New Bill Would Put DHS In Charge of 'Critical' Private Networks 193
GovTechGuy writes "A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure. Such firms include utilities, communications providers and financial institutions."
It feels like (Score:5, Informative)
a deaf man telling others how to sing [informationweek.com]. Maybe they should get their act together before giving lessons...
Re:What is the determination? (Score:5, Informative)
Re:Competence (Score:1, Informative)
as i just started working for the dhs as a contractor looking from the outside in, and i couldn't agree with you more.....
"Enforce Standards" != "In Charge Of" (Score:3, Informative)
DHS has been given authority to ensure critical networks are up to federal security standards. Apart from the discussion of if this will be useful, this does not, in any way, put them "In Charge" of the networks.
Re:Not necessarily monoculture (Score:5, Informative)
I have been involved in government IT security for many years now as an employee of a government contractor often hired to perform various parts of the government security process. One of the biggest problems with the government security "standards" and "processes" in place now is that there is practically no cost feedback to the controls. The policies all say that the cost of the controls should be commensurate with the value of the system being protected, but many of the security "approvers" demand gold-plated security, and are often opposed to signing off on anything less. (Hey - you can't be held responsible for a security problem in a system you approved if you simply never approve any systems.) There are numerous government systems operating either "unauthorized" or under "temporary waivers" (for years and years) because the security folks wouldn't sign off the controls.
These problems are with the government policing the government. I can't imagine it would be any different when they are enforcing the standards on commercial companies. Although private enterprises can and do go underboard with security, government monitors are almost certain to go overboard. I have some (but limited) experience reviewing IT security for commercial entities (financial services firms, oil and gas firms, pharmaceuticals) and they often "get" most of what needs to be done... with a few lapses (like connecting SCADA networks to the regular corporate network, which is also connected to the Internet).
If the approach is to have a few *simple* rules (like networks over which critical infrastructure communicates must be isolated from corporate networks that are attached to the Internet), then I think some government oversight wouldn't be bad. But if the approach is to require private enterprise to demonstrate compliance with full-blown government IT security C&A with the government doing the certification, I would predict drastic increases in costs, without necessarily dramatically increasing actual security.
DHS not NSA... umm NO (Score:2, Informative)
I worked in the security industry for many years and we had contracts with a number of government departments, major ISPs, and enterprise businesses. Our talks with the DHS ended when they suggested making a Windows-based version of our Linux-based network security server. The conversation went something like this:
Us: "Sure we could do it, but it would cost more, be slower, and have poorer performance because we wouldn't be able to modify the OS directly to support what we need. You'd need a significant number more machines to do the same task, each machine would cost more, and the project would be delayed at least a year while we developed it and went through the security certification process again. Additionally, the security would be weaker and these should be high security systems as they have access to all the traffic running through your network and are already managing the traffic."
DHS Security Guy: "I think that's the way we want to go."
Us: "Do you mind if we ask why?"
DHS Security Guy: "I don't like managing non-Windows systems."
Maybe things have changed over there in the last few years but... dear god! They were some of the most incompetent Microsoft loving fuckwits ever. We had a contract with Microsoft at the time and they were cool with our Linux based solution and were even considering installing custom Linux systems of their own design to supplement the limitations of their Juniper routers with regard to network traffic management and security.
Follow the money (Score:3, Informative)
How would this benefit Rep. Thompson's campaign & PAC funding? "Defense Electronics" firms are the #3 contributor to his campaign & leadership PAC for 2009-2010. "Computers/Internet" were #3 for the 2008 campaign.
http://www.opensecrets.org/politicians/summary.php?cid=N00003288 [opensecrets.org]
Re:What's the alternative (Score:3, Informative)
Not to straw man your other arguments, but the FAA has managed to keep people alive at an unprecedented rate. Considering the aviation disasters that befall less regulated nations on a regular basis (and even other transportation methods in our own nation,) I would have to politely decline the notion that the FAA is overstepping it's bounds. As someone who has put on a lot of miles in the air, I prefer to take my planes well regulated and safe, as opposed to innovative and in a crater.
Re:Not necessarily monoculture (Score:2, Informative)
But if the approach is to require private enterprise to demonstrate compliance with full-blown government IT security C&A with the government doing the certification
The government C&A approach should be enough for anyone in the know to run screaming from this. It basically amounts to a massive enumeration and mapping of the entire network, performed on an unrealistic schedule by people who don't necessarily know what they are looking for, then the autogeneration of mountains of paperwork based on the mapping, followed by a signature by a CEO type that basically says he is criminally liable for any security breaches henceforth. When we did this process my work site several years back, we actually wheeled in three carts carrying 6 file boxes each filled with the paperwork that the certifying authority was being asked to sign. The worst part? Aside from verifying that all systems were patched to approved levels, I can't say what kind of security that process guaranteed.
Now imagine the private sector doing this for a government authority. IRS anyone?