Is the Bush Administration Getting Serious About Information Security?

Of course, protecting government systems is just one part of what needs to be done to improve our nation's cyber security posture. With the vast majority of critical infrastructure systems — from power plants to financial institutions and telecommunications providers — located in the private sector, steps will also need to be taken to enhance the information security of those systems, organizations and networks.

A new national blue-ribbon commission has been established to identify a strategy and a set of recommendations for the next Administration to move ahead in securing cyberspace. The Commission on Cyber Security for the 44th Presidency is scheduled to complete its work by December 2008 and is being convened by the Center for Strategic and International Studies, a nonpartisan, nonprofit research organization headquartered in Washington, D.C.

As the Commission does its work, the U.S. Congress continues to do its own on improving our national cyber defenses and on critical infrastructure protection, with many oversight hearings on cyber security by the House Homeland Security Committee. I credit the House Homeland Security Committee, and its Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology in particular, for raising awareness and pushing for more focus and prioritization on these issues during the 110th Congress. I also think that DHS Assistant Secretary for Cybersecurity and Communications, Greg Garcia, has done a solid job during his first year as the Administration's "cyber czar" by focusing more attention on the issue within DHS. Specifically, he has helped increase national awareness, has improved coordination with private industry, and is beginning to position the U.S. CERT and the National Cyber Security Division to play an enhanced (and desperately needed) role in protecting federal networks. For more on Garcia's first year, see Brian Robinson's recent article in Federal Computer Week.

It's also important to note that while all the above activity (which is more focused on critical infrastructure protection and securing government systems) has been occurring, cyber-crime and identity theft are also receiving more attention. The President's Identity Theft Task Force issued a Strategic Plan for Combating Identity Theft earlier this year — and the U.S. Congress is considering several legislative measures to implement some of the Strategic Plan's recommendations that focus on cyber-crime. If you didn't see it, there was an excellent series by Ryan Blitstein this past week in the San Jose Mercury News about the complexities surrounding cyber-crime: the threats, the difficulties of finding the actual perpetrators, and the effective prosecution and penalization of the criminals once they are caught. What is striking to me, though, in terms of Congressional inaction, is that we have not yet seen a cyber-crime bill (of the several versions that are being considered) enacted. With the billions of dollars in annual economic losses that the Mercury News series covers in detail, why can't the Congress find a way to move some of the legislation that is aimed at the actual criminals? This week, the U.S. Senate approved S. 2168, the Identity Theft Enforcement and Restitution Act of 2007, which is a welcome development; the House should also move a similar bill this year. In addition, the House and Senate should pass a national data security bill that would establish federal standards for safeguarding sensitive information and for notifying consumers should a breach occur — the President's Strategic Plan also recommended that course of action.

Let me know what you think.

Comments

Still much to be done!

You make an excellent point about the (urgent) need for a national data breach notification law. Watching the British government's response to their own breach-calamity last week, it is surprising that the string of data breaches here (which started in earnest back in 2003, with AOL) has somehow yet to galvanize Congress into concerted action. Maybe if it was our children who were affected - as was the case in the UK - we would feel collectively less apathetic.

I would suggest that the answer to the question you pose in the heading is a straightforward "no"! We are still looking at a troubling picture of, as you put it, Congressional inaction. If we consider progress to be nothing more than task-force recommendations and oversight hearings (read: no actual action yet), then we may be in more trouble than we think. The creation of a cyber-security think-tank for the 44th President is all well and good, but why are we waiting for President McCain or President Clinton II when the problem is here and now?

- Fizz

Not even close--here's a letter you may borrow to your Reps

The Feb. 2008 Economic Report of the President states that both the 2002 CIPSEA and FISMA Acts are effectively being implemented in regard to Data Protection. This contradicts the January GAO report: see GAO-08-343. I am concerned about how the rush to push Data Sharing to Improve Statistics in Chapter 8 would further degenerate the already improper handling of our Personal Identification Information.

Please do all you can to see the following legislation gets signed into law during this 110th Congressional Session. It is embarrassing that we need to have legislation to ensure our Government Protects our Data--but it must be done.

1) H.R. 4791. This Federal Agency Data Protection Act further amends 44 U.S.C. and satisfies most of the identified flaws by expert critics that remain in the 2002 CIPSEA and FISMA Acts. Though, I think the definition of Personally Identified Information needs to be the same as U.S.C. Title 18 1028(a)(7). See GAO historical specifics on the breaches in GAO-08-496T.

2) S 495. This Personal Data Privacy and Security Act covers Government Agencies as well as Commercial entities, most importantly the Dataminers with reasonable responsibility and accountability measures.

Why do I bring these issues up? It dovetails as the crux of the real concerns about the coveted American Community Survey (ACS). There is a growing non-partisan groundswell of discontent that a simple Web-search will uncover. I know this is a vital organ for Federal Funding, but the Bureau's approach with this tool is wrong on so many levels, it will no doubt affect the upcoming 2010 Decennial Census. See: GAO 08-259T.

- Luci
