One can't help but think that McFate (as Nabokov called him) has a special place for Sarah Palin and Senators Lieberman and Collins. After Palin called for 'drill, baby, drill', McFate obligingly arranged for BP to have a spectacular oil spill. Then, no doubt pleased with himself, McFate arranged for Middle Eastern governments to hit the kill switch on the Internet a few months after the Senators introduced the so-called Internet kill switch bill.
The bill, now stripped of its kill switch provision (though the same authority still resides in Section 706 of the Communications Act of 1934), has been reintroduced by Senators Lieberman, Collins, and Carper as the Cybersecurity and Internet Freedom Act (S413).
I'm not going to take up the refrain already coming from the privacy community (mafia would be a better term) -- I have my own issues with their perspective. My concerns about S413 are based on the boring reality of life -- that oftentimes it is the details that matter. (And, in the interests of full disclosure, the text of S413 is not available as I write this, so I'm basing my comments on provisions in the earlier bill.)
Here's the problem: the heart of the bill is a well-meaning attempt to create a public-private partnership to protect 'the nation's most critical infrastructures' that will result in one of two outcomes:
- MOST LIKELY, it will mean little and accomplish nothing;
- IN THE WORST CASE (if McFate's evil twin has his way), the bill would create a system for national-security-driven cybersecurity investments that will make Ptolemaic astronomical predictions look commonsensical by comparison.
As I said, the bill was written by well-meaning people. Within DHS it would create a National Center for Cybersecurity and Communications (NCCC) with a Senate-approved Director. With the NCCC in place, three things would happen:
1. Mandatory security requirements would be imposed on 'specific systems or assets whose disruption would cause a national or regional catastrophe.' These 'covered critical infrastructures' would be identified collaboratively, of course, with the private sector. And, in a version of the Lawyers and Lobbyists Full Employment Act, owners/operators of covered critical infrastructures could appeal their inclusion through 'administrative procedures' (unspecified?).
2. Hopefully a collaborative environment between the NCCC and the private sector would emerge. The bill seems to waffle a bit on this; according to the accompanying White Paper, 'although owners/operators of covered critical infrastructures would be required to report on cyber attacks ... the NCCC would not have the authority to compel this disclosure.'
3. The NCCC would set risk-based security performance requirements for covered systems in conjunction with the private sector. The risk/mitigation profile would drive the choice of security measures that would, in ways unspecified, satisfy the risk-based security performance requirements.
In other words, some cyber systems would be designated as national security critical; owners/operators of these systems would have to invest in additional security to meet national security criteria.
This approach has many problems, but here are two: first, there is almost no data, let alone an agreed-upon approach, for doing most cyber-based risk analysis; and second, the link between reducing risk and taking certain security actions is tenuous at best.
For instance, insider threats (say, security violations coming from people who have legitimate passwords) are widely acknowledged as being among the most serious threats, and certainly would be an important element in any risk-based security performance requirements. Two problems -- one, there are no -- repeat no -- records of insider threats other than anecdotes or those unfortunates who are not only caught but also prosecuted (a tiny number); and two, it is unclear (or, more pedantically, 'a research challenge') what to do to address the insider threat.
Hence my observation -- we have in S413 a potential requirement that private owner/operators invest in additional security, but without any solidly based mechanisms to establish how, or why, the resources should be spent.
This is a recipe for bringing forth numerology and astrology dressed up as analysis, with a solid foundation of lobbying, as the basis for decisions.
I'm all in favor of the goal of S413 -- solid risk-based investment to secure critical national infrastructures. I just wish policy makers would embark on this process with their eyes wide open.
(These comments also appear on cybersecuritycommunity.org -- a website promoting more meaningful dialogue about making cyber security partnerships actually work. Come, or participate via webcast, to the Symposium "Cybersecurity: Shared Risks, Shared Responsibilities" at the Moritz College of Law, Ohio State University, April 1, 2011.)