There are several cybersecurity policy issues on Capitol Hill that are worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cybersecurity professionals.
As reported by The Hill newspaper, Senators Orrin Hatch (R-Utah) and Kirsten Gillibrand (D-NY) have introduced The International Cybercrime Reporting and Cooperation Act, a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders.
According to The Hill, the measure would:
“…charge the White House with the responsibility of identifying countries that pose cyber threats, which the president would have to present to Congress in an annual report. Those states would then have to develop plans of action to combat cybercrimes or risk cuts to their U.S. export dollars, foreign-direct investment funds and trade assistance grants, the lawmakers explained.”
This is a nice – if hard to measure and enforce – idea. I have often argued that it is remarkable that the United States includes measures to cut down on software piracy in its trade policies with other nations, and yet it does nothing to mandate more action on cybercrime. I applaud this effort, but if lawmakers are really serious about cracking down on places that appear overly tolerant of cybercrime activity, perhaps they should start by looking a little closer to home.
In other news, one of the world’s largest and oldest educational and scientific computing groups says it is “deeply troubled” by mandatory training provisions included in The Cybersecurity Act, a bill proposed by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). The bill is aimed at protecting critical U.S. network infrastructure against cybersecurity threats, but it includes language making it illegal for anyone to offer cybersecurity services to any federal agency or system without being certified and licensed as such under a program to be determined by the Commerce Department.
In a letter sent to the lawmakers this week, the U.S. Association for Computing Machinery and the Computing Research Association said the measure emphasizes training in narrow techniques rather than an education in holistic systems design. The group charged that, as written, the bill would…
“…require a complex, untested, and mandatory certification regime for public and private employers almost immediately after a National Academies study is conducted to determine — and it has not yet been determined — whether such a program would even be feasible. It is premature to mandate the creation of a massive new certification program without the benefit of a careful, deliberate Academies study that examines both the feasibility and side effects of any such program.”
Gene Spafford, a professor of computer science at Purdue University and one of the signatories to the letter, said the certification requirements as spelled out in the bill would have far-reaching implications for the way colleges and universities teach security across the country.
“Microsoft has invested more than a billion dollars in producing much better security; look at how often they find flaws in their stuff. Google is known for hiring the brightest people and being very concerned about security, and look at what happened in China,” Spafford told Krebs on Security. “So, setting a regime to require that everybody be certified in something we don’t know how to do and is changing almost monthly is a dangerous approach. It’s not only costly, but it’s dangerous in the sense that you will have groups setting certification standards based on what they teach, not on what is likely good practice.”
Spafford said the requirements would undoubtedly be a boon to companies that offer training courses, but that his organization has seen no evidence that a group of people with any particular certification produces better computer code.
“Given that a lot of code in use right now is produced offshore, that’s where some of the international aspects come in,” he said. “So trying to require certifications seems like a good idea on the surface, but we’ve discussed [this] in several ways for many years, and our conclusion is we’re just not ready yet.”
Alan Paller, director of research for the SANS Institute, an organization that offers security training and certification, compared the market for today’s software and network engineers to the early 1900s, before physicians had to be licensed.
“The country didn’t like the fact that doctors could teach anything they wanted and that people had no idea what they were getting in a doctor,” Paller said. “In 1915, they set up a national board of medical examiners that said schools can teach anything they want but graduates have to show they can practice these methods in medicine, and the states said if you don’t have a medical degree you can’t practice medicine. It’s kind of the same situation with computers now: Most of the people who say they know security don’t have a clue. They don’t know the best practices, heck, they don’t even know what TCP is. Security experts need to have the skills it takes to harden systems and make them harder to break into, and to protect systems with monitoring and do system forensics. [Technicians need to] have the common basics, and then some specializations. It’s foolish for academics to claim that there is no standard, because that’s exactly what they said in medicine 100 years ago, and they killed a lot of people.”
Got strong opinions about these and/or other cybersecurity policy proceedings? Sound off in the comments below.
Updated, Mar. 25, 9:25 a.m. ET, to include comment from Paller.