A cybersecurity bill may be filed in the U.S. Senate expanding government enforcement to the private sector. Security practitioners say more oversight of critical infrastructure wouldn't hurt. But anything more than that probably would.

The U.S. Government has had a lot of trouble getting its IT security house in order. Hackers from China and elsewhere keep breaking into government networks to conduct espionage. Federal cybersecurity directors keep quitting.

And so it’s no surprise that some IT security practitioners are underwhelmed by the suggestion that government needs the authority to enforce cybersecurity in the private sector. As one security pro put it in an exchange on Twitter Wednesday morning, “Well, they do such a fine job of keeping their own stuff in order.”

The reaction is to a Washington Post report that such legislation may be introduced as early as this week by Senate Commerce Committee Chairman John D. Rockefeller IV, D-W.Va., and Sen. Olympia J. Snowe, R-Maine. The legislation, which had yet to be filed as this report was written, would extend the government’s authority beyond the security of its own networks and into such private systems as those run by companies providing critical infrastructure for water and electricity.

Reportedly, the meat of the legislation would be based on recommendations of a study conducted last year by the Center for Strategic and International Studies. It would also come at a time when the still-new Obama Administration is working to solidify its cybersecurity agenda.

[See: 5 Must-Do Cyber Security Steps for Obama]

Rich Mogull, a former Gartner analyst and founder of security consultancy Securosis, said a deeper government reach into the private sector may make sense under certain circumstances, but not in the broader sense.

“I think it’s reasonable for critical infrastructure and government contractors, but if it extends into general business, it’s doomed to failure,” he said.

For one thing, he said, the government has shown no ability to secure itself. “Perhaps the re-prioritization of a new administration will improve that, but there is immeasurable institutional momentum to overcome,” he said.

While the NSA plays a critical role in cyber-intelligence, Mogull said it is not the right entity to manage our national defensive cybersecurity. “The missions fundamentally conflict,” he said. “If we want to leverage their extensive expertise, a separate agency should be created and charged with the defensive role, reporting to a cybersecurity head outside the intelligence infrastructure.”

Pete Stagman, owner-senior engineer at Stag Data & Cable and senior engineer at Global Digital Forensics, said the prospect of federalized cybersecurity leaves him uneasy.

“I’m not crazy about this at all, especially the part that ‘would require the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards that would apply to private companies as well as the government [and] require licensing and certification of cybersecurity professionals,’” he said. “Creating a set of standards will create a false sense of security among private-sector higher-ups, who will say, ‘If we are following the government guidelines, then we’re safe.’”

Any professional walking in with a new set of recommendations is going to hit a brick wall, he added.

If such a bill is filed, it’s far from certain that it would ever become law. Private entities are certain to push back, and, even if passed in the Senate, it would have to go through the House of Representatives and White House gauntlet, a process certain to move slowly if at all.