http://www.pcworld.com/news/article/0,aid,111535,00.asp Grant Gross, IDG News Service July 11, 2003 WASHINGTON -- Businesses will get legal guidelines this year on how to secure their pieces of cyberspace, but lawmakers aren't giving details yet. Forthcoming cybersecurity legislation will be "meaningful regulatory approach to securing private-sector critical infrastructure" says Representative Adam Putnam (R-Florida), who chairs a Congressional subcommittee dealing with cybersecurity. Because many members of Congress don't seem to recognize the potential threat of cyber attacks, the law Putnam has in mind will not be as wide-ranging as the Sarbanes-Oxley Act of 2002, which governs accounting procedures at public companies. "There are a couple of areas where I believe the subcommittee will be drafting bills towards the end of this year that would impact the private sector," Putnam said at an e-government and cybersecurity event here this week. "We hope to begin that process before a major catastrophe. We would like to be on the front side of that." Caution Urged Right now, it's difficult to say what that cybersecurity legislation will look like, added Putnam, who chairs the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census. Putnam's comments came in response to a question from Daniel Burton, vice president of government affairs for security vendor Entrust Technologies. Burton cited Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as examples of a "creeping aggregation of regulations." Congress shouldn't take a "knee-jerk, let's legislate" approach to cybersecurity, Putnam answered. He noted that many people in Congress and in the public don't realize how many pieces of the U.S. critical infrastructure are controlled through networked technology. He used the example of flood-control gates on the Mississippi River or the power grids that serve stock markets. After a disaster, Congress' response "is not the most well thought-out," Putnam added. "We want to put something out there that makes sense, that's balanced, that accomplishes the same goals, without it being this headlong rush to prove that we're doing something for our constituents because we were asleep at the switch when there was this digital Pearl Harbor." After Putnam's speech, Burton said it sounds like Putnam's subcommittee will bring clarity to regulations on businesses. "Regulations are already here; people are just trying to understand what they mean," he said. Expanding Standards Congress has made good progress in learning about cybersecurity, said Tim Hoechst, senior vice president for technology at Oracle. He took Putnam's comments to mean Congress will make some mandates about cybersecurity. "It sounds like we're getting beyond the just-talking-about-it stage, and that makes me happy," Hoechst said. "But it could go in a million different directions." Putnam also said his subcommittee will consider whether government agencies other than the Defense Department should require certain security standards of their software. In January 2000, the DOD set certification for software used in national security-related functions. "We're taking a pretty serious look at whether that requirement should be expanded government-wide," Putnam said. The time and cost of meeting the standard actually gives an advantage to vendors of non-certified software, said Oracle's Hoechst, who was encouraged by Putnam's remarks. "There aren't too many agencies left in government that aren't related to national security," Hoechst noted. "We hope the government uses its buying power to encourage others to buy software meeting those standards as well." Putnam also criticized government agencies' cybersecurity efforts, saying the problems aren't technological but related to personnel and workplace culture. Fourteen of 24 government agencies received failing grades in a cybersecurity report card issued by Congress in late 2002, he noted. He also placed some blame with his colleagues in Congress. "Frankly, I'm finding a lack of attention and a lack of understanding by the Congress and the (Bush) administration as to the serious nature of the threat," he said. "It's not nearly as sexy, or as engaging, or as interesting as the threats that are posed by terrorists boarding aircraft, or terrorists threats to the Brooklyn Bridge ... or to Disney World, and so the cyber threat has taken a back seat to the physical threat. I think that is a dangerously lopsided approach to homeland security." Progress Cited While Putnam ripped the U.S. government's cybersecurity efforts, Mark Forman, administrator of the Office of Electronic Government at the White House Office of Management and Budget, defended the Bush administration's direction. Government agencies have a lot more work to do in cybersecurity, Forman said, but they are making progress. Agencies must conduct yearly security assessments, with an independent audit, and OMB conducts quarterly e-government reviews of government agencies. Those reviews include security as one of five criteria, Forman said in a presentaiton. Agencies are rated on a scale from green to red, and President Bush questions agency heads when their ratings fall, Forman said. "For some strange reason, when the (agency) secretaries see their scores next to each other, and they see who's red and who's green, red is not a very good place to be," Forman said. "When the president asks, 'Mr. Secretary, why are you not making progress in these three areas,' when everybody else has, it's not a very good place for a secretary. There's recognition of the importance of cybersecurity at the secretary level, all the way up to the president." The forum on cybersecurity and e-government, titled "E-government: Securing the Information Infrastructure," was hosted by the Business Software Alliance and the Center for Strategic International Studies. Attendees included members of Congress and their staffs, federal officials, and industry executives. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 05:57:36 PDT