[ISN] Cybersecurity Laws Expected

From: InfoSec News (isnat_private)
Date: Mon Jul 14 2003 - 01:33:45 PDT

    http://www.pcworld.com/news/article/0,aid,111535,00.asp
    
    Grant Gross, 
    IDG News Service
    July 11, 2003
    
    WASHINGTON -- Businesses will get legal guidelines this year on how to
    secure their pieces of cyberspace, but lawmakers aren't giving details
    yet.
    
    Forthcoming cybersecurity legislation will be a "meaningful regulatory
    approach to securing private-sector critical infrastructure," says
    Representative Adam Putnam (R-Florida), who chairs a Congressional
    subcommittee dealing with cybersecurity.
    
    Because many members of Congress don't seem to recognize the potential
    threat of cyber attacks, the law Putnam has in mind will not be as
    wide-ranging as the Sarbanes-Oxley Act of 2002, which governs
    accounting procedures at public companies.
    
    "There are a couple of areas where I believe the subcommittee will be
    drafting bills towards the end of this year that would impact the
    private sector," Putnam said at an e-government and cybersecurity
    event here this week. "We hope to begin that process before a major
    catastrophe. We would like to be on the front side of that."
    
    Caution Urged
    
    Right now, it's difficult to say what that cybersecurity
    legislation will look like, added Putnam, who chairs the House
    Government Reform Committee's Subcommittee on Technology, Information
    Policy, Intergovernmental Relations, and the Census.
    
    Putnam's comments came in response to a question from Daniel Burton,
    vice president of government affairs for security vendor Entrust
    Technologies. Burton cited Sarbanes-Oxley and the Health Insurance
    Portability and Accountability Act (HIPAA) of 1996 as examples of a
    "creeping aggregation of regulations."
    
    Congress shouldn't take a "knee-jerk, let's legislate" approach to
    cybersecurity, Putnam answered. He noted that many people in Congress
    and in the public don't realize how many pieces of the U.S. critical
    infrastructure are controlled through networked technology. He used
    the example of flood-control gates on the Mississippi River or the
    power grids that serve stock markets.
    
    After a disaster, Congress' response "is not the most well
    thought-out," Putnam added. "We want to put something out there that
    makes sense, that's balanced, that accomplishes the same goals,
    without it being this headlong rush to prove that we're doing
    something for our constituents because we were asleep at the switch
    when there was this digital Pearl Harbor."
    
    After Putnam's speech, Burton said it sounds like Putnam's
    subcommittee will bring clarity to regulations on businesses.  
    "Regulations are already here; people are just trying to understand
    what they mean," he said.
    
    Expanding Standards
    
    Congress has made good progress in learning about cybersecurity, said
    Tim Hoechst, senior vice president for technology at Oracle. He took
    Putnam's comments to mean Congress will make some mandates about
    cybersecurity.
    
    "It sounds like we're getting beyond the just-talking-about-it stage,
    and that makes me happy," Hoechst said. "But it could go in a million
    different directions."
    
    Putnam also said his subcommittee will consider whether government
    agencies other than the Defense Department should require certain
    security standards of their software. In January 2000, the DOD set
    certification for software used in national security-related
    functions.
    
    "We're taking a pretty serious look at whether that requirement should
    be expanded government-wide," Putnam said.
    
    The time and cost of meeting the standard actually gives an advantage
    to vendors of non-certified software, said Oracle's Hoechst, who was
    encouraged by Putnam's remarks.
    
    "There aren't too many agencies left in government that aren't related
    to national security," Hoechst noted. "We hope the government uses its
    buying power to encourage others to buy software meeting those
    standards as well."
    
    Putnam also criticized government agencies' cybersecurity efforts,
    saying the problems aren't technological but related to personnel and
    workplace culture. Fourteen of 24 government agencies received failing
    grades in a cybersecurity report card issued by Congress in late 2002,
    he noted.
    
    He also placed some blame with his colleagues in Congress. "Frankly,
    I'm finding a lack of attention and a lack of understanding by the
    Congress and the (Bush) administration as to the serious nature of the
    threat," he said. "It's not nearly as sexy, or as engaging, or as
    interesting as the threats that are posed by terrorists boarding
    aircraft, or terrorist threats to the Brooklyn Bridge ... or to
    Disney World, and so the cyber threat has taken a back seat to the
    physical threat. I think that is a dangerously lopsided approach to
    homeland security."
    
    Progress Cited
    
    While Putnam ripped the U.S. government's cybersecurity efforts, Mark
    Forman, administrator of the Office of Electronic Government at the
    White House Office of Management and Budget, defended the Bush
    administration's direction. Government agencies have a lot more work
    to do in cybersecurity, Forman said, but they are making progress.
    
    Agencies must conduct yearly security assessments, with an independent
    audit, and OMB conducts quarterly e-government reviews of government
    agencies. Those reviews include security as one of five criteria,
    Forman said in a presentation.
    
    Agencies are rated on a scale from green to red, and President Bush
    questions agency heads when their ratings fall, Forman said.
    
    "For some strange reason, when the (agency) secretaries see their
    scores next to each other, and they see who's red and who's green, red
    is not a very good place to be," Forman said. "When the president
    asks, 'Mr. Secretary, why are you not making progress in these three
    areas,' when everybody else has, it's not a very good place for a
    secretary. There's recognition of the importance of cybersecurity at
    the secretary level, all the way up to the president."
    
    The forum on cybersecurity and e-government, titled "E-government:  
    Securing the Information Infrastructure," was hosted by the Business
    Software Alliance and the Center for Strategic International Studies.  
    Attendees included members of Congress and their staffs, federal
    officials, and industry executives.
    