The US President’s Proposal for Cyber Security Information Sharing Legislation


Yesterday’s blog entry talked about the US President’s call for legislation that would enable private industry and the Government to share more information about certain cybersecurity events.

Today’s entry analyzes the proposal and attempts to clarify some of its language. The original text below is taken from the Whitehouse.gov website.


CYBERSECURITY INFORMATION SHARING LEGISLATION

Sec. 101. Purpose.

This section states that the purpose of the legislation is to codify mechanisms for enabling cybersecurity information sharing between private and government entities, as well as among private entities, to better protect information systems and more effectively respond to cybersecurity incidents.

Comment: There are actually two different targets here. The first is to allow private industry to share with the government (more on this later); the second is to allow sharing among private industry itself, including trade associations, competitors, and others.


Sec. 102. Definitions.

This section sets forth relevant definitions, including “cyber threat,” “Federal entity,” “malicious cyber command and control,” “malicious reconnaissance,” “operational control,” “technical control,” and “technical vulnerability,” among others.

The proposal defines “cyber threat indicator” as “information—

A) that is necessary to indicate, describe or identify —

  1. malicious reconnaissance, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat;
  2. a method of defeating a technical or operational control;
  3. a technical vulnerability;
  4. a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system inadvertently to enable the defeat of a technical control or an operational control;
  5. malicious cyber command and control;
  6. any combination of (1)-(5).

B) from which reasonable efforts have been made to remove information that can be used to identify specific persons reasonably believed to be unrelated to the cyber threat.”

Comment: This is the standard ‘definitions’ section that most bills nowadays must have. However, please note the following:

  1. Included is ‘malicious reconnaissance’. This is a term of art that implies discretion in guessing the ‘intent’ of network traffic. In my experience, this could be a ‘slippery slope’, especially when used together with the word ‘government’ in the same bill.
  2. The second point, ‘defeating…a control’, is a major ‘slippery slope’. Would people who root Android phones be reported? What about people who download movies from YouTube? I believe that this clause has to be substantially honed.
  3. Point number 4 I also find worrisome. The word ‘inadvertently’, together with the concepts below, would create a whole lot of notifications about people who ‘inadvertently’ allowed the defeat of controls and who would still get reported to the US Government. Not a good place to be.


More on my analysis of the Proposed Legislation tomorrow.


US President Obama calls for stronger Cyber Security laws

Today, US President Obama called for stronger Cyber Security laws. It is interesting to note that the theme used today emphasizes an action I called for in my paper (and later blog entry) ‘A Strategy To Secure The Federal Cyberspace’ … back in 2009.

The call by the President stated:

…Yet, there are core challenges that remain in our work to strengthen America’s cybersecurity:

The problem is that government and the private sector are still not always working as closely together as we should. Sometimes it’s still too hard for government to share threat information with companies. Sometimes it’s still too hard for companies to share information about cyber threats with the government. There are legal issues involved and liability issues. Sometimes, companies are reluctant to reveal their vulnerabilities or admit publicly that they have been hacked. At the same time, the American people have a legitimate interest in making sure that government is not potentially abusing information that it’s received from the private sector.

In my original work, I stated in the opening paragraphs:

…that the leadership to form and coordinate the right combination of public and private partnership and a sense of common mission are essential to the task.

In fact, much of my call focused on the specific nature that such common mission must take:

One point that I would like to make clear: Government- Private sector cooperation will have to be a two-way street. The government must lead and contribute, and the private sector must respond in kind. ..

Today, various factors, which include privacy concerns, potential liabilities, the rights of discovery, and even US anti-collusion laws, hamper the possibility of functional and efficient Government-Private Sector collaboration. This is exactly the reason why Congress must act to shield certain types of action and protect the participants.

In 2009 I recommended this cooperation as one of the three major tenets of my paper. I further broke it down into two specific action items, the second of which, Task 7, is today’s call from the President:

Task 6: Create an Official advisory board of industry and government luminaries to advise the Chief Information Security Officer in his or her duties.

and

Task 7: Recommend legislative changes, where needed, to allow utilization of public capabilities to test and enhance defenses of sensitive industries.


I think we may be on the right track :)