The Cybersecurity Act of 2009 [opencongress.org] was introduced April 1, 2009, by Senator John Rockefeller (D-WV). The act is:
A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
One of the more talked about provisions of this bill is the granting of authority to the POTUS to "declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network." Perhaps that will be another blog post, but the provision currently bothering me is the one in Section 7 [opencongress.org] of the bill. That section directs the Secretary of Commerce to establish a "national licensing, certification, and periodic recertification program for cybersecurity professionals" and that, after 3 years, makes it "unlawful for any individual to engage in business...as a provider of cybersecurity services...who is not licensed and certified under the program." The provision only applies to professionals providing services to Federal agencies, their networks, or a network deemed as "critical infrastructure" by the POTUS.
Why does this bother me? Well, to start off with, licensing and certification sure sound like there will be some exchange of money involved, just as private certifications like CISSP, CCNA, MCSE, etc., require you to fork over some cash to take the test and/or maintain membership. If the Federal Government steps in and does the same thing either
- the Feds are getting a de facto tax from cyber security professionals; or
- if an already existing certification is chosen, that certification body essentially gets public welfare.
In the latter case, whoever spends the most money lobbying the Congress Critters (probably) wins.
This sounds like some unnecessary meddling to me. Yes, the Feds need some well-trained cyber geeks to shore up their defenses. A lot of the cyber security professionals that are already in the government are incompetent--I've taken various educational courses and met them, and also worked around some of them--but the way to fix that problem is to make it possible for the Feds to fire people. Right now, if you get in to the Federal government, you're employed for life unless you do something extremely stupid and illegal.
But even the NSF Scholarship for Service (AKA CyberCorps) program (which this act evidently re-authorizes) won't help. First of all, you can't train enough cyber security professionals fast enough to make a difference. More importantly, the lack of people is not the real issue. The real issue is the politics, red-tape, and managerial incompetence that restricts the competent CSPs that are already in the Federal government from securing their networks.
To defend a network, you have to be able to react quickly. To defend a network that has little or no existing defense in place, you have to be able to rapidly re-configure the network with up-to-date tools and hardware. It takes entirely too long to get approval for purchasing those devices, and entirely too long to get approval to deploy them. Then some manager can't understand that some things are going to break and take a while to fix, and pretty soon you have a half-deployed three year-old "security is in the blinky thingy" device that can't keep up with the volume of traffic transiting the new OC-128 the Undersecretary for Porn Surfing demanded be put in place.
I just don't see this going well. Someone's going to get very rich, another 1500 jobs are going to be added to the federal government to oversee this program, more tax money is going to be wasted, CSPs are still going to be frustrated in their attempts to repair Federal networks, and the Internet is still going to be a DANGEROUS PLACE with unfriendlies from all points south of our border and across the oceans trying to steal our information.