirement of implementation ofcontrols in a "Risk Management" approach. Some, such as theLeiberman-Collins bill, states the use of NIST's method, is not goodenough as they are very unrealistic to use at an enterprise level. Theyare great for project based work, but to detail out a true RM method,they just don't work. This is one of the reasons that I've talkedabout our RM model for some years. Where, not perfect, it does go toenterprise Information Security Risk Management.

A Threats based model also is necessary to ensure a living organization.With current controls based models (COBIT, FISMA, etc) the controls arealready dated as they don't incorporate a process for building newcontrols based on new threats. By starting with threats we can resolvethis problem to ensure the controls reflect what our true threats areand more detailed than the very high level and abstracted frameworkssuch as COBIT.