Proposal Would Shore Up Govt. Cyber Defenses
While cyber attacks have evolved dramatically since the beginning of this decade, the regulations governing how federal agencies defend against digital intruders haven't been updated since 2002. Legislation expected to be introduced Tuesday in the Senate would seek to correct that imbalance.
The "U.S. Information and Communications Enhancement Act of 2009," which would update the Federal Information Security Management Act, or FISMA, calls for the creation of hacker squads to test the defenses of federal agency networks. In addition, agencies would be required to show that they can effectively detect and respond to the latest cyber attacks on their information systems.
Critics of the current law say it merely requires agencies to show they have the proper cyber security policies in place, but not necessarily demonstrate that those policies are helping to block or mitigate real-world attacks.
"Only about five federal agencies are testing to see whether they are actually implementing these requirements," said Alan Paller, director of research for the SANS Institute, a security training group based in Bethesda, Md. "Agencies need to be measured on how well they block known attacks, and that's the opposite of what they're measured against now, which is how secure they are on paper."
Paller said the changes are needed because criminal and nation-state hackers are improving their attack techniques far faster than the U.S. government is improving its defenses, and that the threat is increasing at an accelerating rate.
"Hackers and nation states have more deeply penetrated civilian government agencies and the critical national infrastructure computer networks than the public and most members of Congress have been told," Paller said.
The legislation also envisions the creation of a council of chief information security officers, which would call on CISOs from each federal agency to share information about threats they're facing and the best ways to combat them.
In addition, the bill, to be introduced by Sen. Tom Carper (D-Del.), would establish a presidentially appointed, Senate-confirmed position as "director of the national office for cyberspace," to be housed within the Executive Office of the President.
The new legislation follows a sweeping cyber security proposal introduced earlier this month by Senate Commerce Committee leaders, which calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway.
Greg Nojeim, senior counsel at the Center for Democracy & Technology, said it wasn't clear from reviewing a draft of the Carper bill how much responsibility the proposed cyberspace director would have, or how that position would fit with the duties assigned to the White House's newly created and filled slots for chief information officer (CIO) and chief technology officer.
"The bill lays out four areas where that office would work, and only one of them is security," Nojeim said. "One of those other areas is to enhance economic prosperity. That's a pretty broad charge."
Some clarity on that point may come tomorrow. Carper chairs the Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, which is expected to hear testimony Tuesday from Vivek Kundra, whom President Obama has tapped as his CIO.
A draft copy of the Carper bill is available here (PDF).
April 27, 2009; 9:44 PM ET