  #1  
Old 04-28-2009, 04:52 PM
LUVMBDiesels's Avatar
Dead on balls accurate...
 
Join Date: Aug 2006
Location: Red Lion,Pa
Posts: 2,207
Internet "KILL switch"?

Do we really need this much legislation around the internet?

Kill-switch bill would add certification, licensing burdens

By Scot Petersen, Executive Editor
23 Apr 2009 | SearchCompliance.com




Proposed Senate Bill 773, also known as the Cybersecurity Act of 2009, has received quite a bit of attention for its Internet "kill switch" proposal, which would give the president the authority to shut down the Internet in the event of a massive cyber attack.
That radical proposal makes up only a small portion of the bill, however. The rest covers areas that no one is talking about much: a raft of new federal security standards and certification and licensing requirements that could have major impacts on businesses and security professionals.
The bill, introduced April 1 by Sen. John D. Rockefeller IV (D-W.Va.) and Sen. Olympia Snowe (R-Me.), seeks to establish a Cybersecurity Advisory Panel, a "real-time cybersecurity dashboard" and regional cybersecurity centers that would oversee the "promotion and implementation of cybersecurity standards" as well as facilitate certifications and licensing of security professionals in the new standards.
Some experts contend that while the bill has some good ideas, many of them would be overkill and difficult to implement.
"This is one piece of legislation that has got more [required] reports in it pound for pound than any piece of legislation I've read in quite a long time," said Lynn McNulty, director of government affairs for (ISC)², a nonprofit security certification organization. "Congress is trying to galvanize the executive branch into some action."
The standards would be under the control of the National Institute of Standards and Technology (NIST), which already has established a number of technology and security standards, including the Federal Information Security Management Act (FISMA). NIST is under the Commerce Dept., and the Senate Commerce Committee is chaired by Sen. Rockefeller.
The bill is being debated as other branches of the government, in particular the National Security Agency and the Dept. of Homeland Security, are debating over who should run cybersecurity efforts in the U.S. But clearly the Obama administration and the 111th Congress are making sure there is more accountability around cybersecurity than the previous administration, say experts.
"Obama ... has effectively taken concrete steps such that if and when breaches occur, like the one recently found in the power grid, he will have a clear trail of action at least to show he has been taking steps to implement controls," said consultant Sarah Cortes of Inman Technology IT, in Cambridge, Mass. "What is unique about this area of legislation is that technology and tools are changing and developing far more rapidly than the government is used to dealing with, and I believe a new method for dealing with it will evolve, a sort of legislative/business method for governing security areas that we have not as yet seen."
The potential for overlap between new and existing security standards concerns some authorities, who say that there are already adequate standards and practices spelled out by NIST. Those standards just need to be put to use and enforced.
"You already have FISMA. That mandates what government agencies must be doing," said regulatory expert Paul Reymann, of the ReymannGroup Inc., who was a co-author of Section 501 of the Gramm-Leach-Bliley Act Data Protection regulation. "Whether it comes from the Commerce Dept. or a presidential order, the capabilities are there [to enforce existing standards.] You don't use a hammer when you need a screwdriver."
The bill stipulates that the Commerce Dept. would put a licensing and certification program into place within one year of the bill's passage, which would make it unlawful for anyone who is not certified to perform cybersecurity services on what is deemed "critical infrastructure." What constitutes critical infrastructure is not defined in the bill and would be left up to the president or a designee.
"Licensing for doctors, for medical people, for attorneys in this country is done through the state government level, not at the federal level," said McNulty. "The government encourages people to get certified on their own volition. That's one thing, but it's another thing to talk about mandatory certification and a licensing agreement on top of that. It will be very difficult to implement in a timely matter and you're going to see a lot of push back on that from professional groups."
Reymann said the certification process would be pushed to the regional centers, which he expects would be made up of nonprofit entities, "which makes me nervous because they are on shoestring budgets. NIST on the other hand has a good reputation and has been on the forefront of putting out good standards, data security practices and certifications," he said.
Many experts worry that new regulations will put additional financial and training burdens on smaller companies that already are straining under the weight of compliance regulations like HIPAA, SOX and PCI DSS. "Don't penalize people, especially SMBs," with more compliance, Reymann said.
Reymann does like the provision in the bill that would call for more security enforcement to be pushed out away from businesses and onto the broadband providers and ISPs as a means for mitigating the costs of complying with the security measures. "I'm a big advocate of better security at the perimeter, and we are starting to see Sprint and Verizon do that," he said.
Regardless of the fate of Bill 773, Reymann contends that compliance really shouldn't be the endgame of any cybersecurity laws; security should be. "The difference between security and compliance," he said, "is that compliance does not guarantee security, but security done right can give you good compliance."
As for the kill-switch provision, it's unlikely it will be passed as it is now written. "Shutting down the Internet [is] another way to say shutting down the economy," Reymann said. "Do we want to do that, and how do you start it back up again?"

__________________
"I have no convictions ... I blow with the wind, and the prevailing wind happens to be from Vichy"

Current
Monika '74 450 SL
BrownHilda '79 280SL
FoxyCleopatra '99 Chevy Suburban
Scarlett 2014 Jeep Cherokee
Krystal 2004 Volvo S60
Gone
'74 Jeep CJ5
'97 Jeep ZJ Laredo
Rudolf ‘86 300SDL
Bruno '81 300SD
Fritzi '84 BMW
'92 Subaru
'96 Impala SS
'71 Buick GS conv
'67 GTO conv
'63 Corvair conv
'57 Nomad
  #2  
Old 04-28-2009, 05:27 PM
Fulcrum525's Avatar
Sing Blue Silver
 
Join Date: May 2008
Location: CT
Posts: 2,117
Imagine the White House janitors at night. "Hey guys you want to see something funny? Watch this!" -Off-......


__________________
1982 300GD Carmine Red (DB3535) Cabriolet Parting Out
1990 300SEL Smoke Silver (Parting out)
1991 350SDL Blackberry Metallic (481)

"The thing is Bob, it's not that I'm lazy...it's that I just don't care."
  #3  
Old 04-28-2009, 05:35 PM
iwrock's Avatar
roflmonster
 
Join Date: Nov 2003
Location: Hella NorCal
Posts: 3,313
That's a bad idea.....
__________________
-Justin

91 560 SEC AMG - other dogs dd
01 Honda S2000 - dogs dd
07 MB ML320 CDI - dd
16 Lexus IS250 - wifes dd

it's automatic.
  #4  
Old 04-28-2009, 06:41 PM
LUVMBDiesels's Avatar
Dead on balls accurate...
 
Join Date: Aug 2006
Location: Red Lion,Pa
Posts: 2,207
Quote:
Originally Posted by Fulcrum525 View Post
Imagine the White House janitors at night. "Hey guys you want to see something funny? Watch this!" -Off-......


Oh man that is too much!

Off topic but funny...
I was working at an engineering firm that had a strange issue. Every night the servers would crash at 7:30. I could not figure it out until I waited by the computers one night. At exactly 7:30 the janitor came in, plugged the big floor waxing machine into the UPS and waxed the floor. When he turned the machine on, all the servers said 'good night.' The UPS was a convenient outlet for him and he could not understand why he could not use it even after multiple attempts to ask him to stop. We had to plug something in to prevent him from using the outlet. I can see this happening at the Executive Residence (White House is SO last century isn't it?)
__________________
"I have no convictions ... I blow with the wind, and the prevailing wind happens to be from Vichy"

Current
Monika '74 450 SL
BrownHilda '79 280SL
FoxyCleopatra '99 Chevy Suburban
Scarlett 2014 Jeep Cherokee
Krystal 2004 Volvo S60
Gone
'74 Jeep CJ5
'97 Jeep ZJ Laredo
Rudolf ‘86 300SDL
Bruno '81 300SD
Fritzi '84 BMW
'92 Subaru
'96 Impala SS
'71 Buick GS conv
'67 GTO conv
'63 Corvair conv
'57 Nomad
  #5  
Old 04-28-2009, 06:47 PM
Hatterasguy's Avatar
Zero
 
Join Date: Nov 2002
Location: Milford, CT
Posts: 19,318
Bad idea, bad government stay away.
__________________
1999 SL500
1969 280SE
2023 Ram 1500
2007 Tiara 3200
  #6  
Old 04-28-2009, 06:53 PM
Fulcrum525's Avatar
Sing Blue Silver
 
Join Date: May 2008
Location: CT
Posts: 2,117
Quote:
Originally Posted by LUVMBDiesels View Post
Oh man that is too much!

Off topic but funny...
I was working at an engineering firm that had a strange issue. Every night the servers would crash at 7:30. I could not figure it out until I waited by the computers one night. At exactly 7:30 the janitor came in, plugged the big floor waxing machine into the UPS and waxed the floor. When he turned the machine on, all the servers said 'good night.' The UPS was a convenient outlet for him and he could not understand why he could not use it even after multiple attempts to ask him to stop. We had to plug something in to prevent him from using the outlet. I can see this happening at the Executive Residence (White House is SO last century isn't it?)
At least he was consistent on his timing

__________________
1982 300GD Carmine Red (DB3535) Cabriolet Parting Out
1990 300SEL Smoke Silver (Parting out)
1991 350SDL Blackberry Metallic (481)

"The thing is Bob, it's not that I'm lazy...it's that I just don't care."
All times are GMT -4. The time now is 05:51 AM.