Washington needs consensus and action -- not politics as usual

When President Obama was a mere candidate, he promised that he would enact legislation and focus more attention on growing cyber security problems. The president followed through on this promise last week when the administration transmitted a cybersecurity legislative proposal to Capitol Hill. The 5-page document provides some high-level objectives like protecting the American people (online), protecting critical infrastructure, protecting federal government computers and networks, and providing a new framework to protect individuals’ privacy and civil liberties.

Anyone who buys goods, conducts business, or entertains themselves online should applaud this effort. In fact, many members of Congress have issued statements supporting the President’s initiative. For example, U.S. Senator Kirsten Gillibrand (D-NY) issued a press release that stated, “I am encouraged the Administration is taking the growing international cyber threat seriously. Now it is time for Congress to come together and pass bipartisan legislation to address this national security imperative.”

Well, Senator Gillibrand, I too am encouraged that the Administration is taking the growing international cyber threat seriously. Unfortunately, I am not encouraged by the track record of Washington actually RESPONDING to the growing international cyber threat. Surely Senators Lieberman, Carper, and Collins were “taking the growing international cyber threat seriously” when they authored the Cybersecurity and Information Freedom Act (S.3480), which has been stuck in the Senate for several months. The same thing is true of other bills sponsored by Senators Rockefeller (D-WV) and Snowe (R-ME), Congressman Langevin (D-RI), and others.

This threat is not new, and while we citizens are indeed vulnerable, the Federal government is especially at risk. In 1998, security professionals discovered an ongoing attack on the Pentagon, NASA, and the Dept. of Energy amongst others (aka “Moonlight Maze”). A similar pattern of network infiltration occurred in 2003 (aka “Titan Rain”). In the past year or so, we’ve seen attacks on technology vendors like Google and RSA, sophisticated malware aimed at industrial control systems (Stuxnet), and countless breaches of American businesses.

ESG Research also indicates that the 18 segments designated as critical infrastructure by DHS are at risk. In a recent report (available for free at www.esg-global.com), 20% of respondents believed that their critical infrastructure organization’s security policies, procedures, and technology safeguards were either fair or poor. Yikes!

I appreciate the efforts of the Administration and support from Congress, but there’s been way too much talk and not enough action out of Washington on cybersecurity. I hope the Administration follows through, demonstrates leadership, pushes for consensus, and establishes a stake in the ground to improve cybersecurity protection throughout the land. Based upon the past, I have to admit that I am quite skeptical, but I certainly hope for the best and am happy to help in any way that one security analyst and citizen can.