Bill would toughen security requirements over current law

Sen. Tom Carper's Information and Communications Enhancement Act was praised as an improvement over current FISMA regulations. Ed Andrieski/AP

A bill introduced in the Senate on Tuesday would strengthen the requirements in a much maligned security law, asking agencies to actively monitor and fix security holes in computer systems and requiring the White House to provide tougher enforcement.

The bill, the 2009 U.S. Information and Communications Enhancement Act, also would require the Commerce Department to establish standards for securing all government information systems, including those used by the Defense Department and intelligence agencies to support national security.

Security professionals and researchers widely praised the bill, introduced by Sen. Tom Carper, D-Del., as an improvement over the 2002 Federal Information Security Management Act. The ICE bill replaces the 2008 Federal Information Security Management Act , a rewrite of the 2002 law that the Senate never voted on. That bill, introduced by Carper in September 2008, required agencies to appoint a chief information security officer , who would be responsible for monitoring, detecting and responding to cybersecurity threats.

"The new bill is a huge improvement over current FISMA legislation because it shifts [the priority] from report writing to measuring actual security," said Alan Paller, director of research at the SANS Institute.

Paller, appearing before the Senate Homeland Security and Governmental Affairs Committee on Tuesday, called the federal government's cybersecurity defenses "childlike," and the work accomplished under FISMA "embarrassing."

"This is really an important bill that would make FISMA useful again," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "Right now, there is no correlation between an agency's FISMA score and its network security. An 'A' on the score card doesn't mean you're safe. This bill would change that."

The bill calls for the administration to establish a National Office for Cyberspace within the Executive Office of the President to coordinate efforts for an "assured, reliable, secure and survivable global information and communications infrastructure."

The president would appoint the office's director, who would create a national cyberspace strategy and regularly check if agencies are compliant with security policies and guidelines. The director also would review and evaluate agency information security programs to ensure agencies monitor, detect, analyze and respond to known vulnerabilities and patch systems for weaknesses. Chief information security officers would play a bigger role in enforcing policies.

The Commerce secretary would establish specific standards for securing information systems, based on guidelines developed by the National Institute of Standards and Technology. The bill would require contractors that sell products and services to the federal government to comply with the security standards, as would the intelligence community and military.

This latter requirement is a change from the current process of allowing Defense and the National Security Agency to manage information security for sensitive information systems that support national security efforts.

"The Commerce Department is supposed to develop standards for national security systems? That will go over real well with the Defense Department," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at the Homeland Security Department during the Bush administration and now runs the information security consulting firm Garcia Strategies.

He also questioned the bill limiting DHS' role to only incident response and defense capabilities provided by the U.S. Computer Emergency Readiness Team.

"I see no clear definition of who has ultimate jurisdiction authority," he said, adding that in Congress, wrangling among committees over who will form information security policy creates a Wild West scenario that ill provide little progress.

"We're beginning to see members wanting to take leadership in cybersecurity now that they've awakened to the threats we face -- and that's good," Garcia said. "But if Congress is to get involved, then House and Senate leadership need to bring the major committees together, consider the appropriate role for Congress, de-conflict among committee jurisdictions and present a coherent omnibus legislative strategy to commensurate with the White House effort. Congress can complement or they can complicate."

Two other Senate bills on cybersecurity were introduced this month.

But Paller raised the possibility that the law did not set stricter rules for cybersecurity. "There is a lot of extra language in the new bill that could be misused by people who are trying to protect the current, failed NIST-based evaluations," he said.

Much of NIST's recommendations for information security includes certifying and accrediting systems, a practice that includes listing the sensitivity of information stored on systems, finding the vulnerabilities that could allow a hacker access and applying security controls. Paller and other security professionals argue that the approach is little more than a paper-pushing exercise and doesn't secure systems from known threats.

"Some of those people think that they have added enough words like 'risk-based' to sufficiently weaken the bill -- enough to make it impotent. The ultimate value of this law will be measured by how well the White House can ensure that focus is on measuring the right things. Most CIOs do not have enough money to pay for both the FISMA reports and the important security improvements."

Gautham Nagesh contributed to this article.