• United States



by Robert Maley

Former PA CISO: National cybersecurity bill won’t work

Jul 29, 20104 mins
CareersComplianceData and Information Security

The Lieberman, Collins, Carper cybersecurity bill would do nothing but slow down real progress and undercut Howard Schmidt's authority, former State of Pennsylvania CISO Robert Maley warns.

It has been four months since moving from public service as CISO for the Commonwealth of PA into the private sector as a consultant. The thing about cybersecurity is that, although the private sector is just as important as the public, it seems that the government has been dominating the news and direction of cyber protection.

The recent introduction of the Lieberman, Collins, Carper cybersecurity bill is a prime example.

It is a complex matter, to say the least, and I have no confidence that the bill will actually make our critical infrastructure more secure.

As Tom Burghardt says in Through the Wormhole: The Secret State’s Mad Scheme to Control the Internet, “Fueling administration moves to “beef up,” i.e. tighten state controls over the free flow of information is cash, lots of it. The Washington Post reported June 22 that “Cybersecurity, fast becoming Washington’s growth industry of choice, appears to be in line for a multibillion-dollar injection of federal research dollars, according to a senior intelligence official.”

In the Lieberman, Collins, Carper letter to Cisco, Oracle and IBM, a public/private partnership is mentioned, which on its face is a good thing. The private sector is motivated to enhance security and reduce risk because it affects the bottom line of the company. The bill talks about securing the supply chain through a risk management strategy, which I think is overdue. When a government entity acquires a product or system that eventually fails, who is really to blame? The company that met all the requirements of a low-bid contract, or the entity that failed to include specific security deliverables in the request for bids?

The bill also calls for the creation of a national center for cybersecurity and communications and an office for cyber policy.

Last December, Howard Schmidt was appointed the President’s cybersecurity coordinator. I thought that position was to lead the administration’s cyber strategy, so I am not sure that the addition of new government agencies and bureaucracy would improve things.

In a March interview, Schmidt said that “There is no cyber war. I think that is a terrible metaphor and I think that is a terrible concept.” He went on to say that “the government needs to focus its cybersecurity efforts to fight online crime and espionage.” (He made a similar statement in the CSO story Howard Schmidt: Cybersecurity battle ‘different’ this time.

The Lieberman letter claims the bill will give that position the authority to be the lead in many of the bill’s requirements, which would be a good thing. But how new government overhead would make things more secure escapes me.

Then there is the controversial provision granting the government the authority to “take over the Internet” in certain cases of national emergency. Lieberman makes the case that bill sets up a process that clearly defines and limits the systems and assets that can be identified as critical infrastructure subject to takeover, but since when did government regulation provide clarity?

The Lieberman letter states that “by working in partnership and voluntarily sharing information with the private sector, the NCCC will have a better understanding of the threats and vulnerabilities our nation faces in cyberspace”. How effective has the government been in the past with voluntarily sharing full and accurate information? Historically, the private sector has been required through all the various regulatory acts to disclose, yet the government still looks at information sharing on a “need-to-know” basis, or sometimes filtering information to minimize the political impact of full disclosure.

The bill lacks the strategic value to address our real-world cybersecurity issues, and introduces enough government oversight to slow down any real progress in the battle.

The private sector should continue its initiatives to share information, increase situational awareness via the network of ISACs and take the initiative in securing its own products and infrastructure. And, the government should follow its cybersecurity coordinator’s advice: Fight the real threat, online crime and espionage.