Guest editorial by Matthew Olney (Sourcefire)
So, you’re at the bar and across the room you see this incredible [insert whatever floats your boat here]. You spend an inappropriate amount of your time watching this person and your mind starts to fill in the details that the dark environment masks. Then they turn around, walk towards the bar and (finally!) walk into enough light that you can see what they look like. Your first thought…“KILL IT WITH FIRE!”
This is a lot how I felt as I read through the “Protecting Cyberspace as a National Asset Act of 2010” (pdf), a 199-page piece of legislation introduced by Senator Lieberman (I-CT) along with Senator Susan Collins (R-ME) and Senator Thomas Carper (D-DE). It’s worth noting, in reviewing the legislation, that Susan Collins and Joe Lieberman are the ranking members of the Senate Committee on Homeland Security and Governmental Affairs for their respective parties (with Joe Lieberman counting as a Democrat for the purposes of committees). This is an impressive, expansive and ambitious piece of legislation, completely reworking the Federal government’s management of cyber security issues. There are a lot of things in the bill that I think are necessary. Of course, as you’ve probably seen by this point, there are a couple of issues that, erm, have “opportunity for improvement.”
First up is the creation of the Office of Cyberspace Policy within the Office of the President. There is little in our world today that is as poorly managed, rapidly changing and outright dangerous as “cyberspace”. Having an apparatus at the level of the White House that manages these issues from a strategic point of view is important. It is this office that would be tasked with creating a “national strategy to increase the security and resiliency of cyberspace”. It is also the first place (page 9) you notice the incredible breadth of changes in the bill.
The Director of Cyberspace Policy is tasked with, to paraphrase, overseeing all policies and activities of the Federal Government across “all instruments of national power” to ensure the security and resiliency of cyberspace. The act specifically cites diplomatic, economic, military, intelligence, law enforcement and homeland security activities and also calls for the management of “offensive activities, defensive activities and other policies and activities necessary to ensure effective capabilities to operate in cyberspace”. So while it is organized for “Protecting Cyberspace,” the options available to ensure cyberspace stays available are…well, everything, including utilizing the NSA’s and Cyber Command’s offensive capabilities to keep the peace. This office operates at the highest executive level, and the capability of every tool available, even offensive ones, needs to be understood.
Next, the National Center for Cybersecurity and Communications. This is where a lot of the good work of this bill, in my opinion, happens. The most important of these is called out specifically as a duty of the Director of the NCCC: “sharing and integrating classified and unclassified information, including information relating to threats, vulnerabilities, traffic, trends, incidents and other anomalous activities.” This determination to improve Government/Private sector communication comes into play again in the section defining the responsibilities of the US CERT. The information isn’t limited to domestic sources either, with the bill specifically calling for the Secretary of Defense, the Director of National Intelligence, the Secretary of State and the Attorney General to develop “information sharing pilot programs with international partners of the United States.”
The communication thing is critically important. This game is hard enough without having as much information as possible to base your defensive posture on. One of the common complaints from the private sector (who run 80% of the “Critical Infrastructure” of the U.S.) is the difficulty in getting actionable information out of the Government. The recently released “High-Impact, Low-Frequency Event Risk to the North American Bulk Power System” report from the North American Electric Reliability Corporation calls out several times that “focus should be given to improving the timely dissemination of information concerning impending threats and specific vulnerabilities”, going on to say that “more effort is needed to appropriately de-classify information needed by the private sector”.
From the perspective of incident response, there is another important new service provided by the DHS. "The DHS will, at the request of critical infrastructure operators and provided the DHS has sufficient resources, to both assist the operator in complying with mandatory security and emergency measures" (yes, we’ll get to this…) as well as, through the US CERT “respond to assistance requests from…owners or operators of the national information infrastructure to…isolate, mitigate or remediate incidents”.
Now…you might have noticed that CERT is doing a lot of useful things from a central point for information to a cyber-guardian-angel ready to assist the most important components of the national information infrastructure in defending themselves from attack. But there are some strings that come with this. Those entities deemed to be “covered critical infrastructure” are required to report any cyber security issue that might indicate an actual or potential cyber vulnerability or exploitation of a cyber vulnerability. And the DHS gets to decide the procedures to enable that reporting. So if you’re a critical infrastructure operator…you are starting to get a little uncomfortable here, no matter how many disclaimers about the protection of information are placed into the bill.
Then you look at Section 248: “Cyber Vulnerabilities to Covered Critical Infrastructure”. Between this and Section 250: “Enforcement”, the DHS is granted near unlimited authority to deliver requirements to critical infrastructure providers on handling security threats. In short, DHS can deliver a mandate that a certain security issue be addressed, and a set of mitigations to be used. Now, in an exceptionally rare, well thought out approach to this mandate (and a shout out to Richard Clarke and the open-ended mandate crowd), the bill allows for the DHS to accept alternate mitigations provided by the operator if the DHS determines they are adequate. These requirements, as you can guess from the name of Section 250, come with a “civil penalty” if providers fail to address these issues.
My inner Libertarian gets pretty spooked when it comes to this kind of thing. But, to refer back to NERC’s HILF document, market forces seem to dictate doing the exact wrong thing when it comes to security:
“The increased use of IP networks for Supervisory Control and Data Acquisition (SCADA) and other operational control systems, in particular, creates potential vulnerabilities. Executives with SCADA/ICS responsibilities reported high levels of connections of those systems to IP networks including the Internet—even as they acknowledged that such connections create security issues.” --(pg31, NERC HILF, Cyber Vulnerability)
Since NERC hasn’t been able to fix this, and the Department of Energy and Federal Energy Regulatory Commission apparently are unable to deliver the regulations necessary to fix it, maybe this is the only way to address these issues. When you declare that an electric grid is a system “so vital to the United States that the incapacity or destruction of such…would have a debilitating impact on security, national economic security….” maybe you should keep the damn thing off the Internet. (I'm going to say this more than once, just so you know). It seems so obvious to every security professional I talk to and to NERC itself. Clearly they won’t self regulate here, so maybe this is the answer. (Note that I understand that this act targets “National Critical Information Infrastructure”, but the market and privacy concerns in the information infrastructure are 10 times worse, yet we haven't even addressed the "easy" (for some value of easy) case).
Then, finally, we get to the section that drives everyone nuts (you know, the kill-it-with-fire part). Section 249: National Cyber Emergencies. In short, the DHS has the authority, when the President declares a Cyber Emergency, to “develop and coordinate emergency measures or actions necessary to preserve the reliable operation and mitigate or remediate the consequences”. What this means is that in a “Cyber Emergency”, the DHS can do anything it feels necessary to the critical infrastructure systems of the U.S. and can mobilize the entirety of the Federal Government, provided the DHS does not “supersede the authority of the Secretary of Defense, the Attorney General or the Director of National Intelligence in responding to a national cyber emergency”.
Yeah, this is a good time to panic. I think we’ve amply demonstrated over the last decade that even when a President is restricted by law his actions can be…aggressive, and this essentially hands over to the executive branch the complete control of the nation’s critical infrastructure. It doesn’t matter that there are hoops to jump through; the authority and the broad power that this bill allows for are simply unacceptable. Further, we’ve absolutely avoided holding any high-level political figure accountable for his or her actions (did you just say Scooter Libby? Stop it…) as they relate to violations on the restriction of powers. We just don’t do it.
Also, I've never had a great deal of respect for anyone that comes to me in a panic about some issue when they've failed to do the things already in their power to address it themselves. There is already regulatory power vested in a number of Government entities, and they have failed to exercise that power (DOE, I'm looking at you) to mandate even the most basic of security practices (like not putting our power grid on the Internet). The list of "Critical Infrastructure" that relies on the Internet is simply unforgivable. If it's critical, get the damn thing off the Espionage Super-Highway. What I'm saying here is: don't come to me saying you need broad, unmitigated power to manage a situation because it is so horrible when you have failed utterly to mitigate and reduce the chance that that situation will actually come to fruition.
This clause is glass-house based rock throwing. When the Federal Government demonstrates that it can protect itself from cyber attack, when you can stop the terabytes of data flooding out of Government and defense contractors, when they show that this issue is so important that they are willing to deliver regulation NOW to these critically important organizations, when you've done everything you can to ensure that this power will never need to be used...then, and only then, is it appropriate to discuss this. Earn it, Senator Lieberman; show me that the Federal Government is willing to do more than just panic after the fact. (Hello 9/11, Katrina, BP).
All this and I didn’t even get to the part where the Director has “sole, unreviewable discretion” to decide how to address problems and deficiencies related to security issues in “national information infrastructure” or any infrastructure that is “owned, operated, controlled or licensed for use by, or on behalf of, the [DoD] or intelligence community”. Look….using terms like “sole, unreviewable discretion” just isn’t conducive to a trusting relationship between the public sector and the DHS. We’re already mad at you about the whole shoe thing anyways.
So here’s the deal, Sen. Lieberman. You’re on the right track here, concentrate on the following:
- Ensuring open communications channels between the private sector and the Federal Government.
- Ensure an aggressive declassification (within the limits of law and protecting sources, etc…) of threat information so that the private sector can be notified so they can modify their defensive posture.
- Build a coordination center that targets not just Federal to Private sector communication, but communications within an industry vertical with the ability to bring in both offensive and defensive experts to assist in mitigations.
- Provide an avenue for technical assistance to critical infrastructure organizations so that even organizations without a mature security posture can react in an agile manner to threats.
- If market forces don’t move critical infrastructure operators to do right, then fix it.
- Prove that you are willing to take the steps necessary to prevent incidents of this magnitude prior to them happening.
- Let’s revisit the “Incredible Cosmic Power” approach to incident response, even if it is scaled back to providing a list of recommended actions backed by an automatic exemption from civil liability if organizations act on them. But we cannot simply hand over the infrastructure to the Federal government.
Good luck, Joe. Unfortunately, you’re going to need it.
* Matthew Olney is a Research Engineer in the Sourcefire Vulnerability Research Team.