After three years of haggling to produce bipartisan cybersecurity legislation that addresses the security of the nation’s critical infrastructure systems, the Senate finally got a bill this week that seemed destined to actually pass.
That is, until a hearing on Thursday to discuss the bill in which Sen. John McCain (R-Arizona) sideswiped lawmakers behind the proposed legislation and announced that he, and seven other Senate ranking members, were opposed to the bill and would be introducing a competing bill in two weeks to address failings they see in the legislation.
McCain and his colleagues oppose the current bill on the grounds that it would give the Department of Homeland Security regulatory authority over private businesses that own and operate critical infrastructure systems and that it doesn’t grant the National Security Agency, a branch of the Defense Department, any authority to monitor networks in real-time to thwart cyberattacks.
The bill neglects to give authority “to the only institutions currently capable of [protecting the homeland], U.S. Cybercommand and the National Security Agency (NSA),” McCain said in a written statement presented at the hearing. “According to [General Keith Alexander, the Commander of U.S. Cybercommand and the Director of the NSA] in order to stop a cyber attack you have to see it in real time, and you have to have those authorities…. This legislation does nothing to address this significant concern and I question why we have yet to have a serious discussion about who is best suited to protect our country from this threat we all agree is very real and growing.”
The current cybersecurity bill proposes to do what nothing else has succeeded in doing to date – that is, improve the security of critical infrastructure systems. It would do this by giving the government regulatory power over companies that operate such systems to force them to do due diligence.
Sen. Joe Lieberman (I-Conn.) introduced the legislation on Tuesday along with Sen. Susan Collins (R-Maine) and Sen. Jay Rockefeller (D-W.Va.).
The Cybersecurity Act of 2012 (.pdf) requires the government to assess which sectors of critical infrastructure pose the greatest immediate risk and gives the Department of Homeland Security regulatory authority over the private companies that control designated critical infrastructure systems — such as telecommunications networks and electric grids and any other network “whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life.”
The bill keeps the authority for critical infrastructure security oversight in the hands of DHS, a civilian agency, as opposed to McCain’s preference for the NSA, which protects the military’s networks and the government’s classified networks.
But Homeland Security head Janet Napolitano testified in support of enhanced authority for DHS, noting that the government’s expanding efforts in this area include a 2013 budget request of a whopping $769 million for cybersecurity efforts – 74 percent higher than 2012’s budget request.
The legislation would require owners and operators of critical infrastructure to meet security standards established by the National Institute of Standards and Technology, the National Security Agency and other designated entities, or face unspecified civil penalties. Critical infrastructure entities would be allowed to determine how best to meet the standards based on the nature of their business sector, but they would be required to certify annually that they do meet them.
The bill would protect entities that adhere to the standards from being sued in civil court for punitive damages should they experience a cyber-attack, though the bill says nothing about protecting them from suits for actual damages.
Critical infrastructure owners and operators can “self-certify” that they are compliant or obtain an audit from a third-party, similar to the way that companies that process credit and debit card payments currently obtain third-party audits certifying that they adhere to standards set by the payment card industry.
This raises questions, however, about how effective such certifications will be for securing critical infrastructure.
Certifications in the payment card industry have been widely criticized as ineffective, since the third-party auditors who certify systems against a checklist of requirements are paid by the companies they assess and have an incentive to pass a system for fear of not being invited back to conduct subsequent assessments. A number of the most high-profile and expensive credit card data breaches have occurred at companies that were certified compliant at the time they were breached, highlighting the unreliability of such measurements.
Chris Wysopal, chief technology officer for computer security firm VeraCode, expressed doubts that the proposed legislation would improve security unless it included some tangible way to verify that the standards, as implemented by companies, are actually tested to ensure that they secure critical facilities.
“There has to be some reality-based testing of whether the stuff is actually effective,” Wysopal told Wired. “That’s what the U.S. government does when they want real assurance – they have a Red Team at the NSA test to see if what they’re doing is really working.”
He suggested the government might take a random sampling of critical infrastructure companies each year to conduct penetration tests to verify that the standards – and the ways that companies are implementing them – are doing what they’re meant to do.
Wysopal also says that for the standards to be effective they have to be re-assessed each year and altered to adapt to new threats.
“We’re dealing with a very evolving tech landscape and threat landscape,” he said. “Attackers change their attacks all the time, and anything that’s a standard has to be a totally living standard that people realize they will have to re-address each year.”