March 24, 2010

There are several cybersecurity policy issues on Capitol Hill that are worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cyber security professionals.

As reported by The Hill newspaper, Senators Orrin Hatch (R-Utah) and Kirsten Gillibrand (D-NY) have introduced The International Cybercrime Reporting and Cooperation Act, a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders.

According to The Hill, the measure would:

“…charge the White House with the responsibility of identifying countries that pose cyber threats, which the president would have to present to Congress in an annual report. Those states would then have to develop plans of action to combat cybercrimes or risk cuts to their U.S. export dollars, foreign-direct investment funds and trade assistance grants, the lawmakers explained.”

More here.

This is a nice – if hard to measure and enforce – idea. I have often argued that it is remarkable that the United States includes measures to cut down on software piracy in its trade policies with other nations, and yet it does nothing to mandate more action on cybercrime. I applaud this effort, but if lawmakers are really serious about cracking down on places that appear overly tolerant of cybercrime activity, perhaps they should start by looking a little closer to home.

In other news, one of the world’s largest and oldest educational and scientific computing groups says it is “deeply troubled” by mandatory training provisions included in The Cybersecurity Act, a bill proposed by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). The bill is aimed at protecting critical U.S. network infrastructure against cybersecurity threats, but it includes language making it illegal for anyone to offer cybersecurity services to any federal agency or system without being certified and licensed as such under a program to be determined by the Commerce Department.

In a letter sent to the lawmakers this week, the U.S. Association for Computing Machinery and the Computing Research Association said the bill the measure emphasizes training in narrow techniques rather than an education in holistic systems design. The group charged that, as written, the bill would…

“…require a complex, untested, and mandatory certification regime for public and private employers almost immediately after a National Academies study is conducted to determine — and it has not yet been determined — whether such a program would even be feasible. It is premature to mandate the creation of a massive new certification program without the benefit of a careful, deliberate Academies study that examines both the feasibility and side effects of any such program.”

Gene Spafford, a professor of computer science at Purdue University and one of the signatories to the letter, said the certification requirements as spelled out in the bill would have far-reaching implications for the way colleges and universities teach security across the country.

“Microsoft has invested more than a billion dollars in producing much better security, look at how often they find flaws in their stuff. Google is know for hiring the brightest people and being very concerned about security, and look at what happened in China,” Spafford told Krebs on Security. “So, setting a regime to require that everybody be certified in something we don’t know how to do and is changing almost monthly is a dangerous approach. It’s not only costly, but it’s dangerous in the sense that you will have groups setting certification standards based on what they teach, not on what is likely good practice.”

Spafford said the requirements would undoubtedly be a boon to companies that offer training courses, but that his organization has seen no evidence that a group of people with any particular certification produce better computer code.

“Given that a lot of code in use right now is produced offshore, that’s where some of the international aspects come in,” he said. “So trying to require certifications, seems like a good idea on the surface, but we’ve discussed [this] in several ways for many years, and our conclusion is we’re just not ready yet.”

Alan Paller, director of research for the SANS Institute, an organization that offers security training and certification, compared the market for today’s software and network engineers to the early 1900s, before physicians had to be licensed.

“The country didn’t like fact that doctors could teach anything they wanted and that people had no idea what they were getting in a doctor,” Paller said. “In 1915, they set up national board of medical examiners that said schools can teach anything they want but graduates have to show they can practice these methods in medicine, and the states said if don’t have a medical degree you can’t practice medicine. It’s kind of the same situation with computers now: Most of the people who say they know security don’t have a clue. They don’t know the best practices, heck, they don’t even know what TCP is. Security experts need to have the skills it takes to harden systems and make them harder to break into, and to protect systems with monitoring and do system forensics, [Technicians need to] have to have the common basics, and then some specializations. It’s foolish for academics to claim that there is no standard, because that’s exactly what they said in medicine 100 years ago, and they killed a lot of people.”

Got strong opinions about these and/or other cybersecurity policy proceedings? Sound off in the comments below.

Updated, Mar. 25, 9:25 a.m. ET, to include comment from Paller.


21 thoughts on “Cybersecurity Policy Roundup

  1. Tim Benton

    Yikes! Senators and congressmen telling the rest of us how to secure the Internet. Not a good plan. Someone needs to have a bit of CS101 for these folks.

    As pointed out in this fine article, the security landscape on the Internet changes often. Almost hourly. Last time I checked there were an average of 290+ new malware threats on the Internet each and every day. I think there must be a better way. Please don’t legislate Internet security.

    1. BrianKrebs Post author

      Hi Mason. Do you have a direct link to the amended version you’re referring to? Thanks.

      1. Mason

        direct link (not sure they want it published since registration is required)
        http://www.govinfosecurity.com/external/commerce-senate-gov-public.pdf

        Section 101 is the new certification requirements for people providing services to the federal government and “critical infrastructure information systems”

        As another commenter already discussed, it is not far removed from the concept of the DOD 8570 program.

        The original bill required a licensing scheme set up under the department of commerce. That appears to be gone now.

  2. Kelly Kane

    Hey Brian –

    Great article explaining what’s going on in cybersecurity policy this week. It’ll be interesting to see what gets passed and what the ramifications will be for countries that fail to crack down on cybercrime as well as organizations that don’t follow through on the certification process.

    Thanks for boiling it all down!

    Kelly

  3. JR Fezziwig

    To Senator Hatch: how does one threaten one’s biggest creditor?

  4. Ray

    Requiring training and certification or licensing will do a lot to improving the credibility and professionalism of the field. Right now everyone is an expert if they say they are. You have to start somewhere.

    I’d also argue the bit about Microsoft. Yes they still have problems but they have hundreds of disparate products in production and thousands in use. Even when they have to release a dozen patches in one month, they are still doing a good job overall.

    Compare them to Oracle, who is solely a database and related products vendor. Percentage-wise they have a whole lot more patches.

    And Linux isn’t any better. Red Hat releases a continuous stream of patches and they outnumber Microsoft by far. It’s not unusal to log into the Red Hat Network and find my servers are a dozen patches behind when they were fully updated last week.

    1. AnonymousMike

      I would have to disagree that requiring training and certification or licensing will do a lot to improving the credibility and professionalism of the field. A certification in general certifies nothing other than you can study and pass a test. Requiring a certification instantly opens the door to those training companies who will “guarantee” you pass the test or your money back. From personal experience I’ve met people with every certification in the book, and zero ability to execute the things they “know” in practice. But I will grant you that there are plenty of equally useless people claiming and working as “experts”.

      If the gov really wants to improve the credibility of cyber security professionals they should develop an educational system for security professionals. I would even go so far as to say provide top of the line cyber security education for free, but require a five year commitment to a government entity. Something similar to the concept of you got to bootcamp, receive training to make you as capable as possible for your job responsibilities, then spend a number of years protecting the institution that provided that education. If you vetted your candidates well, provided an excellent educational opportunity, and secured work position in your field of choice on graduation. I would venture the government would have a substantial number of highly competent cyber security professionals eager to expand on their education base, and have a secured job. Through say a two year training course, you could easily identify the failures and come away with the needed staff to secure government infrastructure. No cert needed.

  5. CyberNorris

    Brian,

    In 1998 an individual fresh out of Big-Ten university with CompSci B.S. and M.S. was hired by my employer. I handed him a network cable and told him to plug his computer into the hub. He replied, “What’s a hub?”

    If a CompSci graduate can’t pass a basic information security certification exam with very little study, that education is lacking.

    Any US Government network that contains national security data already requires an ongoing certification and accreditation process… DIACAP for DOD networks and NIACAP for other National Security networks… to help ensure that network can secure that data. It only makes sense to require the individuals who work on and maintain those networks to have at least a measurable knowledge of the basics of information security.

    Take a look at DoD 8570, which requires DOD employees and contractors who conduct Information Assurance functions hold an approved certification appropriate for their job function.

    NSA worked with ISC(2) to create the Information Systems Security Engineering Professional (ISSEP) certification that specifically met their requirements. This certification was certainly not created based on what any school teaches.

    NSA and DHS have designated certain schools as National Centers of Academic Excellence. These schools have curriculums which teach and research in the areas of information assurance. While the specific curriculums do focus on a certain educational standard, these schools still have to be accredited. Their students are not just attending an extended certification boot camp.

    The base structure for the individual certification part that this legislation would require is already in place.

    However I don’t believe businesses providing service should have to be licensed. There are plenty of small contract worker placement companies which might not be able to meet the licensing requirement, but would still be able to provide qualified and certified individuals to fill contract jobs.

    1. Jason Cowling

      I attend one of those schools on the SFS program (Scholarship for Service). The gov pays for my Masters (Information Security, Public Policy, & Mgmt) and I go to work for them for 2 years after graduation…. wanted to mention this because the program is extended quite a bit in the new legislation from Senators Rockefeller and Snowe. Also, I can attest that our program is in no way a certification course!

    2. infosec_pro

      @ CyberNorris, I’m a little confused by your first two paragraphs. The second para could be construed as saying that a certification like a degree demonstrates broad knowledge, and your first para shows otherwise.

      Both the certification and the degree show only that the holder passed the test or the course, nothing more.

      The proposed requirement puts it backward. Requiring certification presumes that certification will resolve the problem underlying poor performance. Why not simply hold people accountable for performance?

  6. BattleChicken

    I always find it frightening when technologically illiterate people draft up legislation based on the reports of ‘experts’ (some of which aren’t, some of which are); A lot always seems to get lost in the translation, and they come up with some scary-bad policies.

  7. Jim

    If this vocation is no more effective than the can spam farce. We have a waste of funds and no firm control. I smell political smoke.

  8. Jared Pfost

    BK, Thanks again for the research. I’m going to use that donate button!
    I agree 100% with Spafford. While I support certain agencies requiring specific experience, requiring an army of Fed-CISSPs will be a waste of resources. Test-based certs won’t resolve the problem of people claiming they’re experts. It only makes it easier for inexperienced hiring managers to make the wrong decision. Security expertise is gained through experience.
    If the Fed wants to improve security, they should use their buying power to mandate resilient systems and add teeth to their measurement mandates.

  9. Keith

    There is plenty of need for both well-trained staff and well-educated staff. Not everyone needs a post-graduate engineering degree and years of experience to be a valuable resource. For those, training and certification are useful to prove that you have the essential knowledge needed to do the job. The engineers and scientists are going to be needed to guide the activities of the doers – not necessarily as managers but technical leaders.

  10. Gannon

    I don’t see why Computer Security could not be a personal license as is Customs Brokerage. This system has been in place since the Constitution was adopted.

    Unfortunately, this model is at odds with the hierarchy of the multi-national Corporations. It makes the license holder valuable above their “natural” place in the food chain. And some people don’t get that “Free Trade” has nothing to do with service fees for importation. The test is hard (on people). Nationwide, 1200 something people took the exam, 6.7% passed last October. However, it is not a burden on Business. Nobody cares where the Enron accountants went to school.

  11. DavePDX

    In other InfoSec policy news, Washington State just became the 3rd state to reference PCI in state law (but a little bit differently than the Nevada model), and also now requires businesses who have breaches of card data to pay for the card issuers in the state to re-issue cards (e.g., Heartland would have paid card issuers to re-issue cards that were compromised).

    http://www.infolawgroup.com/2010/03/articles/payment-card-breach-laws/faq-on-washington-states-pci-law/index.html

  12. Coho

    I pitched a vendor certification to Howard Schmidt in Febraury 2009 hoping that ISC2 would hope at certifying vendors who provide security services. The biggest incentive has been the steady roll of information security vendors who push their services using untrained staff. As long as someone knows how to run one of the automated scanners then apparently they are pen tester.

    Beyond security vendors requiring certification, we need to look at the root cause. Developers. I’m I downing developers? No but there should be some type of security coding certification for them. Likewise perhaps part of the bill should required companies that want to do business with the federal government to employ developers who are certified secure code developers.

    Regarding the comment from Gene Spafford. It seems a bit idealic. Sure Google hires bright people but where politics abound the brightest person’s ability to secure an environment will fail. The Google hack occurred because of a lack of defense in depth. If Google were to tell the entire tale, chances are they had the ability to stop the compromise but likely some of the countermeasures where not tuned appropriately. Why would be the next question. Likely in-house politics.

    People need to get real and stop dancing around why some security breaches occur. Look at the structure of an company and see where security is place. If its inside of IT then its going to take a beating. Does it need to take top priority. Not necessarily but it does need to be given a reasonable seat at the table rather than relegated to last place.

  13. Department of defense(DoD 8570)

    CISSP – Information Security Training -Department of defense 8570,DoD 8570,8570,Dod 8570-a,Dodd 8570 CISSP Certification – CISSP Training – Security Training- Logical Security – Shon Harris,Two new reports–from the Center forStrategic and International Studies (CSIS), and from the consulting firm Booz Allen and the non-profit Partnership for Public Service
    (PPS)–highlightserious shortfalls among the federal government’s cyber security work force.

Comments are closed.