one step forward, two steps back

A Republican bill was introduced in the House of Representatives this week (ref: ), similar to the cleverly-named but ill-conceived SECURE IT bill GOP Senators introduced last month. A major difference between this bill and the Lieberman-Collins bill (as well as the Langevin bill before that) is that SECURE IT would not give DHS the power to require that critical computer systems meet minimum security standards. That's idiotic, full stop.

Instead, this bill would encourage the private sector and managers of critical infrastructure to willingly offer security information to the federal government... and the authors of the bill actually think this will work. What kind of fairy tale do they live in? Or maybe they're just well medicated -- either way, they're out of their minds.

I'd love to see a poll of Americans that asks whether or not they'd like some kind of minimum security standards to be put on things like our power grid, nuclear plants, and the other industrial control systems that deliver the luxuries we take for granted, such as clean water, gasoline, electricity, natural gas, and easy communication over cell towers. Even better, how about regular checks to measure and verify they are meeting those MINIMUM SECURITY STANDARDS? Nah... who wants that. Let the private sector govern themselves when it comes to security. Just encourage them to share the fact that our critical infrastructure is woefully insecure.

Having worked in the IT and security industry for more than two decades has perhaps made me jaded; however, it has certainly made me aware of the threats and insecurities that exist in most IT systems and in virtually all of our critical infrastructure.

We have technology that can be applied to help plug the massive holes in our already-creaky cybersecurity dike. Better yet, we have the ability to define baseline security standards and expect the keepers of our critical infrastructure to meet them. Finally, the technology is available to regularly measure and verify compliance with those security standards -- quickly, efficiently, and at very little cost to the US people (a lot less than what we have now with useless paper audits that require a lot of staff). Why anyone would introduce a bill that doesn't take advantage of these advances escapes me.

Self-governance in this area has failed us, is failing us, and the GOP bill introduced this week is nothing more than the same hands-off approach that eventually will bite us in the arse. Let's hear what some others have to say about cyber security:

  • According to the FBI, "We're not winning the war with hackers" (ref: 'We're not winning' war with hackers, FBI official says)
  • "There is a huge future threat and there is a considerable current threat [from cyber attacks]," said Defense Secretary Robert Gates
  • "The next Pearl Harbor could very well be a cyber attack," said CIA Director Leon Panetta
  • Check out the March 2012 60 Minutes piece where Steve Kroft took a look at Stuxnet, the computer worm that attacked Iran's nuclear program.

So tell me:

  1. Are you still comfortable with complete self-governance for our critical infrastructure?
  2. Would you like to see some kind of minimum security standard set for the industrial control systems behind our energy grid, nuclear plants, water, and other core services?

On a final note, security can't be opt-in. Everyone needs some kind of minimum standards and process guidelines, whether it's critical infrastructure or software developers. Standards, education, and regular assessments will help drive any type of security program, so let's be sure to include them.