The Senate bill introduced earlier this month that would make sweeping changes to the way that information security is practiced both in the federal government and the private sector has a number of good elements, but the flaws in the proposed legislation outweigh the benefits, writes Steve Bellovin.
A security expert and computer science professor at Columbia University, Bellovin analyzes the Cybersecurity Act of 2009 piece by piece and finds plenty to like, but also finds a number of serious problems.
Let’s start with the good stuff. Section 2 summarizes the threat. If anything, it understates it. Section 3 calls for the establishment of an advisory committee to the president on cybersecurity issues. Perhaps that’s Just Another Committee; on the other hand, it reports to the president and “shall advise the President on matters relating to the national cybersecurity program and strategy”. That’s good — but whether or not the president (any president!) actually listens to and understands their recommendations is another matter entirely…
Suppose that we only wanted to protect the water, power, and communications systems, and hence their networks, while other networks were under attack. How would spare parts be ordered, if the vendors’ factory networks weren’t functioning? Where would fuel come from, if trucking and shipping company networks were not protected? Could these companies even communicate with their employees, given how many rely on commercial ISPs for telecommuting? For that matter, these companies themselves rely on commercial ISPs to link their various locations. The ability of the President to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network” would be of dubious utility.
Bellovin knows whereof he speaks, and as someone who has served on committees that have produced recommendations on improving information security, he has a valuable perspective. “The short answer is that just as there is no royal road to geometry, there is no presidential or Congressional road to cybersecurity. You have to do it step by step, system by system,” he writes.