Information Security News mailing list archives

Cybersecurity Laws Expected


From: InfoSec News <isn () c4i org>
Date: Mon, 14 Jul 2003 03:33:45 -0500 (CDT)

http://www.pcworld.com/news/article/0,aid,111535,00.asp

Grant Gross, 
IDG News Service
July 11, 2003

WASHINGTON -- Businesses will get legal guidelines this year on how to
secure their pieces of cyberspace, but lawmakers aren't giving details
yet.

Forthcoming cybersecurity legislation will be a "meaningful regulatory
approach to securing private-sector critical infrastructure," says
Representative Adam Putnam (R-Florida), who chairs a Congressional
subcommittee dealing with cybersecurity.

Because many members of Congress don't seem to recognize the potential
threat of cyber attacks, the law Putnam has in mind will not be as
wide-ranging as the Sarbanes-Oxley Act of 2002, which governs
accounting procedures at public companies.

"There are a couple of areas where I believe the subcommittee will be
drafting bills towards the end of this year that would impact the
private sector," Putnam said at an e-government and cybersecurity
event here this week. "We hope to begin that process before a major
catastrophe. We would like to be on the front side of that."

Caution Urged

Right now, it's difficult to say what that cybersecurity
legislation will look like, added Putnam, who chairs the House
Government Reform Committee's Subcommittee on Technology, Information
Policy, Intergovernmental Relations, and the Census.

Putnam's comments came in response to a question from Daniel Burton,
vice president of government affairs for security vendor Entrust
Technologies. Burton cited Sarbanes-Oxley and the Health Insurance
Portability and Accountability Act (HIPAA) of 1996 as examples of a
"creeping aggregation of regulations."

Congress shouldn't take a "knee-jerk, let's legislate" approach to
cybersecurity, Putnam answered. He noted that many people in Congress
and in the public don't realize how many pieces of the U.S. critical
infrastructure are controlled through networked technology. He used
the example of flood-control gates on the Mississippi River or the
power grids that serve stock markets.

After a disaster, Congress' response "is not the most well
thought-out," Putnam added. "We want to put something out there that
makes sense, that's balanced, that accomplishes the same goals,
without it being this headlong rush to prove that we're doing
something for our constituents because we were asleep at the switch
when there was this digital Pearl Harbor."

After Putnam's speech, Burton said it sounds like Putnam's
subcommittee will bring clarity to regulations on businesses.
"Regulations are already here; people are just trying to understand
what they mean," he said.

Expanding Standards

Congress has made good progress in learning about cybersecurity, said
Tim Hoechst, senior vice president for technology at Oracle. He took
Putnam's comments to mean Congress will make some mandates about
cybersecurity.

"It sounds like we're getting beyond the just-talking-about-it stage,
and that makes me happy," Hoechst said. "But it could go in a million
different directions."

Putnam also said his subcommittee will consider whether government
agencies other than the Defense Department should require certain
security standards of their software. In January 2000, the DOD set
certification for software used in national security-related
functions.

"We're taking a pretty serious look at whether that requirement should
be expanded government-wide," Putnam said.

The time and cost of meeting the standard actually gives an advantage
to vendors of non-certified software, said Oracle's Hoechst, who was
encouraged by Putnam's remarks.

"There aren't too many agencies left in government that aren't related
to national security," Hoechst noted. "We hope the government uses its
buying power to encourage others to buy software meeting those
standards as well."

Putnam also criticized government agencies' cybersecurity efforts,
saying the problems aren't technological but related to personnel and
workplace culture. Fourteen of 24 government agencies received failing
grades in a cybersecurity report card issued by Congress in late 2002,
he noted.

He also placed some blame with his colleagues in Congress. "Frankly,
I'm finding a lack of attention and a lack of understanding by the
Congress and the (Bush) administration as to the serious nature of the
threat," he said. "It's not nearly as sexy, or as engaging, or as
interesting as the threats that are posed by terrorists boarding
aircraft, or terrorist threats to the Brooklyn Bridge ... or to
Disney World, and so the cyber threat has taken a back seat to the
physical threat. I think that is a dangerously lopsided approach to
homeland security."

Progress Cited

While Putnam ripped the U.S. government's cybersecurity efforts, Mark
Forman, administrator of the Office of Electronic Government at the
White House Office of Management and Budget, defended the Bush
administration's direction. Government agencies have a lot more work
to do in cybersecurity, Forman said, but they are making progress.

Agencies must conduct yearly security assessments, with an independent
audit, and OMB conducts quarterly e-government reviews of government
agencies. Those reviews include security as one of five criteria,
Forman said in a presentation.

Agencies are rated on a scale from green to red, and President Bush
questions agency heads when their ratings fall, Forman said.

"For some strange reason, when the (agency) secretaries see their
scores next to each other, and they see who's red and who's green, red
is not a very good place to be," Forman said. "When the president
asks, 'Mr. Secretary, why are you not making progress in these three
areas,' when everybody else has, it's not a very good place for a
secretary. There's recognition of the importance of cybersecurity at
the secretary level, all the way up to the president."

The forum on cybersecurity and e-government, titled "E-government:
Securing the Information Infrastructure," was hosted by the Business
Software Alliance and the Center for Strategic International Studies.
Attendees included members of Congress and their staffs, federal
officials, and industry executives.
