Summer R & R
By user701213 on Sep 08, 2009
Many of us take summer vacations to indulge in some R&R. Usually, we mean "rest and relaxation" by the abbreviation. R&R can also mean "reading and reruns" for those of us of the couch potato persuasion. I've done a lot of reading this summer (more on that below) and on those evenings when I can't concentrate on a demanding book, I sack out in front of the couch and watch reruns (e.g., NCIS and Law and Order). I find I am much better at figuring out whodunnit if I already know who did it. Less mental effort, too.
There are other summer reruns materializing in Washington, in particular a revamped version of S. 773, the Cybersecurity Act of 2009 (aka the Snowe-Rockefeller Bill, after Senators Olympia Snowe (R-Maine) and Jay Rockefeller (D-WV)). First, the disclaimers: I've written a column for Oracle Magazine on this topic so I am stealing material from myself (otherwise known as "repurposing content"). Second, I always assume that members of Congress and their staff have the best of intentions when they draft a piece of legislation. So, no evil motives are assigned to them by me nor should be imputed. This disclaimer will be especially important when I explain why the Snowe-Rockefeller rerun is, despite good intentions, not an improvement from its original version.
I've reviewed a number of bills in my years working in cybersecurity and I have seen plenty that have become laws that best fit into the "what were they thinking?" category. I therefore offer a modest proposal: members of Congress should observe just four ironclad rules when drafting cybersecurity legislation, rules that would result in better, clearer and less ambiguous legislation, which is less subject to random interpretation and/or legal challenges (e.g., on Constitutional grounds). Here they are:
1) Set limits; don't overreach. Before writing a law, determine the problem(s) the bill is trying to solve, whether legislation will actually solve the problem(s), at what cost and with what "unintended consequences." Also, determine whether there is another remedy equally or more effective at less cost and/or reach.
2) Do no harm. The legislative remedy shouldn't kill the problem by maiming the patient.
3) Use precise language. Vague language will be misinterpreted or - worse - lead to people spending a lot of money without knowing if they are "there." In the case of cybersecurity, vague language means lawyers are more likely to be making the security decisions for companies. Worst of all are the "no auditor left behind" security bills for the amount of work they create and expenditure they require without materially improving security.
4) Uphold our current laws and values (e.g., the Constitution).
With that in mind, here are my thoughts on the Snowe-Rockefeller rerun.
First, the draft bill calls for certification of cybersecurity professionals; however, the term "cybersecurity professionals" is not defined. What, precisely does that term cover?
Someone who is a CISO? A CSO?
Someone who is a security architect?
Someone who applies patches, some of which are security patches?
Someone who configures any product (after all, some settings are security settings)?
Someone who installs AV software on mom and pop's home computer (gee, that could include their 9-year-old son Chad, the computer whiz)?
Someone who administers firewalls?
Someone who does forensic analysis?
What about software developers - after all, if their code is flawed, it may lead to security vulnerabilities that bypass security settings?
Does it mean security researchers? What about actual hackers? (It would be an interesting consequence of this bill if, in the future, someone isn't convicted for hacking (computer trespass) but is fined because (s)he does not have a CISHP (Certified Information Security Hacking Professional) certification.)
If you cannot tell based on the information in a bill to whom it applies and what "compliance" means, the likely beneficiaries are auditors, who were already given an industry boost courtesy of the Sarbanes Oxley Act, the gold standard of the "No Auditor Left Behind" bills I mentioned and the slayer of the US IPO market. More to the point, for all the money organizations could spend getting cybersecurity professional certifications for the people who don't do anything more in security than send out the "don't forget to change your password!" notices every 90 days, they could do more that actually improves security with the same funds. Getting certifications for people who don't need them crowds out more useful activity and thus could do actual harm. The lack of a clear definition in the draft bill alone runs afoul of my ironclad rules 1, 2 and 3 (and 4, as I will show later).
There is another problem with this provision: the potential for windfall profits by some (on top of not necessarily making the problem space better and possibly making it worse). Aside from product certifications (e.g., "so-and-so is a certified professional in administering product FOO"), which vendors administer, I believe that many "cyber-certification" bodies that exist now are for profit (meaning, such a bill is a mandate to spend money). The problem is made worse if the entities are effectively granted monopoly power over certifications.
To wit, a small aside here to bash ISC(2), or more correctly, a single individual within ISC(2). I and most of my team have received the new Certified Secure Software Lifecycle Professional (CSSLP) certification. I have to say, I didn't think it was that hard to get nor do you really have to demonstrate much actual expertise in development practice. The hard part of "secure software lifecycle" is doing it, not writing about it, taking exams about it, or the like. The next thing I know, I am getting a cold call from someone who I can only construe to be a sales rep for ISC(2) telling me why everybody in Oracle should take their CSSLP training classes and get the certification.
My response was what I outlined above: I did not see the value for the money. The hard part is doing secure development, not getting a CSSLP certification and anyway, for the amount of money we'd spend to do massive CSSLP training (and by the way, we actually do secure development so I don't see the need for ISC(2) training on top of what we already do in practice or the training we provide to developers), we could do more valuable things towards, oh, actually improving Oracle product security. I'd rather improve product security than line ISC(2)'s pockets. Customers would prefer I do that, too.
In response, I received what I can only construe as a "policy threat," which was Slimy Sales Guy saying that the Defense Department was going to start requiring CSSLPs as a condition of procurement so I needed to talk to him. (Gee, I bet ISC(2)'s lobbyists were busy.) My response was "hey, good to know, because that sounds like you've been handed a monopoly by DoD, which is inherently anticompetitive - who in the IT industry made you the arbiters of what constitutes 'secure development skill?'" I also said that I would work to oppose that provision - if it exists - on public policy grounds. ISC(2)'s certification wasn't broadly enough arrived at (full disclosure: I was asked about the utility of such a certification before ISC(2) developed it and I said I did not see the need for it). More to the point, you could get a CSSLP and still work for an organization that does not (technical, secure development terminology follows) give a rat's behind about actually building secure software so who the bleep cares?
I shouldn't single ISC(2) out in the sense that a lot of entities want to get legislation passed that allows them to get government-mandated money by, say, requiring someone to get their certification, or buy their product, or use their services.* If Slimy Sales Guy does not speak for ISC(2), my apologies to them, but I did not appreciate Oracle being "shaken down" as thanks for my team being an early adopter of CSSLP.
Back to the Snowe-Rockefeller rerun: it's bad enough that one out of every five people in the US has a licensing or certification requirement for his job** but if we are going to add one more requirement and license cybersecurity professionals, then at least figure out who "cybersecurity professionals" are, why we need to do that, how we will do it and constrain the problem.
The bill compounds the vague definition of "cybersecurity professional" by requiring that "3 years after the date of enactment of this Act, it shall be unlawful for an individual who is not certified under the program to represent himself or herself as a cybersecurity professional." Why does the federal government want to directly regulate cybersecurity professionals to a degree that arguably exceeds medical licensing, professional engineers' licensing, architects' licensing and so forth? Even in professions that have licensing requirements, there are state-by-state requirements that differ (e.g., California has more stringent licensing for structural engineers because there is a requirement for seismic design in CA that other, less earthquake-prone states do not have). Also, such a hands-on role for the federal government raises real constitutional concerns. Where in the Constitution is the Federal government's authority as the licensing and regulatory body for all cybersecurity? (See ironclad rule number 4.)
The draft bill also would allow the president to exert control over "critical infrastructure information systems and networks" in the event of a "national emergency" - including private networks - without defining what either of those things are, which would leave the discretion to the executive branch. I read this to mean the President would be able (in an "emergency") to exert authority over private networks based on whatever criteria he/she wants to use to declare them "critical." *** If "critical infrastructure information systems and networks" are so critical, why can't we define what they are before legislating them? Are those networks pertaining to:
Manufacturing? (What kind of manufacturing - someone's toy making control systems or are we talking about heavy industry?)
I have concerns - because I am a student of history - about giving anyone too much power in what we think is a good cause and watching that power turned against us. Vague terms combined with explicit presidential authority over these ill-defined terms can be a dangerous legislative formula.
There is also a provision that requires "...real time cybersecurity status and vulnerability information of all Federal Government information systems and networks managed by the Department of Commerce, including an inventory of such, vulnerabilities of such systems and networks, and corrective action plans for those vulnerabilities..." Of course, it makes sense for any owner of a network to know what's on their network and its state of "mission readiness," which in this context could include the state of its security configuration and whether security patches have been applied. However - and I made the same comment on the first draft bill - "vulnerabilities" is not defined and there is almost no such thing as "real time vulnerability information" if "vulnerability" includes defects in software that are not publicly known and for which no workaround or patch exists. Most vendors do not provide real time vulnerability information because there is nothing that increases the risk to customers like telling them of a vulnerability with no fix (or other threat mitigation) available.
"Everybody knows what we mean" is not good enough if cybersecurity is truly a national security problem, which it clearly is. At a minimum, for purposes of this bill, "vulnerability" should be explicitly defined as either a configuration weakness or a defect in software that has been publicly disclosed and for which a patch or other remediation exists. Otherwise, someone will construe this draft bill to require vendors to notify customers about security problems with no solutions as soon as they find the problems - real time, no less. Uh, no, not going to happen.
We do not need legislation or regulation for the sake of regulation, especially when it is not clear what and who is being "regulated" and what "compliance" means and at what cost. And, most importantly, I need to be convinced that the cost of regulation - the all in cost - is worth a clear benefit and that benefit could not be derived in a better or more economical or less draconian way. Most importantly, I want this bill - or any bill - to uphold our values and specifically the values enumerated in the Constitution. Good motives are not enough to create good public policy. I truly hope the next remake of Snowe-Rockefeller is worthy of its intentions, and advances our nation's cybersecurity posture.
* Here's mine: I would like a bill passed called the Hawaiian Language Preservation Act. As part of that act, I'd like to require musicians to (in addition to paying authors of works their royalties if the work is performed in public) obtain a certification that they pronounce the lyrics of the song correctly. You won't be able to perform in public (or at least, sing Hawaiian music) unless you have a Correct Hawaiian Lyrics Pronunciation (CHLP) certification. This is a bigger problem than you would think, according to my 'ukulele teacher, Saichi (who insists we pronounce the language correctly as we sing and "good on him"). Because I am a straight up gal, I won't even be greedy - I'll just require CHLP certification for anyone publicly performing any of the Rev. Dennis Kamakahi's songs (he's written about 400 or so songs, as far as I can tell he has never written a bad song, they are very popular and often played). Now, everybody will have to come to me to get a piece of paper that asserts they can pronounce "hāwanawana" correctly (it shows up in the second verse of Koke'e). See how easy that was? I figure I can use the proceeds of my CHLP certification program to buy a house in Honolulu (and improve everyone's Hawaiian pronunciation, too).
** Source: The Dirty Dozen, more about which below.
*** A colleague who reviewed this blog entry for me raised some even scarier concerns I thought were spot-on. Consider that some elements of our country have been at "heightened alert status" since 9/11/01 (e.g., air transportation). Some networks (e.g., DoD) are being probed daily so it's conceivable that a similar "heightened alert status" for cyber could be put in place in some sectors and left "on." Would the government be able to search any records, at any time, in a sector once a (semi-permanent) cyberalert exists? It's sometimes happened that a company that works with a law enforcement entity after a cyberincident is asked for "everything": logs, machines, access to people. Perhaps an experienced person knows how to ask for the minimum information needed to investigate an incident, but the law can't require that an "experienced, reasonable person with judgment" would be the enforcement mechanism. No company wants to face having to hand over all their data, their servers and their people because of an "alert." What would the government really accomplish if every company in that sector flooded them with records? Also, would companies receive some immunity or could data obtained under an "alert" be used for another purpose by the government?
Books of the Month
I have not blogged in a while so I am overloading the following section. I have been doing a lot of summer reading and it is hard to recommend just one book:
Huckleberry Finn by Mark Twain
Ernest Hemingway declared that "All modern American literature comes from one book by Mark Twain called Huckleberry Finn." It is a classic, and that is all the more reason to read it if you haven't already and reread it if you haven't read it in a while. It's ineffably sad and short-sighted that a lot of schools either don't have a copy or don't teach this book anymore due to the prevalence of the "n word" in the text. That is political correctness run amok, especially since Twain was an expert satirist and the most heroic character in the book is the runaway slave, Jim. If you think Twain condones slavery, you didn't read the book closely enough: no, not at all.
On Wings of Trust: The Quest of Pilot Carole Leigh by Maynard D. Poland
I am particularly partial to this book because it is about a friend of mine. No, she's more than that, she is a great friend of long standing (we were Navy buddies) and she was a pioneer - a P3 pilot in the Navy and then a commercial airline pilot. Carole is one of the highest integrity people I know and that shines throughout the book, never more so than in her dealing with scary emergencies in-flight - and in her not turning a blind eye when something Is Not Right. The highest compliment I could pay someone is that I would trust her with my life, and I would trust Carole with mine. It's a great (true) story about a great person.
A Moveable Feast: The Restored Edition by Ernest Hemingway
A Moveable Feast has been in print for some time (and is one of my favorite books by Hemingway), but this is a new version: since the book was published posthumously and there was no "definitive manuscript," it is hard in some sections to know what Hemingway intended to write. The expanded version gives in some cases an entirely different flavor: Hemingway comes across as much less - literary criticism term - "snotty" towards F. Scott Fitzgerald in this version. The book gives a real flavor both of Paris and the Lost Generation's place in it in the 1920s.
Baking Cakes in Kigali by Gaile Parkin
People who like the gentle humor of the No. 1 Ladies' Detective Agency will like this. People in Kigali come to Angel, an expert cake baker, to order cakes and as they do, they tell their stories. The book does not spare the real challenges faced in Rwanda - the devastation wrought by AIDS, for example, and yet it's a lovely, redemptive story.
The Blue Notebook by James Levine
This is the story of a young Indian girl sold into child prostitution despite which, her spirit prevails. It is a disturbing and tragic book - and yet, extremely moving, all the more so when you realize that the author is donating the US proceeds of the book to the Center for Missing and Exploited Children. A wonderful read.
The Dirty Dozen: How Twelve Supreme Court Cases Radically Expanded Government and Eroded Freedom by Robert A. Levy and William Mellor
This book analyzes the twelve worst decisions by the US Supreme Court and how they have affected our freedoms. You will need Maalox or a stiff gin and tonic after reading it. The concept of limited government envisioned by our founding fathers is not what we have now, and this book explains why. The erosion of freedom/expansion of government began for the most part under Franklin Roosevelt but there are some recent cases highlighted such as Kelo vs. New London, that upheld government abuse of eminent domain. At the time the book went to print DC vs. Heller (an important 2nd amendment case) had not been decided but it is mentioned in the book. I finished the book four days ago and I am still aghast at what I learned.
The Art of Racing in the Rain - by Garth Stein
I picked this up because someone recommended it to me and I was going to spend the day on planes and in the airport. After I opened it, I could not put it down, and when I finished it, I felt I had read something wondrous. The book is about the travails in a family, told from the dog's point of view. It sounds too strange to work, but it does work, and the character Enzo (the dog) is unforgettable. He puke kapu (a sacred book).