
Highlights from proposed cybersecurity bill

visible.frylock (965768) writes | about 5 years ago


This entry is in response to recent story about the tentative Cybersecurity Act of 2009 (PDF). Rather than having it buried below all the comments, I thought I'd just put it here.


There really is quite a bit in this, related to both freedom as well as more practical security aspects. It includes security standards, exploit definition languages, security professional licensing, DNSSEC, IANA, government software acquisition, and of course the President's shutdown authority which everyone has been commenting about. You should really read the bill for yourself.

NIST and security responsibilities (pg 17)

In section 6, NIST is given responsibility to develop security metrics, measuring the risk from a "prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities" (including embedded, or so they say). Section 6 goes on:

(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE
The Institute shall establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(5) STANDARD SOFTWARE CONFIGURATION
The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
(6) VULNERABILITY SPECIFICATION LANGUAGE
The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.
(7) NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE
(A) Protocol. The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks [......]

Licensing for security professionals contracting to the federal government (pg 21)

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL
Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING
Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

IANA (pg 22)

SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.
(a) IN GENERAL
No action by the Assistant Secretary of Commerce for Communications and Information after the date of enactment of this Act with respect to the renewal or modification of a contract related to the operation of the Internet Assigned Numbers Authority, shall be final until the Advisory Panel
(1) has reviewed the action;
(2) considered the commercial and national security implications of the action; and
(3) approved the action.
[......]

DNSSEC (pg 23)

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
(a) IN GENERAL
Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system.
[......]

PUBLIC-PRIVATE CLEARINGHOUSE (pg 39)

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.
(a) DESIGNATION
The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal government and private sector owned critical infrastructure information systems and networks.
(b) FUNCTIONS
The Secretary of Commerce
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;
[....]

President's authority (pg 43)

SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
The President
(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include

[....]

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;
[....]

(Non) Definition of critical infrastructure network (pg 50)

(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS
The term Federal government and United States critical infrastructure information systems and networks includes
(A) Federal Government information systems and networks; and
(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD (pg 49)

SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD.
(a) ESTABLISHMENT
There is established a Secure Products and Services Acquisitions Board. The Board shall be responsible for cybersecurity review and approval of high value products and services acquisition and, in coordination with the National Institute of Standards and Technology, for the establishment of appropriate standards for the validation of software to be acquired by the Federal government.
[.....]

2 comments

a fancy way... (1)

zogger (617870) | about 5 years ago | (#27454497)

..of saying all networks.

What do you think is the most onerous in all of this?

Re:a fancy way... (1)

visible.frylock (965768) | about 5 years ago | (#27454935)

Hard to tell. It depends on what, if anything, gets passed. The "state of emergency" part is definitely the obvious one.

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic ....

Shutdown OR LIMIT? Limit as in selective filtering?

2009: We want to filter to enhance our nation's e-security and stop illegal file sharing.

2010: We're filtering to prevent cyber-bullying, cyber-stalking, and to stop the flow of child pornography.

2011: We're filtering to foil the plans of terrorists* who hate us for our freedom. Did we mention we have evidence linking profits from piracy to known terrorists?

2012: Filtering? Of course we are! The Dept. of Commerce has always filtered the internet, ever since it was created in 1991. The filtering and surveillance program is an integral part of preserving e-law-and-order in our homeland. Frankly, we can't see why everyone's so upset about this.

But the non-obvious one to keep an eye on might be the "Clearinghouse" part. Will that eventually mean that someone from the executive branch can just walk in to your ISP and walk back out with whatever he wants? Without going to the trouble of splicing the fiber? This is termed a "Public-private clearinghouse". In my experience, when you hear about public-private partnerships, that means run away fast in the opposite direction.

* Something related to that line of thinking. You've probably seen the video circulating of Rahm Emanuel talking about prohibiting people on the no-fly list from buying firearms. Because, in his words, "If you're on that no-fly list, then you're not a part of the American family, and you don't have that right."

Since when did America become a family? Let's reserve that for Germany, Israel, and Japan, tyvm.

But if a known evil doer (no doubt a member of a shadowy terrorist cell, plotting to subvert our nation from within and turn us into a caliphate, and dress the Olsen twins in burkas) actually tried to buy a gun, wouldn't the fact that he was denied be an instant tipoff to him and his organization? You know, the exact opposite of professional counter-terrorism work?

Funny, almost as if the no-fly list and the idea of gun control based on the list have nothing at all to do with real terrorism. But that couldn't be right, surely the chief of staff wouldn't lie, would he? How do dead simple things like this just fly right over peoples' heads?
