The IT industry must step up to help the feds and police itself

While it may seem like cybersecurity issues have taken a back seat in Washington, there is actually a lot of work happening on Capitol Hill. Senate majority leader Harry Reid (D, NV) is pushing all Senate committees with any type of cybersecurity or industry oversight to get on their legislative horse and address the existing mess.

To that end, Senator Joseph Lieberman (I, CT) is working with colleagues Susan Collins (R, ME) and Thomas Carper (D, DE) on a fairly comprehensive cybersecurity bill called the Protecting Cyberspace as a National Asset Act. The bill seeks to revamp the paper-centric FISMA Act of 2002, centralize cybersecurity management in DHS, and establish a more proactive public/private partnership for cybersecurity risk management.

The essence of the bill is certainly welcome. We need to address cybersecurity issues ASAP, as President Obama promised he would do more than a year ago. Unfortunately, the Lieberman bill has a few significant flaws in my opinion. One major problem is the bill’s link to federal procurement. The Lieberman bill seeks to legislate security in federal IT spending by “creating a system that requires acquisition officers in the federal government to have the knowledge that they need about the vulnerabilities in products.” This in itself is a good idea, but:

1. How do you do this? There is some talk in Washington about insisting that vendors pass some type of security certification that governs their development processes and cyber supply chain assurance model. Okay, but this certification doesn’t exist today, and certification can be nothing more than a check-box exercise, as FISMA is. In the current state of the industry, this requirement is ludicrous.

2. Product vulnerabilities are only one ingredient. The Lieberman bill’s focus on product vulnerabilities harkens back to cybersecurity issues circa 2004, when it was fashionable to blame Microsoft for all security problems. Yes, product vulnerabilities remain important, but we need to think about system vulnerabilities (i.e. a superset of product vulnerabilities), comprehensive testing, and a lot more security training.

I don’t claim to be an expert on the Lieberman bill, but it seems to me that we are falling into the old Washington scapegoat mentality of looking for a villain (i.e. the IT industry). Don’t get me wrong, lots of vendors should be called to task for unacceptable security practices, but these provisions seem overly simple or impossible to enforce to me.

While the Feds figure out the next act in the cybersecurity play, it is really up to the IT industry to step up and establish its own security best practices and self-certification methodology. Strong examples already exist from vendors like EMC, HP, IBM, and Oracle. While some folks will certainly flame me for saying so, Microsoft’s SDL is also a model for the rest of the industry.

Legislators are caught between a rock and a hard place. They have to do something, but these are uncharted and highly technical waters. This being the case, the IT industry has to do a better job of stepping in and demonstrating leadership. If this doesn’t happen, the U.S. IT industry will face difficult, costly, and confusing legislation that could impact financial results for years to come.