The 2011 National Defense Authorization Act: Another Setback for Cybersecurity
September 24th, 2011
The U.S. House of Representatives recently passed H.R. 6523, the latest version of the 2011 National Defense Authorization Act, which will next go to the Senate. This act, which is passed every fiscal year, defines the Department of Defense’s budget and spending level. The previous version of this bill contained several cybersecurity-related provisions such as establishing a White House Office of Cyberspace with a cyberspace director who would require Senate confirmation, requiring government agencies to perform continuous monitoring within their IT environments, and requiring software acquisition processes that would help assure that purchased software is secure. These provisions (as well as one that would remove the “no ask, no tell” policy concerning gays in the military) were deleted from the final version of the bill that the House passed because opponents of the bill argued that these riders were irrelevant to the national defense.
Would an Office of Cyberspace and a director confirmed by the Senate make a difference for the military? I honestly doubt it. Top-level military brass appear to make decisions based on their military experience and instincts more than on “voices in the wilderness” (such as some new cyberspace security director) telling them what they should do. The generals and admirals who call the shots in the military have my utmost respect, but they appear to have fallen prey to the same misconception that top-level management in the civilian world has, namely that information security is some kind of abstract entity, and that security-related incidents are neither really all that tangible nor all that costly. Besides, they say, “some really bad cybersecurity incident could never happen to me.” (Perhaps the ugly WikiLeaks fiasco is forcing some of the top brass to re-think their viewpoints.) But I am also confident that having any person within the government with a title that includes any word such as “cybersecurity” spells doom for that person. Face it, of all the individuals who took on the role of national security czar over the years, Richard Clarke has made the biggest positive impact. His title was “National Security Advisor,” not “National Cybersecurity Advisor” or something similar. The former title provides much more leverage: national security is something about which almost everyone is seriously concerned. The same cannot be said for cybersecurity, at least currently.
Another provision, the requirement to continuously monitor the IT arena, would have had a huge positive impact upon cybersecurity in government circles, including the defense arena. The myriad cybersecurity threats that seem to constantly surface in the government and defense arena dictate a much stronger operational security effort than is currently occurring. And, contrary to what the opponents of this provision had said, if government agencies and departments would boost their level of security, there would be fewer incidents that start in these agencies’ and departments’ networks and then spread to military networks.
Would requiring processes designed to assure that secure software is purchased within government circles have helped cybersecurity within the government? The answer is “of course,” but there is a catch. The Clinger-Cohen Act was passed for the same basic reason. Honestly, has Clinger-Cohen significantly improved the security of software that the government buys? A few individuals might think so, but I suspect that the majority would be skeptical. Little truly secure software is available for purchase. If it is difficult to find secure software, statutes designed to force agencies and departments to purchase this kind of software will have little impact.
So once again, despite the fact that every day enemies of the U.S. find ways to steal critical information from U.S. government and military computing systems, a setback for cybersecurity has occurred. And it is noteworthy that Congress has not passed any significant cybersecurity legislation in the last two years. The proverbial patient is bleeding badly while the doctors are standing around and focusing their attention elsewhere.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.