Thursday, May 19, 2011

White House has released a cybersecurity plan


The White House has released a cybersecurity plan; see “White House Cybersecurity Plan: What You Need To Know” (http://www.huffingtonpost.com/2011/05/12/white-houses-cybersecurity-plan_n_861382.html). Perhaps the administration is finally waking up to the need.
According to the press release: “Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority. When the President released his Cyberspace Policy Review almost two years ago, he declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” The Administration has since taken significant steps to better protect America against cyber threats. As part of that work, it has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated.”
There are a couple of key elements to the proposed legislation:
Protecting the American People
  1. National Data Breach Reporting. Proposal to help businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements. (I personally do not think we will have 1 national privacy policy anytime soon. States' rights!!)
  2. Penalties for Computer Criminals. Clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
Protecting our Nation’s Critical Infrastructure
  1. Voluntary Government Assistance to Industry, States, and Local Government. Proposal to enable DHS to quickly help a private-sector company, state, or local government in a breach.
  2. Voluntary Information Sharing with Industry, States, and Local Government. Proposal to help entities share information. (Sure, AT&T will share information with Sprint, and Bank of America will share information with the government.)
  3. Critical Infrastructure Cybersecurity Plans. Proposal to enable transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity. (That's way too vague.)
Protecting Federal Government Computers and Networks
  1. Management. Update the Federal Information Security Management Act (FISMA) and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks. (They definitely need this now!)
  2. Personnel. Recruit and retain highly-qualified cybersecurity professionals. (With reduced funding for education, we will probably have to recruit from China)
  3. Intrusion Prevention Systems. Implement better IDS systems. (Imagine having to read all the log files from all the government agencies, need to outsource this effort)
  4. Data Centers. Embrace Cloud Computing. (If you use cloud computing, you will rely on Facebook for your security requirements?)
New Framework to Protect Individuals’ Privacy and Civil Liberties
The Administration does propose protecting civil liberties. Can the plan be any worse than everyone giving away all their information anyway on Facebook, Twitter, LinkedIn, etc.?

Gary Bahadur
www.kraasecurity.com