13-08-2012, 10:35 AM
The Cybersecurity Act of 2009
Four senators (Rockefeller, Bayh, Nelson, and Snowe) have recently introduced S.773, the Cybersecurity Act of 2009. While there are some good parts to the bill, many of the substantive provisions are poorly thought out at best. The bill attempts to solve non-problems, and assumes that research results can be commanded into being by virtue of an act of Congress. Beyond that, there are parts of the bill whose purpose is mysterious, or whose content bears no relation to its title.
Let's start with the good stuff. Section 2 summarizes the threat. If anything, it understates it. Section 3 calls for the establishment of an advisory committee to the president on cybersecurity issues. Perhaps that's Just Another Committee; on the other hand, it reports to the president and "shall advise the President on matters relating to the national cybersecurity program and strategy". That's good — but whether or not the president (any president!) actually listens to and understands their recommendations is another matter entirely.
Section 10 ("Promoting Cybersecurity Awareness") and Section 13 ("Cybersecurity Competition and Challenge") are innocuous, though I'm not convinced they'll do much good. (I suspect that folks reading this blog already realize this, but I'll state it explicitly anyway: the odds of anyone, whether in a "challenge" or not, finding a magic solution to the computer security problems are exactly 0. Most of the problems we have are due to buggy code, and there's no single cause or solution to that. In fact, I seriously doubt that there is any true solution; buggy code is the oldest unsolved problem in computer science, and I expect it to remain that way.)
The idea seems to have come from the "Securing Cyberspace for the 44th Presidency" report written earlier. True, this bill calls for "appropriate civil liberties and privacy protections", but a centralized authentication system is likely to lead to serious security risks. As a National Academies study noted, "A centralized password system, a public key system, or a biometric system would be much more likely to pose security and privacy hazards than would decentralized versions of any of these." (Disclaimer: I was part of the committee that wrote that report. Naturally, I'm not representing the Academy in this posting.) The 44th Presidency report wanted to ensure that certain actions were strongly tied to authorized individuals, but this approach simply won't accomplish that goal. I say that for many reasons; for now, I'll mention just one: consider the effect of a tailored virus that infected the computer of someone who is supposed to control critical infrastructure systems. That virus could do anything it wanted, with the proper person's credentials.
Section 6(a)(7) sounds great — national compliance standards for all software — but it's doomed. We've been down that road before, ranging from the Orange Book to the Common Criteria. All of these projects tried to establish standards and evaluation criteria for trusted software systems. The problem is that building and testing such systems, and going through external evaluations, are slow and expensive processes. Far fewer systems were evaluated than should have been, because purchasers wanted to buy cheap commercial hardware and software. The result was an endless set of waivers. Is the government willing to pay premium prices for all of its systems? Let me rephrase the question: will each and every government agency be willing to spend its own budget dollars on such systems, and will Congress appropriate enough money? Allow me to express serious doubt. "C2 by '92" (an attempt by DoD to enforce minimal levels of security via use of C2-level systems by 1992) never went anywhere; I don't think this one will succeed, either. There are many further reasons for skepticism — who will pay for private sector deployments; what security model is appropriate (the Orange Book was geared to the military classification model, which is simply wrong for most civilian use); whether the flaws are in the OS at all; and more — and we can't just legislate useful, usable standards into being. Legislation may be appropriate when we know the goal (we don't), or when we have good reason to believe we'll know it and can reach it in not very many years. Neither is the case here.