
In The End There Can Be Only One?


Cybersecurity Act 2009 - Review Part 1

This entry is one in a series of blog postings reviewing legislation currently before the US Congress. It should be noted that, according to several sources, there is a rewrite of the bill; however, as of this writing that version is not posted on either the Library of Congress or the Government Printing Office websites.

The title of this post (actually a tagline)--from the movie Highlander--seems very appropriate in regards to a section in the Cyber Security Act of 2009 (S.773 Sen. Rockefeller; Sen. Snowe; and Sen. Nelson).

Section 7(a) of this Act states that the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals. Part (b) of this section further states "...it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."

I will not go into whether or not the Government can devise a comprehensive, effective and, in general, adequate security certification program. I am sure there will be plenty of discussions/posts/etc. on that topic if this Act comes to pass.

As I read Part (b), several thoughts come to mind. What is going to happen to the existing certification bodies such as ISC, SANS or any other non-vendor-specific certification entity? Are those certs going to fade away or become less significant? Will the government recognize these certs and potentially institute some sort of grandfather clause? What will be the impact of this "required" certification on training organizations? Initially every vendor, consulting and professional services organization will have to send their staff to be certified, but eventually there probably won't be a need for so many training entities or staff. I don't think these certs will go away, as there are many industries and organizations that don't work with the US government, but it remains to be seen how much significance these certs will carry.

My next thought was in regards to vendors who offer implementations of their products. According to the Act, the engineers with these companies will need to be certified as well, and will need to maintain the cert. This may be more than some organizations want to go through just to offer implementation services. Sure, consulting or professional services organizations may benefit from the outsourcing, but what if the on-site consultant needs advanced engineering support from the vendor? There will be a hit to the multitude of organizations and people who will now have to put up the time, money and possibly other resources in order to get their staff "approved" for government work--even if they outsource--so that they can handle such a crisis.

Then I thought...one certification for everyone? Even most security professionals will agree that would be difficult, if not impossible, to establish. A debate that has been around for years is which is better: CISSP or SANS GIAC? Most security practitioners would agree that each has its own place as they are distinctive in their focus. The CISSP is generally looked upon as more managerial in nature while the GIAC certs are more technical. Not a criticism--just stating that the nature of each is different. Trying to imagine a one-stop certification boggles the mind, if nothing else, from the amount of material that would need to be studied. Unless there are different levels/tracks of government certification (which potentially is its own nightmare) this will be very difficult to implement.

If you step back and think of the scope this section of the Act implies, it is enormous and the resource impact to thousands of organizations is tremendous. While I certainly applaud the perceived intention of this section, I can't see there only being one certification that fits everyone and provides the best service to the government.

It’s the Forest – Not the Trees

"Back in the day" (a phrase that amuses me due to its generality yet allusion to specificity--but I digress) when you needed to order office supplies you had to visit the supply room. When you needed additional raw materials you had to submit a materials request form. Need the latest sales figures? Call the sales department. In order to perform a risk assessment of these "systems" the security practitioner rarely had to travel outside the corporate walls. And this was fine for the aforementioned "general/specific" time in history.

We do things a bit differently in the 21st century. Many organizations have agreements with suppliers, distributors, data collection agencies, etc. so that identified follow up action is available from your company Intranet or is accomplished behind the scenes. For example, many grocery stores have electronic connections with their suppliers, distributors and shipping partners throughout the supply chain. This allows for a more efficient process of ordering and receiving items as they are sold to consumers. Need office supplies? Go to your Intranet, click on office supply request, punch in an authorization code and select your items. They will be included in the next delivery date--you can even check the status of an order.

Now suppose you have been given the task of performing a risk assessment of your inventory process. If you were to only look at the systems within your corporate walls (as you did in the "old" days), a significant number of risks could go unidentified. Looking at it abstractly, your corporate walls are merely one tree in the forest of your inventory process, and you cannot learn about the forest from one entity. You need to be able to examine the whole forest, perhaps one tree at a time (a lengthy process, but my point is made), from one end to the other.

When looking at the entire forest (inventory process in this case) some questions that should come to mind include: How are your partners performing security on their end? Are they sharing authentication credentials among their employees? Do they practice configuration control? What happens to the data they receive from you? It is very difficult, if not impossible, to gather this information from only looking internally at your systems (one tree in this example). Perform a risk assessment (or audit, scan, etc.) against the entire system and not just one piece. More expensive? Probably. Take longer? Typically. Systems in the forest not under your control? Most definitely.

But all of these issues can be addressed through budgetary, timeline and contractual agreements. Money and time issues are fairly easy to understand while the more difficult part will be working with partners. Maybe you can share the costs. After all, a risk assessment can only help their security posture--and possibly marketing--not to mention strengthen the relationship.

My point is that, however the details are worked out, performing an assessment, audit, etc. against only one part of your system can lead to a false sense of security and thus to disaster. Security functions such as these should take into account the whole forest and not just a few trees.
