Earlier this month, the Wall Street Journal reported that Gen. Keith Alexander, head of the new US Cyber Command, was backing talks with Russia “over a proposal to limit military attacks in cyberspace, representing a significant shift in US policy.”
And just last week, the Associated Press reported that President Obama sat down with Russian President Dmitry Medvedev, claiming to have “succeeded in resetting the relationship between the former Cold War adversaries that had dipped to a dangerous low in recent years.”
But today, as news continues to trickle in on the FBI’s Sunday investigation and arrest of [now 11] Russian spies living in Yonkers, Boston and northern Virginia, it appears that the US may need to reexamine its relationship with the ‘Bear’ in the room.
According to the New York Times, living in the States for more than a decade, the deemed “espionage ring” was collecting information on the CIA, US intelligence, nuclear weapons, US ties to Iran and, all the while, recruiting new members into its group.
There are “five critical flaws” in the Lieberman-Collins-Carper cybersecurity legislation. That’s according to Jeffrey Carr, who, in an article in Forbes today, said the bill, which passed in the Senate Homeland Security and Governmental Affairs Committee last week, should have us “very concerned.”
According to Carr, a cyber intelligence consultant for the US government, the bill: puts the power grid in the private sectors’ hands, leaving it vulnerable to an attack; provides the President with cyber authority after an attack occurs, in lieu of being proactive; provides specific power to the US-CERT, which was recently criticized for its lack of
manpower and authority; enables energy companies to report, on their own time, if/when they have been attacked, further delaying government response and repair; and fails to examine all potential sources, internally and internationally, capable of attacking the US.
The solution? Another cybersecurity bill…
Though it may not be the right answer, Republican Senators Kit Bond and Orrin Hatch have introduced new legislation, the National Cyber Infrastructure Protection Act of 2010.
In a letter to the editor this morning in the Washington Post, Philip Reitinger, deputy undersecretary for national protection and programs at the Department of Homeland Security, pointed out that “Cybersecurity has come a long way since September 11.”
Reitinger’s comments come as rebuttal to DHS Inspector General Richard Skinner’s announcement last week that the Department was experiencing shortfalls in the cybersecurity office, the US-CERT.
While Reitinger may be right that the US has made cybersecurity strides over the past nine years, it seems cybersecurity has also picked up momentum over the past few days.
According to The Hill, the Senate Committee on Homeland Security and Governmental Affairs yesterday moved to approve Sens. Lieberman, Collins and Carper’s comprehensive cybersecurity bill, The Protecting Cyberspace as a National Asset Act. That is, after the much debated “kill switch” portion of the bill was amended “to limit the president’s authority in the event of a cyber emergency.”
Information Week is reporting this afternoon that Senate Majority Leader Harry Reid announced the chamber’s plan to combine several cybersecurity measures currently floating around the floor.
According to the article, Eric Hopkins, federal financial management subcommittee staffer of the Senate Homeland Security and Government Affairs Committee, suggested, “By working together, we can put something together that will be solid and hopefully won’t require too much debate.”
The Information Week article goes on to acknowledge that the Senate homeland security committee bill co-sponsored by Sens. Lieberman, Collins and Carper, as well as the Senate commerce committee bill of Sens. Rockefeller and Snowe are “the two most prominent and comprehensive bills currently circulating.”
Meanwhile, cybersecurity continues to pick up steam, with the Washington Post reporting that the White House Office of Science and Technology announced its plan to sponsor major federal cybersecurity research. According to Dawn Meyerriecks, deputy director of national intelligence for acquisition and technology, “The government’s about to spend multiple billions of dollars.”
Over the past few weeks, we’ve been closely following new cybersecurity legislation introduced by Sens. Lieberman, Collins and Carper, a 197-page bill that, among other things, would provide the President with the emergency authority to shut down the nation’s Internet connectivity in the event of a major cyber attack on the United States.
Deemed an Internet “kill switch,” the bill’s suggested presidential power has made its way into the limelight as government types, tech execs, privacy wonks and the media alike are all debating the idea of a cyber shutdown and whether or not some sort of ‘blockading button’ could actually exist to carry out the kill.
CNET reports that “Industry and civil liberties groups have worried about the ability to shut down parts of the Internet and raised concerns about ‘the potential for absolute power.’”
According to the Huffington Post, other groups, such as the leading technology trade association, TechAmerica, are also criticizing the bill, warning of the possible power trip and “expressing reservations about the ‘unintended consequences’ that would result from the legislation’s regulatory approach.”
Meanwhile, an article in Time magazine reports that “Other countries are also decrying the bill, fearing the impact on their own security if the US were to shut down essential parts of the Internet.”
Keeping other countries in mind, let’s rewind to July 4, 2009. Independence Day in the United States…
North Korea’s leader, Kim Jong-il, had just appointed his Number Three Son, Kim Jong-un to be his successor. And – in what is believed to be the country’s attempt to prove to the world that Jong-un’s power paraelleled his father’s – North Korea launched a series of Distributed Denial of Service (DDOS) cyber attacks on US and South Korean government and corporate websites.
Yesterday Cybersecurity News reported that DHS Inspector General Richard Skinner was expected to announce the US Computer Emergency Readiness Team (US-CERT), the Department’s cybersecurity unit, lacks the authority and manpower needed to protect the nation from cyber attacks.
Skinner’s announcement appears to have struck a nerve… at least in the media. This morning, headlines include: The Associated Press – “US lacks staff, power to protect networks.” CNN – “US vulnerable to cyber threats, experts warn.” The Hill – “Inspector General: DHS lacks authority, staff to protect federal networks.” Network World – “DHS has dropped the ball on network security.” Information Week – “Inspector General criticizes cybersecurity efforts.” And a Cybersecurity News personal favorite, from Wired’s Danger Room – “DHS geek squad: No power, no plan, lots of vacancies.”
And while the DHS staggers to find a solution to cybersecurity woes, it appears the Senate may already have one. A press release yesterday from the Senate Homeland Security and Government Affairs Committee reported: “House leaders announce support for Lieberman, Collins, Carper cybersecurity bill.”
According to the release, House Homeland Security Committee, Intelligence Subcommittee Chair Rep. Jane Harman (D-CA) and the Committee’s Ranking Member, Peter King (R-NY) will introduce the Senate cybersecurity legislation into the House by the end of the week.
Also covering the bill’s growing support, the National Journal said Rep. Harman believes “urgency is needed to address major gaps in the government’s efforts to protect federal IT systems and those that run critical private infrastructure, such as electrical grids and telecommunications systems.”
Meanwhile, an article in Politico this morning points out that several key points remain in the debate for ideal cyber legislation. One being that – Sens. Rockefeller (D-WV) and Snowe (R-ME) introduced a cybersecurity bill earlier this year, which unlike the Lieberman-Collins-Carper legislation, does not require Congressional approval for the President to make a decision in the event of an attack. The two bills are also divided on the link between private and public sector roles, as well as the idea of the President reigning supreme with an Internet “kill switch.”
The National Journal is reporting this morning that DHS Inspector General Richard Skinner will testify before Congress today to warn that a key government cybersecurity unit – The US Computer Emergency Readiness Team (US-CERT) – lacks the authority and expertise needed to protect federal information technology networks.
Skinner is scheduled to announce his findings at a hearing before the House Homeland Security Committee today, just one day after the Senate Homeland Security and Governmental Affairs Committee held a hearing for Sens. Lieberman, Collins and Carper’s cybersecurity legislation. Aware of Skinner’s report, the Senate trio used the findings to leverage support for their new bill, which calls for a complete overhaul of the government’s current handlings of our nation’s cybersecurity.
According to the National Journal, Philip Reitinger, DHS deputy undersecretary, said “The department is deploying a technology system called ‘Einstein’ to federal agencies to help detect and stop electronic attacks.” But Inspector General Skinner is prepared to note that several agency network upgrades are needed before Einstein can effectively be deployed.
Bottom line, Skinner plans to testify: “The US-CERT does not have the appropriate enforcement authority to ensure that agencies comply with mitigation guidance concerning threats and vulnerabilities.”