Legislation a good first step to cybersecurity leadership

A year can make a big difference in technology – and in politics. A year ago, the federal government was failing badly at establishing a leadership position in cybersecurity. Interim cybersecurity czar Melissa Hathaway had resigned amid delays to appoint a full-time federal director. The politicians were thinking about anything but the defense of our nation's computing infrastructure. And the attacks kept rolling in.
Fortunately, things for the good guys have improved. We've got a veteran in Howard Schmidt firmly established in the federal cybersecurity leadership role. And, more importantly, the legislators are working hard to give him and other security leaders within the government enough authority, tools and cash to actually make a difference in the fight for digital ground.
I've long been an advocate of establishing cybersecurity laws that have teeth and authority to prevent and deter attacks to our infrastructure. I believe that the drafts that we're seeing of Sen. Joe Lieberman's Protecting Cyberspace as a National Asset Act of 2010 are a good first effort from legislators in order to do that.

The law provides guidance and authority to establish a cabinet level position in cybersecurity with authority, staff and budget to carry out important security initiatives. And it also provides considerable prescriptive guidance in the way the government deals with known infected computers that are perpetuating attacks against national infrastructure.

I especially find the first point extremely refreshing. The fact that at the executive level we are going to provide accountability for both success and failure of different federal agencies in regard to whether or not they achieve security is encouraging. The bill is quite specific – when agencies don't achieve security requirements, their leaders are subject to loss of bonuses and loss of incentive pay.
What I also find particularly interesting about this bill is that it prescribes a modality of federal operations I've never seen before. If a federal agency is incapable of achieving its security requirements, it could go back to the executive-level leader and request more money, allowing out-of-band requests for funds necessary to handle critical security requirements.
Also encouraging, particularly for security researchers on the hunt for vulnerabilities, is the fact that it offers a way for commercial and government agency employees to report any kind of security flaws to the national cybersecurity office without any personal risk. This whistleblower clause could go a long way toward speeding up the cycle of disclosure.
What could really jeopardize this bill, however, is the question of liability. I am a firm believer in the principles behind the hotly debated "kill switch" authority that this potential law would grant the executive branch. I think it is very important to have the ability to kill attacks at their source.
However, the bill is currently fuzzy about liability and culpability concerns when things go wrong after an infected machine is killed. The horror story that I believe the drafters of the legislation are facing is that today, most medical instruments are PCs with embedded operating systems and connectivity to the internet for monitoring and health care administrative purposes. If one of these devices is compromised, but is still depended upon to keep patients alive, and the government gives someone the authority to switch off that machine at the peril of a patient, we're going to have problems. It is something that the politicians are justifiably frightened about.
Unfortunately, at the moment, the current version of the bill transfers liability to the person who kills the machine if the machine has some other purpose. Not only is this true in the case of protecting life and limb, but also in protecting business interests. If a business person is running a restaurant depending on a certain machine to transact all of his business and that machine just so happens to be infected and subsequently killed, that person has the right to sue for loss of business.
This is going to put a serious damper on the execution of the kill switch powers as they were meant to be carried out. While there certainly needs to be some level of caution in the bill in regards to these two scenarios, I believe the liability and culpability aspects of this bill are still crude. I'm not quite sure what the answer is, but I do believe that the lawsuit lawyers around the country are licking their chops in anticipation of the bill in its current incarnation being passed into law. In order to keep their litigious urges at bay, we need to think carefully about how these issues are written up within the bill.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.