A couple of very interesting and positive events occurred over the past few months that give many IT security professionals new hope.
In September 2008, Sen. Tom Carper introduced the bipartisan Federal Information Security Management Act (FISMA) and said, "We are targeted every day; not just by kids and pranksters out to see if they can get into our databases and personnel information ... but we are targeted every day by criminal elements."
Then on April 1, 2009, Sens. Jay Rockefeller and Olympia Snowe introduced the Cybersecurity Act to address America's vulnerability to cyber-attacks and cyber-crime that could disrupt or disable the nation's critical infrastructure.
Rockefeller stated, "We must protect our critical infrastructure at all costs .... It's an understatement to say that cyber-security is one of the most important issues we face: the increasingly connected nature of our lives only amplifies the vulnerability to cyber attacks and we must act now."
Snowe added: "America's vulnerability to massive cyber-crime, global cyber-espionage and cyber-attacks has emerged as one of the most urgent national security problems facing our country today."
FISMA requires all federal agencies to appoint a chief information security officer (CISO) and establishes a council to help federal CISOs develop best practices and performance measures. It also requires the U.S. Office of Management and Budget to promote cyber-security regulations governing contracts and the U.S. Department of Homeland Security (DHS) to deliver annual reports on operations and testing of federal government networks.
While FISMA isn't exhaustive, it fills an important gap by requiring that CISOs "possess the necessary qualifications" and "have the budget, resources and authority" to essentially run a good security program. Is it perfect? No. Does it do everything? No. But it's a good step, and for state and local governments, it's a good compass heading.
The Cybersecurity Act isn't faultless either but may be the most complete of federal cyber-security legislation. It has 23 sections of things an organization should look for to build a great security program, like a "Findings Section" that, proving they at least listened to the experts, summarizes many reports, assessments and testimony from the past couple of years. It even requires the National Institute of Standards and Technology to "establish measurable and auditable cyber-security standards."
Everybody say "Amen!" There are a few questionable things, but most striking is that the bill gives most of the responsibility to the secretary of commerce. This is a significant departure from all of the rumors about the National Security Agency, DHS and White House running cyber-security.
What does this legislative activity indicate? There's apprehension, anxiety and maybe some fear in the federal government that has led it to do something significant, and quickly. Recent articles in The Wall Street Journal and The New York Times highlight the latest string of threats and attacks that have galvanized Congress and the White House to act.
If the Constitution is America's mission statement, then establishing justice, insuring domestic tranquility, providing for the common defense, promoting the general welfare and securing the blessings of liberty are increasingly threatened by the lack of a coherent national cyber-security strategy. This deficiency requires action and hopefully the government is finally stepping up to the cyber-plate. We can discuss and even disagree with the content of this legislation, but my excitement comes from the simple fact that people are paying attention.
Author's Note: The views expressed are solely mine and nothing stated in or implied from the article should or may be attributed to the state of California or any of its agencies or employees.
