Proposed Legislation to Assure Cyber Security

Secretary of Defense, Leon Panetta, the Director of the FBI, Robert Mueller and the Director of National Intelligence, James Clapper have each said that their top priorities now include cyber operations, that cyber threats are now the number one danger to the USA and that cyber threats pose a critical danger to national and economic security.

To deal with these dangers a proposed Senate bill, the Cyber Security Act of 2012, has been now launched. This Act was half a decade in the making. It was triggered by the urgency of rapidly rising cyber incidents, defined as any information-based corruption that could cause disruption of operations of the US economy. The purpose of the Act is to “…to enhance the security and resiliency of the cyber and communications infrastructure of the United States.” It concentrates cyber security oversight and control under the Secretary of Homeland Security (SoHS).

The proposed Act excludes national security systems operated by the Department of Defense and by any element of the intelligence community. The largest share of cyber-related Federal funds is thus eliminated. The Act also excludes commercial services that already provide cyber security protection and does not permit any Federal employee to regulate commercial information security products. Through exemptions SoHs may not require implementation of cyber protective measures even though universal Internet connectivity could use unprotected networks as a conduit for cyber infection. The Act has therefore limited applicability.

The proposed Act does not enhance security. It is like asking some from a ship’s crew to discuss what to do while the ship’s hull is filling with water.

The SoHS must consult with every operator who makes use of the US critical infrastructure. That includes everyone, because the entire economy now depends on the Internet. It calls for consultations with the Critical Infrastructure Partnership Advisory Council as well as with hundreds of existing Information Sharing Organizations. The SoHS must also set up coordination with the intelligence community, the Department of Defense, the National Security Agency, Department of Commerce, sector-specific agencies and with numerous of Federal agencies, including State and local governments, that have responsibility for dealing with cyber security measures. The Secretary of Homeland Security was given a coordination task that is well beyond the scope of anything previously attempted.

Within ninety days, the SoHS will assess all cyber security threats as well as vulnerabilities and risks. The Secretary will estimate the probability of catastrophic incidents to determine which sectors pose the greatest immediate danger. The purpose of the assessment will be to guide the allocation of Federal resources though how fund will be distributed has not been explained. Because almost every citizen now operates in the cyber space, the scope of this responsibility is greater than that of the Secretary of Defense.

The ninety-day assessment is not executable. It presumes the availability of a catalogue about the extent to which over half a billion of computers in the US are already corrupted. For example this would identify which of the over ten million “bots” are infected by software that can seize control of desktops, laptops, smart phones and servers to propagate malware, such as denial-of-service attacks or spyware that steals secure data files. A complete catalogue would also include the risks that are already in place within the operations of thousands of Information Systems Providers (ISPs).

SoHS would have to assess the risks and the vulnerabilities of 17,000+ networks, each with hundred thousands of uncontrollable points of access to the Internet. Over 4,000 commercial ISPs operate these networks, except that each is administering their own security procedures, which are not open to public inspection. Ultimately that would determine which one of these networks would be fixed to meet certifiable security requirements. Who would develop such standards is not spelled out in the Act. How the SoHS would acquire the capacity to evaluate the extent of vulnerabilities is not explained. Since all networks are interconnected through the Internet, it is not clear how anybody’s infections can be contained. What resources would be available to do an enormous new task is not known except that owners of the infrastructure will provide, annually, a report whether security measures have been effectively implemented.

The Act does not put into place new institutions or methods for at least one year. It does not include a budgeting process. Authority is centralized in the office of the SoHS while the direct accountability for managing the underlying security infrastructure is left to thousands of loosely defined groups but without a hint of a Congressional blue print how to proceed with the enforcement of cyber security. Each owner of a cyber networks can select and implement whatever cyber security measures are best suited.

For instance, the legislation addresses jurisdictional issues, such as the authority of the Department of Homeland Security. It creates the National Center for Cyber Security and Communications without a detailed charter. It delegates the responsibility to ten thousands of privately managed commercial networks or to hundreds of networks operated by government agencies. There is nothing in the legislation that defines the means for countering and then arresting cyber threats.

The Act amends the existing Federal Information Security Management Act (FISMA) to require each agency to develop an information technology acquisition strategy while permitting DHS to streamline reporting requirements and to reduce paperwork. How that can be done was left for DHS to work out except that the key issue – implementation – is not covered. For instance, the Act provides for DHS to operate consolidated intrusion detection, prevention, or other protective capabilities and to use countermeasures for the purpose of protecting agency information systems. How such costly facilities can be budgeted and set up, as a government service was not spelled out.

The ACT encourages agencies make informed decisions when purchasing IT products and services by soliciting best security practices in placing federal cyber contracts. However, it leaves to everyone develop cyber security technologies to fit their local conditions.

The Act calls for developing risk-based performance requirements, looking first to existing standards and to commercial best practices. If a sector is sufficiently secure, no new performance requirements are required. Each owner of a commercial cyber system would determine how to best meet the requirements and then to verify it. An owner could also choose to self-certify compliance with own criteria, though current regulators such as the Securities and Exchange Commission can offer their own security regulations as well as perform cyber oversight. Such provisions essentially de-fang efforts to put into place national cyber security solutions.

The problem with the proposed cyber security Act is found in its disregard of the sources of cyber flaws, which originate from the fundamental insecurity of the Internet through which all mal-ware propagates. The insecurity of the Internet is pervasive. It cannot be remedied by leaving the application of protective measures only in the hands of individual industry sectors or separate government agencies to be applied only whenever the Secretary of DHS finds an imminent danger to life or the economy.

The Internet is riddled with a capacity that makes it possible to manipulate the corruption of software by skilled perpetrators. The flaws in the Internet are persistent and cumulative and not temporary. The list of cyber flaws contains ten thousands of entries and apply equally to financial, manufacturing, utility or defense networks. This list changes every minute as attackers modify their software. For instance, network routers that pass on all traffic from one computer to another are vulnerable to promiscuous mode corruption; to router table attacks; to shortest path compromises; to border gateway flaws and to border gateway poisoning to name just a few named faults.

Network switches, that distribute all traffic, are vulnerable to known corruptions such as flooding attacks; address resolution spoofing; “Man-in-the-Middle” misrouting; denial of service; switch hijacking; spanning tree misdirection; forcing external root election and to VLAN hopping.
The Internet directories, which are set up in domain name servers, can be undermined by address starvation; attacks using rogue servers; bogus default gateways; malicious records; spoofing; flooding attacks; faulty responses to a server; buffer overflow attacks and denial of service attacks.
The entire global Internet is also a host to a vast population of malicious viruses, worms and Trojans. There are over 100 million such software scripts already residing on the Internet. Over three million new ones are added every month.

So far the individual cyber operators have defended against cyber infection with anti-virus software, firewalls and counter-intrusion appliances. The cost of such defenses runs in tens of billions because every operator must protect a network with stand-alone investments. If the objective of setting up cyber defenses is national in scope, this cannot be accomplished by dividing the defense in ways that follow existing patterns. The scope of the US national defenses in the cyber space must first start with dealing with the generic characteristics of the Internet. Only after suppressing global Internet flaws is it possible to deal with local protective measures. The hygiene of hospitals exists under the protective umbrella of the Center for Disease Control and Food and Drug Administration.

The pattern of defenses should follow many of the precedents, which have been already put in place by the health and food regulatory environment. Internet cannot be allowed to let infection propagate until there is a government-defined level of shared safety. The operators of cyber networks must first comply with national standards that can be validated through certification and audit by trusted commercial firms before sector operators can enhance their security needs.
 
The National Institute of Science and Technology in the Department of Commerce or in an institution specifically created in DHS are the organizations for developing and then guiding the required testing and certification. In the same way as Congress saw fit to fund the Centers for Disease Control, so should the Cyber Security Act include the creation of a central organization for identifying and tracking cyber threats. Congress has also organized the U.S. Food and Drug Administration with the mission of protecting health. A similar institution within DHS should have the capacity to evaluate and then to test networks that deliver secure services.

The proposed cyber security legislation creates excessively complex regulations that cannot be implemented. Making sure that cyber communications takes place only via government certified networks would simplify defenses. It will place emphasis on securing the generic Internet before proceeding with securing of dedicated uses.