Cybersecurity Bill on Hiatus... Again

Anthony Di Bello

A letter sent by Sen. Jay Rockefeller (D-WV) to the CEOs of the Fortune 500 has sparked a lot of conversation over the past months. The senator’s letter was prompted by his belief that the United States Chamber of Commerce's opposition to the Cybersecurity Act of 2012 is out of step with the desires of the nation’s most powerful CEOs. Rockefeller also saw the Chamber’s influence as part of the reason why so many senators were blocking a vote on the bill and thereby keeping it from seeing the light of day.

The last-minute push to get the Cybersecurity bill through the Senate on November 14th resulted in a 51-47 vote to end debate on the bill and move to a final vote; however, 60 votes were needed to move the bill forward. While Congress may take the issue up again this month, or in January, there is speculation the President may issue an executive order given the perceived urgency of cyber legislation.

I think there are a number of reasons why the Cybersecurity Act of 2012, of which Sen. Rockefeller is a cosponsor, was met with pushback from businesses and some members of the Senate.

First, the focus leans too heavily toward so-called best practices. As anyone who has been watching cybersecurity over the years knows, there’s a rapidly moving arms race. Attackers continuously adjust their attacks, and enterprises continuously adjust their defenses. It's a study in game theory, as is most any situation that involves an intelligent adversary. For example, at one time, network firewalls, encryption, anti-virus software, and authentication were all considered state of the art when it came to best IT security practices. Today, a program that simply has those components in place would be considered rudimentary, and certainly not a leader.

In fact, any best-practices or technology-checklist approach to security is doomed to fail in short order unless there are efforts in place to continuously update those practices and drop those that are no longer necessary. This is why, given the slow-moving nature of government, business leaders could be wary of a government-led effort to establish best practices. We may just end up with more checklist security. Certainly, we don’t need that.

Second, just a couple of years ago, “incident response,” as it applied to the corporate market, was completely new. The value of being able to automate host-based queries and responses based on detected events wasn’t entirely understood, or even valued. As new technology like this is developed, how does the federal government plan to keep up to date its best practices that may be delivered via the cybersecurity bill? In fact, how would this bill improve upon what is already in place with organizations such as the National Institute of Science and Technology (NIST) delivering best practices? NIST published incident response best practices years ago in its Special Publication 800-86.

Additionally, we’ve seen examples of out-of-date best practices being held up by non-federal organizations as security requirements. For instance, in 2004, the NSA conducted and released findings that a single overwrite was sufficient to purge classified data from electronic media. Yet many still cling to the false notion that electronic media requires three to seven passes to meet the NSA standard.

Third, we know from experience that public and private IT security data sharing tends to flow one way: from businesses to the government. The government collects public data, but provides data back (when it actually does) that is either stale (happened last year) or vague (providing only high-level observations like: SQLi attacks are on the rise). To be fair, the government can’t share information if there's a chance of a criminal investigation or trial. But by the time data are made public, there is little value.

Certainly, we need ways to share useful information without sharing overly sensitive security or confidential data, and to encourage ongoing public–private cooperation. The answer may require novel uses of technology, for example the entropy near-match capability in EnCase Cybersecurity, which allows the creation of a value, or signature, that a government agency could provide (for a new zero-day malware sample, for instance) to the private sector so organizations can scan their systems for similar signatures. This way, the actual malware, or any other information that could be misused, is never publicly released.

And that’s just one example. I’m sure there are many other ways data can be anonymized so that they could be safely shared publicly. But will the government try such acceptable approaches? If history is a guide, probably not.
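As an added illustration of the sharing idea above (my own example, not EnCase's algorithm or code from this post), the block below derives a per-chunk Shannon entropy profile as the shareable signature, scores candidate files by chunk-wise distance from that profile, and scans constructed samples for near matches. The chunk size, scoring formula and sample bytes are assumptions made for the demonstration.

```python
import math
import random
from typing import Dict, List

CHUNK = 64  # bytes per entropy sample (assumed chunk size)

def entropy_profile(data: bytes, size: int = CHUNK) -> List[float]:
    """Shannon entropy (bits/byte) per fixed-size chunk. The profile says how
    'random' each region is, never what the bytes are, so it can be shared."""
    profile = []
    for start in range(0, len(data), size):
        chunk = data[start:start + size]
        n = len(chunk)
        counts: Dict[int, int] = {}
        for b in chunk:
            counts[b] = counts.get(b, 0) + 1
        profile.append(round(-sum(c / n * math.log2(c / n) for c in counts.values()), 3))
    return profile

def similarity(a: List[float], b: List[float]) -> float:
    """Score in [0, 1]: 1 minus the mean per-chunk entropy distance (scaled by
    the 8-bit maximum) minus a penalty for differing lengths, so a file with the
    same sparse header and random body scores high even if every byte differs."""
    if not a or not b:
        return 0.0
    n = min(len(a), len(b))
    mean_diff = sum(abs(x - y) for x, y in zip(a, b)) / n
    length_penalty = abs(len(a) - len(b)) / max(len(a), len(b))
    return max(0.0, 1.0 - mean_diff / 8.0 - length_penalty)

def scan(reference: List[float], files: Dict[str, bytes], threshold: float = 0.85) -> List[str]:
    """Names of files whose entropy profile is near the shared reference."""
    return [name for name, data in files.items()
            if similarity(reference, entropy_profile(data)) >= threshold]

def _random_bytes(seed: int, n: int) -> bytes:  # seeded so runs are reproducible
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))

# Constructed samples: a 'packed' binary (sparse header, random body), a variant
# with a different body, and plain text that should not match.
HEADER = b"MZ\x90\x00" + b"\x00" * 124
SAMPLE_REF = HEADER + _random_bytes(1, 256)
SAMPLE_VARIANT = HEADER[:124] + b"PE\x00\x00" + _random_bytes(2, 256)
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 9

if __name__ == "__main__":
    shared = entropy_profile(SAMPLE_REF)  # this list is all that leaves the agency
    print("shared signature:", shared)
    print("near matches:", scan(shared, {"variant": SAMPLE_VARIANT, "text": SAMPLE_TEXT}))
```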