Category Archives: Security

Cybersecurity Act of 2009

The US Congress is reviewing proposed legislation that gives the President the ability to disconnect any federal government or critical infrastructure cyber (for lack of a better word) system. The Cybersecurity Act, also known as Rockefeller/Snowe, begins ominously:

The Congress finds the following:

(1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.

It then provides quotes from a number of sources that say technology underpins the economy and is significantly weaker than more conventional infrastructure. Here is number ten, for example:

(10) According to the National Journal, Mike McConnell, the former Director of National Intelligence, told President Bush in May 2007 that if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been “an order of magnitude greater” than those caused by the physical attack on the World Trade Center. Mike McConnell has subsequently referred to cybersecurity as the “soft underbelly of this country.”

Scary. But help is on the way. A Cybersecurity Advisory Panel is to be created that will represent everyone and advise the President. Paller must be crushed that this does not just say SANS will be given the task…

One of the more interesting tasks is a monitoring dashboard assigned to the Secretary of Commerce.

…implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal government information systems and networks managed by the Department of Commerce

In a similar vein, the Director of NIST is expected to build a dashboard to measure and illustrate the economics of cyber security.

These metrics should measure risk reduction and the cost of defense. The research shall include the development automated tools to assess vulnerability and compliance.

I get where they were trying to go with all this, but it is really rough around the edges. The enforcement section is practically empty, and ideas like the vulnerability specification language that will “communicate vulnerability data to software users in real time” seem strangely out of place. Do we really need a vulnerability language in a federal act? Who wants a secure domain name addressing system run out of a federal mandate?

It is hard not to notice that there is also a provision for mandatory cybersecurity professional licensing. I think it is great that information security is getting a big focus in the stimulus and infrastructure projects, but I find it hard to believe anyone will really support so much power being placed under the executive branch.

FAA Breach

The big deal about this story is that the FAA was being held up as an example when it was breached.

The Federal Aviation Administration was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cybersecurity efforts.

Just a month later, FAA officials had to admit that hackers breached one of the agency’s servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft.

Nothing too shocking there. We all know that nothing is perfect and that is why defense in depth is a necessary approach. The authors try to put this another way.

The security breach, although significant and potentially far reaching, is not necessarily a reflection on FAA’s security measures. Rather, it demonstrates the problems of securing federal computer systems and difficulty in evading every potential attack.

Why is it not a reflection? I say that it is, but it also demonstrates the problems of securing systems, as well as the problems of holding someone up as an example of secure practices. The OMB might have considered the FAA a leader, but a comment after the article highlights a different picture:

The Personally Identifiable Information (PII) should not have been archived (the data stolen was from 2006) without the SSNs being removed, it should have been encrypted, it should not have been on a Dev Server (it was being used for developing applications), it should have never been connected to a public network, and it should never have been released to anyone as a “test file”. All of these things were a violation of DOT orders, FAA orders, and federal law. The rules were in place to protect the data, but they were ignored/violated.

If the comment is accurate, the FAA made several clear mistakes that should have been caught internally, and the OMB was too lenient in their assessment of progress.
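The commenter's list of violated rules amounts to a release gate that was never run: nothing with an SSN in it should leave the production boundary as a “test file”. As an added example (my code, not the FAA's, the article's, or the commenter's), here is what such a gate looks like in Python. The record layout, the field names in SSN_FIELDS, and the sample 2006 archive records are all constructed for the example; the tokenization uses a keyed HMAC, which is my choice rather than anything the article describes.

```python
import hmac
import hashlib
import re
import secrets

# Field names that hold a Social Security Number outright.
# Assumption: the archive's schema uses one of these names.
SSN_FIELDS = {"ssn", "social_security_number"}

# Over-flags on purpose: any 3-2-4 hyphenated number or any bare 9-digit
# number counts as a possible SSN. A false positive costs a manual review;
# a miss costs 45,000 people their privacy.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")

# Constructed sample records of the kind the commenter describes: a 2006
# archive with SSNs still present. Every value here is invented.
ARCHIVED_RECORDS = [
    {"employee_id": "E1001", "name": "A. Example", "ssn": "123-45-6789", "hired": "1998-04-01"},
    {"employee_id": "E1002", "name": "B. Example", "ssn": "987654321", "hired": "2003-09-15"},
    {"employee_id": "E1003", "name": "C. Example", "ssn": "", "hired": "2005-01-20"},
    {"employee_id": "E1004", "name": "D. Example", "hired": "2001-07-07",
     "notes": "prior SSN 111-22-3333 noted on intake form"},
]


def find_pii(records):
    """Return (record index, field, value) for every SSN still present,
    whether it sits in a dedicated column or is buried in free text."""
    findings = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            if field.lower() in SSN_FIELDS:
                if value.strip():
                    findings.append((i, field, value))
            else:
                m = SSN_RE.search(value)
                if m:
                    findings.append((i, field, m.group(0)))
    return findings


def pseudonymize(ssn, key):
    """Replace an SSN with a keyed token. HMAC with a secret key keeps
    referential integrity (same SSN -> same token) while staying
    irreversible to anyone without the key; a plain unkeyed hash would not,
    because the SSN space is only 10^9 values and could be searched."""
    digits = re.sub(r"\D", "", ssn)
    return "tok_" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize(records, key):
    """Return a copy fit to leave the production boundary: SSN columns
    become token columns, SSNs inside free text are redacted, and empty
    SSN columns are dropped."""
    clean = []
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field.lower() in SSN_FIELDS:
                if isinstance(value, str) and value.strip():
                    out[field + "_token"] = pseudonymize(value, key)
            elif isinstance(value, str):
                out[field] = SSN_RE.sub("[SSN REDACTED]", value)
            else:
                out[field] = value
        clean.append(out)
    return clean


def release_gate(records):
    """The check the commenter says was skipped: a dataset may be handed
    out as a test file only if no SSN can be found in it."""
    return not find_pii(records)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # used once here and never stored with the file
    for finding in find_pii(ARCHIVED_RECORDS):
        print("blocked:", finding)
    print("release raw archive:", release_gate(ARCHIVED_RECORDS))
    cleaned = sanitize(ARCHIVED_RECORDS, key)
    print("release sanitized copy:", release_gate(cleaned))
```

Run as a script it refuses the raw archive (three findings: two SSN columns and one SSN inside a notes field) and accepts the sanitized copy. The gate checks the data itself rather than trusting that someone remembered to strip the column, which is the point: the DOT and FAA orders the commenter cites only help if something enforces them on the way out.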

California Fiber Break Cripples Counties

The Santa Cruz Sentinel reports that sabotage is suspected in a widespread phone outage in Santa Clara and Santa Cruz counties:

Police are investigating whether sabotage to an underground fiber optic cable in south San Jose caused a widespread phone service outage in southern Santa Clara and Santa Cruz counties this morning that included disruption to 911 emergency phone service, according to law enforcement officials.

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down 8 to 10 feet and cut four or five fiber-optic cables.

San Benito County is also affected. Even cell phones are reported to be offline.

Possum Fur

I think I have found a new favorite beanie. My only question is why it costs so much if it is made from 40% pest?

The possum was introduced into New Zealand from Australia and is an ecological pest. 90 million of them are munching through 21,000 tonnes of vegetation every night. Possum culling is endorsed by the WWF and GreenPeace.

Are we supposed to feel good about reducing the possum threat? Good enough to spend $60 for a hat?