Kill-switch bill would add certification, licensing burdens

By Scot Petersen, Executive Editor
23 Apr 2009 | SearchCompliance.com

Proposed Senate Bill 773, also known as the Cybersecurity Act of 2009, has received quite a bit of attention for its Internet "kill switch" proposal, which would give the president the authority to shut down the Internet in the event of a massive cyberattack.

That radical proposal makes up only a small portion of the bill, however. The rest covers areas that no one is talking about much: a raft of new federal security standards and certification and licensing requirements that could have major impacts on businesses and security professionals.

The bill, introduced April 1 by Sen. John D. Rockefeller IV (D-W. Va.) and Sen. Olympia Snowe (R-Maine), seeks to establish a Cybersecurity Advisory Panel, a "real-time cybersecurity dashboard" and regional cybersecurity centers that would oversee the "promotion and implementation of cybersecurity standards" as well as facilitate certifications and licensing of security professionals in the new standards.

Some experts contend that while the bill has some good ideas, many of them would be overkill and difficult to implement.

"This is one piece of legislation that has got more [required] reports in it pound for pound than any piece of legislation I've read in quite a long time," said Lynn McNulty, director of government affairs for (ISC)², a nonprofit security certification organization. "Congress is trying to galvanize the executive branch into some action."

The standards would be under the control of the National Institute of Standards and Technology (NIST), which already has established a number of technology and security standards, including the Federal Information Security Management Act (FISMA). NIST is under the Commerce Dept., and the Senate Commerce Committee is chaired by Rockefeller.

The bill is being debated as other parts of the government, in particular the National Security Agency and the Dept. of Homeland Security, are debating who should run cybersecurity efforts in the U.S. But clearly President Barack Obama's administration and the 111th Congress are making sure there is more accountability around cybersecurity than under the previous administration, experts say.

"Obama ... has effectively taken concrete steps such that if and when breaches occur, like the one recently found in the power grid, he will have a clear trail of action at least to show he has been taking steps to implement controls," said consultant Sarah Cortes of Inman Technology IT in Cambridge, Mass. "What is unique about this area of legislation is that technology and tools are changing and developing far more rapidly than the government is used to dealing with, and I believe a new method for dealing with it will evolve, a sort of legislative/business method for governing security areas that we have not as yet seen."

The potential for overlap between new and existing security standards concerns some authorities, who say that there are already adequate standards and practices spelled out by NIST. Those standards just need to be put to use and enforced.

"You already have FISMA. That mandates what government agencies must be doing," said regulatory expert Paul Reymann, CEO of ReymannGroup Inc., who was a co-author of Section 501 of the Gramm-Leach-Bliley Act data protection regulation. "Whether it comes from the Commerce Department or a presidential order, the capabilities are there [to enforce existing standards.] You don't use a hammer when you need a screwdriver."

The bill stipulates that the Department of Commerce would put a licensing and certification program into place within one year of the bill's passage, which would make it unlawful for anyone who is not certified to perform cybersecurity services on what is deemed "critical infrastructure." What constitutes critical infrastructure is not defined in the bill and would be left up to the president or a designee.

"Licensing for doctors, for medical people, for attorneys in this country is done through the state government level, not at the federal level," McNulty said. "The government encourages people to get certified on their own volition. That's one thing, but it's another thing to talk about mandatory certification and a licensing agreement on top of that. It will be very difficult to implement in a timely matter and you're going to see a lot of push back on that from professional groups."

Reymann said the certification process would be pushed to the regional centers. He said he expects such centers would be made up of nonprofit entities, "which makes me nervous because they are on shoestring budgets. NIST, on the other hand, has a good reputation and has been on the forefront of putting out good standards, data security practices and certifications."

Many experts worry that new regulations will put additional financial and training burdens on smaller companies that are already straining under the weight of compliance regulations like HIPAA, the Sarbanes-Oxley Act and PCI DSS. "Don't penalize people, especially SMBs," with more compliance, Reymann said.

Reymann said he does like the provision in the bill that would call for more security enforcement to be pushed out away from businesses and onto the broadband providers and ISPs as a means for mitigating the costs of complying with the security measures. "I'm a big advocate of better security at the perimeter, and we are starting to see Sprint and Verizon do that," he said.

Regardless of the fate of Bill 773, Reymann contends that compliance really shouldn't be the endgame of any cybersecurity laws; security should be. "The difference between security and compliance is that compliance does not guarantee security, but security done right can give you good compliance," he said.

As for the kill-switch provision, it's unlikely it will be passed as it is now written. "Shutting down the Internet [is] another way to say shutting down the economy," Reymann said. "Do we want to do that, and how do you start it back up again?"
