Legislation being introduced Tuesday in the U.S. Senate would make sweeping changes in how cybersecurity is handled at the federal level, creating a chief information security officer (CISO) position in the White House that reports directly to the president.
The Information and Communications Enhancement (ICE) Act, introduced by Sen. Thomas Carper (D-Del.), places a federal "cyber office" directly below the president. The National Office for Cyberspace would coordinate cybersecurity response among the Department of Homeland Security, the Department of Defense (DoD), the National Security Agency and the private sector.
The realignment proposed in the ICE bill follows comments by Melissa Hathaway, President Barack Obama's acting senior director for cyberspace, calling for cybersecurity authority to be centralized directly under the White House. During her keynote address last week at RSA Conference 2009 in San Francisco, she said that defending citizens and networks against cyberattacks is a "fundamental responsibility of our government." The ICE Act is also being introduced under the pall of the data breaches affecting the DoD's $300 billion Joint Strike Fighter program and the U.S. Air Force's air traffic control system.
Under the new legislation, the Federal Information Security Management Act (FISMA) of 2002 would be revisited and reformed. Currently, responsibility for cybersecurity rests with no single person or agency. More than a dozen federal agencies have claimed responsibility for cybersecurity and respond independently to threats and vulnerabilities. Meanwhile, civilian agencies operate independently of federal agencies.
In addition to enhancing coordination of the various agencies and other stakeholders involved in cybersecurity at the federal level, the bill would link budgetary decisions specifically to strategic policy, said Erik Hopkins, a staff member with the Senate Committee on Homeland Security and Governmental Affairs, in a presentation at RSA. A Senate hearing on the proposal is scheduled for 10 a.m. Tuesday.
Compliance with FISMA would also be changed, directly correlating it with security tools to measure progress, said Alan Paller, director of research at The SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group. Instead of offering high grades for compliance under a FISMA checklist, gap analysis and vulnerability assessments would be used to measure the effectiveness of agency cybersecurity preparation.
"FISMA measured the wrong things," Paller said in a panel session last week at RSA. "FISMA needs a fundamental change to enable prioritization of resources so that costs can be controlled and Web application security can go from 'missing' to 'covered.'"
The new FISMA requirements would call for government agencies and DoD contractors to comply with a set of prioritized controls that reflect their ability to detect and stop cyberattacks. The recently introduced Rockefeller-Snowe cybersecurity bill contains far-reaching requirements covering security infrastructure. Dubbed the kill-switch bill, it would add certification and licensing burdens to agencies and companies alike and would also give the president the authority to shut down the Internet in the event of a massive cyberattack. The missing ingredient that the ICE Act provides, in Paller's view, is coverage of Internet service providers.
"What we need is granularity," Paller said. "No one wants to turn off all industries."
Under the ICE Act, agencies and all entities operating critical infrastructure that must be secured against cyberattacks would be measured against the "20 Critical Controls," the Consensus Audit Guidelines outlined by the Commission on Cybersecurity for the 44th Presidency. Decisions on securing infrastructure and agencies would be based on risk assessments, aligning regulatory compliance with actual security preparedness, Paller said.