Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cybersecurity Legislation Components

Published: 2012-02-05
Last Updated: 2012-02-05 02:43:14 UTC
by Tony Carothers (Version: 1)
2 comment(s)

As many of us have seen in the media recently, the United States and other world governments are deeply entrenched in discussions over proposed cybersecurity legislation.  There are many different flavors of legislation currently being discussed by governments across the globe, of which I don’t intend to cover here.  In the US it appears the government has finally started to address cybersecurity issues that have been discussed in this forum for years. One piece of the legislation currently being discussed is a proposal sponsored by Rep. Dan Lungren (R-Calif.) is House Resolution 3674 - the Promoting and Enhancing Cybersecurity and Information Sharing Enhancement Act of 2011 or PrECISE.  The thrust of the bill is “to amend the current Homeland Security Act of 2002" which will give additional authority to the US Government in the national cybersecurity effort.


I want to highlight some of the ideas being presented in this bill and how they are going to be a huge win for the cyber security community.  These are just a few of the items being discussed, but these will pay huge dividends in the security effort.

The coordination and sharing of information between the civilian and government agencies is one of the topics some of the bills being considered address, and is a critical component in the cybersecurity effort.  As it is written in PrECISE SEC. 2. Sec.226 (2) “foster the development, in conjunction with other governmental entities and the private sector, of essential information security technologies and capabilities for protecting Federal systems and critical infrastructure information systems, including comprehensive protective capabilities and other technological solutions”.  Organizations that have previously developed implementation strategies for information systems have a leg up on organizations that have not.  The Black Hat community has excelled at this type of sharing, and has been an excellent vehicle for their efforts.   They are not impeded by corporate policy, federal guidelines, or other governing regulations. 

The silos of information that exist in the enterprise today have also led to silos of security information.  The production, collection, and correlation of that information is often difficult because different vendor technologies, implemented at different stages, lead to disparate systems.  PrECISE SEC. 2, Sec 226 Para. (3) states the need to “acquire, integrate, and facilitate the adoption of new cybersecurity technologies and practices in a technologically and vendor-neutral manner to keep pace with emerging terrorist and other cybersecurity threats”.  There are many great minds and methods to approach this, and the solution will not be easy.  It is a critical solution that needs to be addressed.

User awareness and education is critical for every aspect of information security.  With the increase of reliance on technology throughout, the importance of user education increases accordingly.  PrECISE SEC. 2, Sec 226 Para.(6) states “develop and lead a nationwide awareness and outreach effort to educate the public about--
-(A) the importance of cybersecurity and cyber ethics;
-(B) ways to promote cybersecurity best practices at home and in the workplace; and
-(C) training opportunities to support the development of an effective national cybersecurity workforce and educational paths to cybersecurity professions” 

User education and awareness training, coupled with the information sharing efforts mentioned in Para. (2) will go a long way towards improving the overall security of the information and systems we use every day.
 

I am excited to see the governments taking cybersecurity seriously, and hope the politicians can produce something that is useable and applicable to the world today.  The implementation of some of the ideas discussed in this bill will be a huge undertaking, and needs to be done.As a society we have moved beyond the point where cybersecurity is merely desirable by the people who rely on technology.  it is a fundamental need, and in some instances, desperately.

Tony Carothers

tony d0t carothers at g_mail

Keywords: Policy
2 comment(s)
Diary Archives