S.773 – The Cyber Security Act of 2009 – part 2

Written by SoVaSec on June 1st, 2009

This is the second part in a series concerning the Cybersecurity Act of 2009, S.773. As per request I have broken a large single page into sections. If you liked it the other way let me know. Please forgive my use of the term -cyber-, and any other marketing buzzwords. I’m just reflecting the terminology used.

S.773 Cybersecurity Act of 2009, part 2.


The relationship between the national intelligence agencies and the private information technology sector has long since been consummated. There exists a tight federal and private partnership, with the majority of intelligence work being outsourced from the federal level to the corporate. This legislation is nothing more than a formality. It makes the partnership public knowledge, and gives the intelligence industrial complex an official voice in the White House.

SEC. 3. CYBERSECURITY ADVISORY PANEL.

    (a) IN GENERAL- The President shall establish or designate a Cybersecurity Response Advisory Panel.
    (b) QUALIFICATIONS- The President–
    (1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and
    (2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.

The President will select people who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns.

This is quite a broad section of potential appointees. There is no mention of how the selection process would be carried out, or what makes one person more qualified than another to serve on the panel. The President is neither qualified to carry out the selection process, nor able to comprehend the details of recommendations given to him. Instead it would be necessary to create a “National Cyber Security Czar”: a sort of interpreter to advise the President in terms he can understand, and to give the President’s speech writer terms most people can comprehend. I suspect what we will ultimately see is the creation of a new cabinet position, a ‘Secretary of Cyberdefense’. Though it seems this has been done in the form of the National Cybersecurity Center.

US Cyber Head Quits Over Threats To Democracy

Rod Beckstrom, the head of the Department of Homeland Security’s National Cyber Security Center, said last week he would be stepping down effective March 13.

In a letter to Homeland Security Secretary Janet Napolitano, Beckstrom said the NSA “dominates most national cyber efforts” and “effectively controls DHS cyber efforts through detailees, technology insertions and the proposed move” of the NCSC to an NSA facility at the agency’s Fort Meade, Md., headquarters.

In addition to the NCSC there is also the position of White House Cybersecurity Chief. With regard to part one of this article, I feel it important to note that the acting White House Cybersecurity Chief, Melissa Hathaway, was Senior Advisor to the Director of National Intelligence, Mike McConnell, and Cyber Coordination Executive, and she specialized in cybersecurity strategies with the consulting firm Booz Allen Hamilton.


President Obama made an announcement in regards to the nation’s cybersecurity direction. Included in this plan is the appointment of a Chief Cybersecurity Coordinator. It seems they will not be going with the title ‘czar’ this go-round. It makes sense that the first people to be approached for positions on the panel will be people already employed in the service of the government. Those quoted in the findings would be an excellent example of potential panel members. Despite the new campaign from the Department of Defense to recruit hackers out of high school, I strongly doubt there will be any application process for independent civilian admission onto the panel. With Ms. Hathaway on the inside, and her former boss on the outside, it seems that not only has the chess board been set, the game has been played, and what we are seeing is the result of the match finalized and put down on paper.

Spies for Hire, US pays Carlyle Group to spy-2/3

(c) DUTIES- The panel shall advise the President on matters relating to the national cybersecurity program and strategy


The National Cybersecurity Program and Strategy.

What is the strategy? The duties do not initially require the creation of a strategy. The panel will assess trends and developments in cybersecurity science research and development. That is what security researchers do every day. Why the need for a special panel to follow these trends and developments? With the existing intelligence gathering network, and competent information security people, these agencies likely already monitor the social networks devoted to the subject of security. Is it wrong to believe they are competent? If this is not the case, then why should they be trusted with even more responsibility?

President Obama’s administration has announced the US cyber security strategy. The 76 page review deserves its own analysis. Covering its details would be too great of a detour for this article. For now we can only hope that the President has realized the necessity to let someone else deal with the details of cybersecurity.

The Panel is to assess the balance among the components, including the funding. Those who have been selected to the panel are expected not only to defend the nation, but also to be concerned with their budget as well. Additionally, the panel is to become introspective, self-auditing, and decide if they are really doing a good enough job. Is the public expected to think that the panel will decide ‘hey, you know what? We’re doing a terrible job, we all need to be fired!’? It does not seem to be a very plausible scenario. More likely would be a hand-picked group of yes men, who will bring prearranged solutions proposed by their respective parent groups. The respect for civil liberty will be left to the values of the individuals of the group. Even if a representative of the Electronic Frontier Foundation were invited to the panel, they would have just one voice amongst the myriad defense and intelligence representatives. As mentioned in the previous article, civil liberties are not rights, they are privileges, which can be easily revoked in the name of national security. The NSA already has everything under control.

(d) REPORTS- The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.

In two years, many things could have changed. In two days a major vulnerability could be discovered; in two minutes a massive number of systems could be compromised.



SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.

    The Secretary of Commerce shall–
    (1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce; and

(2) implement the plan within 1 year after the date of enactment of this Act.

The Secretary of Commerce secures the deal with the panel for the ‘Cybersecurity Dashboard’ and sells the product to the Office of Management and Budget. SANS Internet Storm Center already provides a similar service. Perhaps this will be their new role. They already have excellent services utilized at the federal level. Another SANS service called DShield sends threat data to a central database to provide metrics. A combination of these services would create the Dashboard with very little investment. Many of the proposals put forth in this Act seem to be redundant in relation to existing security methods. Perhaps they merely want to consolidate these existing practices into a comprehensive guideline for the overall security of critical systems, effectively using this Act as a vessel to appropriate funding to institutions which could best carry out the best-laid plans of top security professionals, in order to ensure that standards are adopted universally.

SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.

(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards.



What the Secretary of Commerce will be providing is sales assistance. His job is “to foster, promote, and develop the foreign and domestic commerce.” What does that have to do with cybersecurity? What he is doing is acting as a facilitator to ensure the funding from the Office of Management and Budget will end up in the correct pockets, because they are building an industry around the threat of cyber attacks with the promise of centralized cybersecurity.

Let’s recall what the former Director of National Intelligence said.

DNI nominee lists cybersecurity as priority

The Office of the Director of National Intelligence plays a central role in coordinating the government’s Comprehensive National Cyber Security Initiative and Mike McConnell, the outgoing director of national intelligence, recently said cybersecurity was “the soft underbelly of this country.”

and that

if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been ‘an order of magnitude greater’ than those caused by the physical attack on the World Trade Center.


If they felt this was true, don’t you think the reaction, proposals, and preparations would be much different? The nation is under attack by terrorists who can attack any place at any time. If we are currently in cyberwar, who would you pick: the Secretary of Commerce or the Secretary of Defense? Which would be the most appropriate for providing assistance for creating these regional security centers? I doubt they will be building new structures for dedicated regional cyber arsenals. As stated in the legislation the funding will go to a variety of places. I think it is likely this funding will be supplemental to those which already receive some amount of government funding. It’s no wonder the Secretary of Commerce is involved and not the Secretary of Defense. This is going to be a business venture with money going to regional offices of current contractors, or perhaps some quid pro quo with the landlords of major sections of the internet.

Do not misunderstand me and think that I feel some sort of military control is in order for the internet, or that we would be better off with the Department of Defense as opposed to the Secretary of Commerce. Remember that around 70% of the DoD’s intelligence budget goes to the same people that will be involved in carrying out the National Cybersecurity Strategy. The intelligence agencies are at the front pushing for this standardization of critical systems. The connection may not be apparent on the surface, but what we are seeing is the transition from traditional military operations into modern ones. The outsourced military intelligence, acting as private contractors, will be working with the Secretary of Commerce on the National Cybersecurity Strategy, and developing and implementing new standards.



If the purpose is to enhance cybersecurity in small and medium businesses, one way to effect mass adoption would be to offer coupons or vouchers similar to those seen with the digital television boxes. In other words, pay people to participate. It does not seem reasonable for a cyber-cop to be stationed physically as a human guardian in each business. Instead there could be something such as a separate firewall machine, some sort of defensive portal to the wild wild web, in addition to or in conjunction with intermediary hardware and software, and even locally on the individual machines. On the interface side there could be some sort of password system that would give positive identification of the user, to prevent unauthorized access. However, it remains that this is a federal and corporate effort. The solutions provided, and the necessary requirements made mandatory, would simply force small businesses to comply with the standards and buy into the program. The cybersecurity centers will act as a middle man in the process. Small businesses will need to contact their local centers, sign up for the Cybersecurity Program, and verify compliance with the new standards. The most likely route will be mandatory compliance standards.

(1) the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to Centers and, through them, to small- and medium-sized companies throughout the United States;


The NIST will be in charge of the standards, processes, technology, and techniques. These accepted techniques will be handed out to the small and medium businesses. This technology transfer process is essential to this plan. The participation of industry, universities, state governments, other federal agencies, and the NIST itself is written into the legislation. The same entities represented by the members of the panel will be supplying technology and techniques to the NIST. These solutions would be marketed to the small and medium sized businesses. The NIST is controlled by the Secretary of Commerce, who brokers the deal between the private sector and the government. Standards might be important when constructing a new system, but they do not inherently imply security. Threats are constantly evolving, and the national defense strategy should be flexible enough to adapt. I would agree that some standards could be applied in the creation of defensive systems, but they would only protect against known attacks. One of the downsides of system-wide standards is the additional budget required to research, plan, and implement them. This funding could be much more efficiently utilized by simply beefing up existing programs, modernizing hardware, and increasing staff.

Schneier on Security: Obama’s Cybersecurity Speech

Centralizing security responsibilities has the downside of making security more brittle by instituting a single approach and a uniformity of thinking. Unless the new coordinator distributes responsibility, cybersecurity won’t improve.

(c) ACTIVITIES- The Centers shall–

    (1) disseminate cybersecurity technologies, standard, and
    processes based on research by the Institute for the purpose of
    demonstrations and technology transfer;
    (2) actively transfer and disseminate cybersecurity
    strategies, best practices, standards, and technologies to protect
    against and mitigate the risk of cyber attacks to a wide range of
    companies and enterprises, particularly small- and medium-sized
    businesses; and
    (3) make loans, on a selective, short-term basis, of
    items of advanced cybersecurity countermeasures to small businesses
    with less than 100 employees.


The centers will act as a hub for the small and medium businesses to contact and receive whatever product has been produced by NIST, whether this is information, software, hardware, technicians, etc. This would be a process to actively defend not just small businesses; companies and enterprises would receive assistance as well. There are a number of computer security related conferences whose goal is to actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies to protect against and mitigate the risk of cyber attacks. What would happen to the security conferences under this bill? Would the best talks be captured into the federal system, and what would be the requirements to have access to this information?


I note an unusual level of generosity for the government to make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures. What exactly is an “advanced cyber security countermeasure”? Why would a small business be under a level of attack that the government would need to step in to control something the business’ Internet Service Provider should be prepared to handle?

(c) Duration and Amount of Support; Program Descriptions; Applications; Merit Review; Evaluations of Assistance-

    (1) FINANCIAL SUPPORT- The Secretary may provide financial support, not to exceed 50 percent of its annual operating and maintenance costs, to any Center for a period not to exceed 6 years (except as provided in paragraph (5)(D)).
    (2) PROGRAM DESCRIPTION- Within 90 days after the date of enactment of this Act, the Secretary shall publish in the Federal Register a draft description of a program for establishing Centers and, after a 30-day comment period, shall publish a final description of the program. The description shall include–
    (A) a description of the program;
    (B) procedures to be followed by applicants;
    (C) criteria for determining qualified applicants;
    (D) criteria, including those described in paragraph (4), for choosing recipients of financial assistance under this section from among the qualified applicants; and
    (E) maximum support levels expected to be available to Centers under the program in the fourth through sixth years of assistance under this section.


The Secretary of Sales Commerce will appropriate funding from the Office of Management and Budget to fund up to 50% of the approved Regional Cybersecurity Centers. I suppose to many people this is the most important section, such as businesses looking to see if they can get a piece of the pie. It seems that even though the pie gets bigger each year, it is very rarely cut into more slices. This whole section seems to be designed to project the illusion of a free market.
The draft description of this program will be publicly published and receive comments for 30 days until the final draft is issued. The Secretary of Commerce will describe the program and how it should be run. The Secretary will define the qualifications for the members of the centers.

(3) APPLICATIONS; SUPPORT COMMITMENT- Any nonprofit institution, or consortia of nonprofit institutions, may submit to the Secretary an application for financial support under this section, in accordance with the procedures established by the Secretary. In order to receive assistance under this section, an applicant shall provide adequate assurances that it will contribute 50 percent or more of the proposed Center’s annual operating and maintenance costs for the first 3 years and an increasing share for each of the next 3 years.

(4) AWARD CRITERIA- Awards shall be made on a competitive, merit-based review. In making a decision whether to approve an application and provide financial support under this section, the Secretary shall consider, at a minimum–


Nonprofit institutions may apply for financial aid. The government will provide up to 50 percent of the initial funding and slightly less every year after. Funding and in-kind support from other sources means donations from private individual sources and other entities not directly contracted for the project. In addition to the evaluation by the panel every 2 years, the centers will receive a third year evaluation. This evaluation of the centers will require the formation of another panel, of private experts who are not allowed to be connected with the center or to be federal officials. After the sixth year the center will undergo evaluation to receive additional funding.

(6) PATENT RIGHTS TO INVENTIONS- The provisions of chapter 18 of title 35, United States Code, shall (to the extent not inconsistent with this section) apply to the promotion of technology from research by Centers under this section except for contracts for such specific technology extension or transfer services as may be specified by statute or by the President, or the President’s designee.

Anything new that comes out of this will be protected by patents, unless the President or the Cyber Coordinator decides they are not. This is a way to protect the intellectual property developed after the Act has been instituted. The centers might develop new ‘Advanced Cybersecurity Protection Devices’. The Secretary of Commerce will sell this new technology back to the Office of Management and Budget while the NIST integrates the new technology into its standards, making it a mandatory requirement that will profit the people they are partnered with.

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.

(1) CYBERSECURITY METRICS RESEARCH- The Director of the National Institute of Standards and Technology shall establish a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. These metrics should measure risk reduction and the cost of defense. The research shall include the development automated tools to assess vulnerability and compliance.

This is, after all, the thing that the NIST does best. When it’s time to measure something, you are going to need something to measure it with. The economic impact of cybersecurity is again the main concern. They are concerned with the economic impact of a major cyber attack on the United States. There are already a number of tools which exist to check for existing vulnerabilities in systems. In theory, if the network being examined is in compliance with the set standards, there would be no vulnerabilities found. Both the tool and the system inspected would be up-to-date with the standards. I’d imagine they would like a tool that would check various networks within the cybersecurity program to see if they have complied with the standards in accordance with their contract. In other words, the businesses that sign up with the cybersecurity program could possibly be required to allow audits to be performed to ensure compliance. I know systems like this are already in use, where a business is forced to purchase specific equipment and software in order to comply with a contract. The business owner also has no choice in support and maintenance, being required to use the preselected service. This service has complete remote access to the business owner’s network. In addition to updating and patching systems, they also monitor the daily activity of the business.

(2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.

The government would want to continuously monitor known effective defenses. I imagine this to be something similar to inspecting a dam or nuclear power plant for faults. Things built in accordance with standards should be inspected to ensure they have remained in compliance. An electronic monitoring system could be instituted to verify compliance with the standards.

(3) SOFTWARE SECURITY- The Institute shall establish standards for measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. The Institute will also establish a separate set of such standards for measuring security in embedded software such as that found in industrial control systems.

SANS Institute – CWE/SANS TOP 25 Most Dangerous Programming Errors

National Security Agency’s Information Assurance Directorate
“The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology. There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively.”
-Tony Sager, National Security Agency’s Information Assurance Directorate

Better security through programming.

It’s a noble enough thought, and a good idea to teach secure coding practices to programmers. If you’re interested there’s an internet radio production on this subject, specifically regarding the SANS 25 and how some of these ideas are ineffective. Check out ‘SANS things that won’t work’.

(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE- The Institute shall, establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

The government wants their own programming language. Does this have any chance of offering security benefits? Attackers would simply learn the new language, and use the associated development frameworks to write language-specific exploits. Rather than using existing languages and being aware of existing problems, they would develop a new language with none of its flaws yet exposed. What happens if they develop the language, implement it across the board, and then find out sometime later there is some critical design error that could collapse national security if exploited? If they did develop a multi-platform language, the underlying operating system could still be targeted. So I suppose the next step will be the development of a proprietary, closed source operating system. Something designed specifically for the government, and scalable down to the small businesses for use in the cybersecurity program.


(5) STANDARD SOFTWARE CONFIGURATION- The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.


Insecure standard configurations are a security issue.

Isn’t this something the government and the NIST already do? There are already a ton of standards and best practices out there. So this is sort of a ‘we’re going to keep doing the same thing, and pay ourselves more for it’ kind of deal. Eventually if they throw enough money at a problem it will go away. Right?

(6) VULNERABILITY SPECIFICATION LANGUAGE- The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.


Is this ANOTHER new language? Again, creating a new language would be useless. Something about the wording of this one just doesn’t work for me: “language ... in software to enable software vendors to communicate”. Software is in the language, not the other way around; perhaps they were implying vendor protocols in the software?

(7) National compliance standards for all software-

    (A) PROTOCOL- The Institute shall establish a standard
    testing and accreditation protocol for software built by or for the
    Federal Government, its contractors, and grantees, and private sector
    owned critical infrastructure information systems and networks. to
    ensure that it–
    (i) meets the software security standards of paragraph (2); and
    (ii) does not require or cause any changes to be made in the standard configurations described in paragraph (4).

The software that you run on your systems would have to be certified by the government if you are to participate in the cybersecurity program. This means that third-party applications and extensions would also need to be certified. Every piece of code that is stored or processed by your computer systems would need prior approval from the NIST. Again, this bill would make it quite possible for there to be some sort of monitoring system to verify the programs, likely with the ability to cripple or block unknown and untrusted applications. From a security aspect this sounds like a wet dream. Realistically it sounds like a potential nightmare. I envision something along the lines of a federal ‘app store’, similar to the one used with popular portable media devices. The only applications available would be ones that are pre-approved to run on the device. A special account would be required to have access to these applications. To acquire an account there may be some sort of certification or identification process involved.

    (B) COMPLIANCE- The Institute shall develop a process or procedure to verify that–
    (i) software development organizations comply
    with the protocol established under subparagraph (A) during the
    software development process; and
    (ii) testing results showing evidence of
    adequate testing and defect reduction are provided to the Federal
    Government prior to deployment of software.

In addition to the proprietary language and accompanying development environment, the trusted applications would only be allowed to run on systems that comply with the NIST standards. It sounds like they have it all figured out. Just give the government control over all of our computers.

(b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.


With this Act, the NIST will have the power to evaluate all systems and issue them a new security designation. This will be based on their standards and evaluation of systems. If they plan on evaluating every system, what will protect us from possible abuse by the NIST? I suppose we should just take their word of honor. Right? Theoretically there would be nothing stopping them from sucking up all this formerly classified information and making it more vulnerable than it was before they began. Not to mention the added risks involved with performing these audits, such as ensuring the security clearance of the auditors.

(c) INTERNATIONAL STANDARDS- The Director, through the Institute and in coordination with appropriate Federal agencies, shall be responsible for United States representation in all international standards development related to cybersecurity, and shall develop and implement a strategy to optimize the United States position with respect to international cybersecurity standards.

Getting the world to accept anything as a standard sounds like an enormous pain. Just look at the metric system. It has been adopted in every part of the world except for two or three countries. It just so happens that one of the world’s superpowers has not chosen to adopt this system. If the United States is unwilling to adopt a simpler system of measurement, then who are they to expect the world to follow along with their strict cybersecurity guidelines?

    (d) COMPLIANCE ENFORCEMENT- The Director shall–
    (1) enforce compliance with the standards developed by
    the Institute under this section by software manufacturers,
    distributors, and vendors; and
    (2) shall require each Federal agency, and each
    operator of an information system or network designated by the
    President as a critical infrastructure information system or network,
    periodically to demonstrate compliance with the standards established
    under this section.


Anyone who is part of the cybersecurity program will be bound to mandatory compliance with the NIST standards. Security solutions that have not been approved by the Institute might not be allowed. The President will have the power to declare any system or network as part of the nation’s critical infrastructure. This could include internet backbone systems and Internet Service Providers. For the time being the average citizen would not necessarily need to comply with the standards, but any systems they might access outside of their local network could be under such guidelines. I won’t speculate much on what this means for the average internet user aside from the obvious passing along of the overall cost of compliance in the way of new fees and taxes.

to be continued
