The Rockefeller-Snowe Cybersecurity Act represents an important milestone in advancing U.S. policy along a number of important lines.
The American public and worldwide cyber-security community should take note of an important bill that was introduced before the U.S. Senate this week as federal legislators continue to refine their efforts to create meaningful policies that can effect real change in the nation’s cybersecurity standing. The revised version of the Rockefeller-Snowe Cybersecurity Act represents the synthesis of a number of important ideas that have been proposed in different formats for a number of years, but in this bill they are arguably presented in the most accurate and mature terms yet from the standpoint of aligning government attention and resources with the aspects of electronic risk that are most exposed and critical in today’s environment.
In addition to validating that oversight of U.S. cybersecurity policy should be elevated to a cabinet-level position, a strategy at the heart of the series of recommendations to the Obama Administration made by the CSIS Commission that I had the honor of serving on, the Rockefeller-Snowe Cybersecurity Act creates the necessary resources and capacity for building a true federal cybersecurity workforce to provide central management and help address the challenge of improving cross-agency information sharing. Without the dedicated staffing and mandate of a full-time team of specialists who are allowed to focus every ounce of their energy on the most critical elements of addressing our cybersecurity challenges, we will remain mired in our current environment, where people operate largely in fiefdoms and the power of collective intelligence is not effectively applied to the initiatives that we need to support.
Another crucial piece of the proposed legislation is that it further links (in Section 201) management of government IT security programs with oversight of the electronic controls resident within our national critical infrastructure. As the American public has begun to recognize, driven largely by newspaper reporting, these issues are already intrinsically linked, and so must be the strategies that dictate their cybersecurity policies. The systemic risk associated with the exposure of our critical infrastructure to electronic attack is real, and it is imperative that this issue is advanced rapidly. Among the other important policies specifically laid out in the bill (in Section 206) is the requirement for cybersecurity leadership from each U.S. government agency to participate in and provide assessments that scope threats and identify vulnerabilities within their organizations. This process of proactive security and risk management is the express reason why I came to work for Core Security and remain engaged in this sector today. As noted in the Consensus Audit Guidelines, our government needs to embrace cyber-security processes that are tacitly proactive and can “inform defense” against actual attacks that have compromised systems, or those that could transpire to do so. In yet another key recommendation, the Rockefeller-Snowe Cybersecurity Act (in Section 207) empowers the President to focus new attention on the issue of promoting international norms for cybersecurity. This is one of the other endemic issues that must be addressed if we are to make any real progress, for as long as there are havens around the globe where cyber-criminals can do business without any fear of retribution from law enforcement – and in some cases operate with the implicit support of their local governments – any achievements we record as a nation will be challenged by the uncertain global environment. There is a need for additional work in this area, and Sen. Gillibrand of New York is another leader forwarding important policy-making to this end, but the Rockefeller-Snowe bill can serve as an important starting point in addressing the global enforcement problem. And in another vitally important arena, the bill (in Section 209) dictates that the private sector is given increased access to classified data amassed by government agencies about emerging electronic threats and attacks that ultimately imperil their operations and affect the stability of our economy.
As experts including former White House Cybersecurity Advisor Melissa Hathaway and Cisco CSO John Stewart (both members of Core Security’s newly launched Advisory Board) recently advocated on a panel at the RSA Security Conference, the government must incent the private sector to cooperate and contribute to our joint information sharing efforts by offering these organizations tactical data that they can use to improve their own footing. There are many important cybersecurity bills and laws currently under review at every level of the U.S. legislative ecosystem, but if approved, the Rockefeller-Snowe Cybersecurity Act could serve as a truly effective tool on the highest levels of our government to empower all of our efforts. -Tom Kellermann, Vice President of Security Awareness.