There are a couple of news items worth observing as the government focuses on cyber security, and in particular begins looking at the role of government in the private sector when it comes to cyber security. Here is the first article, on the reform of FISMA and DHS.

A controversial Internet security bill proposed in 2010 by Sen. Joe Lieberman (I-Conn.) could yet become law in the current session of Congress, said Jeff Greene, counsel on the majority staff of the Senate Homeland Security and Governmental Affairs Committee.

The bill, S.3480, “Protecting Cyberspace as a National Asset Act of 2010” is garnering early bipartisan support in the new Congress, Greene said during a Jan. 19 ACT-IAC meeting in Falls Church, Va.

“FISMA hasn’t necessarily worked out as well as we had hoped,” said Greene. “Current structures are disorganized, they’re decentralized, they’re inefficient and generally speaking, they’re fairly weak.”

FISMA is basically a failure. Although it was originally passed in 2002 following 9/11, government has been very slow to adopt FISMA certification standards and implement them across a number of agencies. The standards set up by government are so complex that the only cloud computing collaboration platform to meet certification is the Google Apps for Government (GAPE) system. In theory, that means any agency using Microsoft Business Productivity Online Standard Suite (BPOS) is using a product that doesn’t even meet Federal certification standards for cloud computing. No big deal, right? Tell that to the Department of the Interior.

Even if we ignore the inability of both the Federal agencies and the private sector, except Google, to meet FISMA standards, the real concern of the cyber bill is how DHS is expanding its authority towards the private sector.

Federal cybersecurity intervention in private sector critical infrastructure and systems, what some critics have called Lieberman’s “kill switch” proposal, would not be taken lightly, said Greene, and would follow the DHS infrastructure protection definition in case of a cyber attack.

“This requires the disruption or destruction of a system that would cause a regional or national catastrophe. Which generally, by DHS regs, has been $25 billion first year damage, 2,500 immediate deaths or mass evacuations or relocations of citizens,” said Greene. “So it’s a pretty high bar. We’re not talking about Amazon going down.”

Funny how the high bar of the original idea seems to get lower and lower over time. Indeed, it looks like we are already looking for ways to lower the bar.

The Obama administration will provide universities and businesses with government intelligence and law enforcement information about malicious Internet activities so that they can protect their critical assets, the president’s cyber czar said on Tuesday.

“I think we all recognize that the government has unique access to information,” Howard Schmidt, cybersecurity coordinator and special assistant to the president, told congressional staff, policymakers and interest groups at a Washington conference. “We need to continue to look for ways to share that information, but also give our universities and our businesses information to be able to protect themselves.”

I am particularly disturbed by the arrogance, or perhaps ignorance, of the newly appointed chairman of the House Judiciary Subcommittee on Intellectual Property, Competition and the Internet, Rep. Bob Goodlatte, R-Va.

“We need solutions that contain incentives to encourage business to adopt best practices to security” and “no one-size fits all mandate from Washington” that becomes outdated by the time it is implemented, Goodlatte said.

FISMA, the law by which government is supposed to establish security standards for Federal agencies, is a big fat failure – and now government is going to take a more proactive approach in exercising power and influence over the security of the private sector? I respect the interest government has in critical infrastructure, and think engagement is important, but it is important to recognize that the weak link in capability is government, and providing anything other than intelligence information to the private sector in the name of security is almost certainly an overreach of power and authority – and likely to backfire.

Cyber security law represents an example where the individual rights of Americans are going to be pissed away in the name of security. Would an internet “kill switch” have protected Iran from Stuxnet? Nope. The targets of Stuxnet were computer systems not connected to the internet, and the worm was spread primarily by jump drives. This is government thinking though: the nuclear weapons solution to the poisonous mosquito.

This is the best advice for those who think about cyber warfare issues: The reason no one understands cyber warfare is because nobody understands cyber warfare. Repeat that sentence until you get it. Cyber warfare is people, not networks. Think of the domain as terrain, and attacking the network is like bombing the ocean. Security in cyber warfare is measured by mitigation, risk assessment, and resiliency; and measures that go beyond those areas almost always do more harm than good and do not represent security at all – rather represent attempt at control.

Cyber warfare is a tough issue, and protection from cyber attack is an important government function. Security standards, the original basis for FISMA, are also important. What is most important, though, is understanding how quickly government can overreach in the name of security, and how easily it adopts solutions that provide the illusion of security when in fact those solutions aren’t real. $25 billion of damage is measured in pennies compared to the cost of an internet kill switch, even if it was for just a few minutes. DHS has demonstrated very strange definitions lately for the term security, whether it is airline flights or cyberspace. American elected officials need to require definitions for security, and ensure that policies are aligned towards mitigation, risk assessment, and resiliency; because DHS whack-a-mole policies continue to consistently take the ‘attempt at control’ approach that is in clear violation of Constitutionally protected individual rights; policies that do not provide a clear homeland security function with a holistic approach to the resiliency of the state to disruption. Until such a policy is required of DHS, our nation’s political leaders will continue to overreact to every incident with political and economic reactions on a scale similar to a 10-year land war in Asia.

Posted by galrahn in Cyber


  • M. Ittleschmerz

    “Security in cyber warfare is measured by mitigation, risk assessment, and resiliency; and measures that go beyond those areas almost always do more harm than good and do not represent security at all – rather represent attempt at control.”

    Could very, very easily be rewritten to also read as:
    “Security is measured by mitigation, risk assessment, and resiliency; and measures that go beyond those areas almost always do more harm than good and do not represent security at all – rather represent attempt at control.”

    Modern day security is much more of a “risk elimination” approach than a “mitigation” approach. And that philosophy is corrosive to the military structure and culture in a way that only imaginative, creative, and daring people understand.

  • While there has been a range of opinion on FISMA, the assertion that it has failed is entirely without merit. FISMA has done more to improve information security in the federal civilian government than any other law, effort, initiative or program. Working in the federal civilian government prior to FISMA, the amount of influence information security professionals had in improving a system’s security posture was negligible. There were a handful of weak regulations and laws that any sufficiently adept bureaucrat could bypass with a few pen strokes. The only chance a security professional had was to get buy-in from an enlightened senior manager. After FISMA this changed; it became a matter of course to consider security as an integral part of ensuring systems could become operational. The deficits of the FISMA law and guidance pale in comparison to this sea change in federal cybersecurity efforts.

    It is also misleading to state “the only cloud computering [sic] collaboration platform to meet certification is the Google Apps for Government (GAPE) system”. So of the two possibilities (Google Apps and BPOS Federal/Office 365) only one has passed so far? This doesn’t mean much, does not include the many private cloud collaboration implementations authorized in the federal government, and does not support your FISMA assertion. The Microsoft cloud IaaS (Global Foundation Services), which supports BPOS Federal, was issued an Authorization To Operate in December.

    It is also worth noting that the cloud computing specific guidance for FISMA, the Federal Risk and Authorization Management Program (FedRAMP), has not yet been finalized. Cloud computing systems which are being authorized now do not have the benefit of being tested against a more cloud computing focused FISMA process.