Fortress America

Efforts to bolster information security are gaining momentum on Capitol Hill, where lawmakers are considering a host of bills aimed at improving security in the public and private sectors.

Congress has taken up information security legislation in three major areas: research and development; information sharing about threats to the nation's critical infrastructure, including IT systems; and agency information security assessments and implementation. Congressional sources and IT industry executives said they are optimistic the bills will become law this year.

"We have really been pushing for the federal government to take cybersecurity much more seriously," said Mario Correa, director of Internet and network security policy for Business Software Alliance, a trade group in Washington.

The Cyber Security Research and Development Act, in particular, "show(s) Washington is getting more serious about cybersecurity," said Shannon Kellogg, vice president of information security programs for the Information Technology Association of America, Arlington, Va. The House and Senate versions of the act contain more than $800 million for cybersecurity research and about $300 million for education programs designed to increase the number of information security professionals.

"The bill says that Congress is focused on making sure the United States continues to be the leading developer in cutting-edge security technologies," Correa said.

The House version of the act, H.R. 3394, passed Feb. 7 by a vote of 400-12. Its companion Senate bill, S. 2182, was approved May 17 by the Commerce, Science and Transportation Committee with an additional provision that IT industry executives oppose.

At issue is a provision that would require the National Institute of Standards and Technology to develop benchmark security standards. The bill directs NIST to establish "a baseline security configuration for specific computer hardware or software components, an operational procedure or practice or organizational structure," which industry executives said could impose a ceiling on technological innovation.

Setting specific guidelines for configurations and specifications of hardware and software won't allow NIST to keep up with constantly changing technologies and cybersecurity threats, leaving federal systems vulnerable, Correa said.

That view is not shared by some in the Senate. The bill would establish a floor for cybersecurity, not a ceiling, a Senate source said. "We have to address this problem, but I don't foresee any huge hurdles if we can get past that," the source said.

Heidi Tringe, spokeswoman for the House Science Committee, whose chairman, Sherwood Boehlert, R-N.Y., sponsored the House bill, said the committee is working with Sen. Ron Wyden, D-Ore., sponsor of the Senate bill, "to work out any differences and ensure it becomes law."

"We've had great support from industry and the academic community. It's very encouraging," Tringe said.

Industry executives also support the Federal Information Security Management Act, H.R. 3844, which would permanently reauthorize the Government Information Security Reform Act of 2000 and beef it up by eliminating waivers to its requirements. GISRA requires agencies to assess the security of their IT systems and include risk assessments and security needs in budget requests. However, some said they're also concerned about a provision that requires NIST to develop security standards.

"GISRA has not been the success it should have been, probably because it didn't have the teeth that were needed. The [FISMA] bill makes optional exercises mandatory or a lot more urgent," Correa said.

Peggy Weigle, chief executive officer of Sanctum Inc., a Santa Clara, Calif., Web application security company, said industry is concerned that by the time the government establishes standards, they will be out of date. But Weigle said she supports basic, government-set standards. "When government enacts a law that has ... repercussions, [agencies] start making things more secure. Congress certainly isn't going to be recommending certain products," she said.

The legislation asks NIST to develop best practices standards, said Chip Nottingham, counsel for the House Government Reform subcommittee on technology and procurement policy. Its chairman, Rep. Tom Davis, R-Va., sponsored the bill.

"Congress is ill-suited to the task of developing specific technical standards," said Nottingham, who agreed that any technical standards would be quickly obsolete. "Any time you're developing standards, you're going to have nervousness in the technology community because it means winners and losers in the marketplace," he said. "Our goal is to get the bill out and let the process run its course. We'd like to resist the temptation to add legislative language, because we'd probably get it wrong."

Nottingham said he hopes the bill will move through House committee markup in the next few weeks, and that he believes it will have broad, bipartisan support in the Senate.

Also top-of-mind in the IT industry is legislation that would improve the ability of companies to share information with government and each other about threats to the nation's critical infrastructure, which includes financial information systems, nuclear power plants and electric power grids. The House bill is H.R. 2435, the Cyber Security Information Act, which was first introduced by Davis two years ago. The Senate bill is S. 1456, the Critical Infrastructure Information Security Act.

"The key to cybersecurity is information sharing," Correa said. "Attacks and risks are constantly changing. For industry to respond effectively, we need to understand what our businesses are encountering."

Some companies share information with each other through Information Sharing and Analysis Centers, established in 1998 through Presidential Decision Directive 63. But ISACs don't exist for every industry, said Liesyl Franz, director of global government affairs for Electronic Data Systems Corp. of Plano, Texas. The legislation would cover a broader spectrum of companies, Franz said. EDS participates in the information technology ISAC.

However, some private-sector executives said they are reluctant to share information with each other because of antitrust concerns, and they are reluctant to share information with the government for fear that information released under a Freedom of Information Act request would make them the target of more cyberattacks.

"Companies are so leery about providing details of [cyber] break-ins because they are concerned about FOIA," Weigle said. "By removing that access, I think there is no question more companies will be proactive in reporting, and that will give organizations like the FBI more information to go out and get the bad guys."

Proponents said the FOIA and antitrust exemptions are deliberately narrow. Legislators need to assure companies that antitrust litigation would not be pursued solely based on disclosures about emergency preparedness, Nottingham said. The Justice Department's answer to antitrust exemptions is usually "'heck no,' and that's probably the right response," Nottingham said. "We want to make it very narrow. This is all about preventing attacks."

Rep. F. James Sensenbrenner, R-Wis., chairman of the House Judiciary Committee, met with Davis May 23 and said he'd like to have a hearing on the antitrust exemption early this month, said staff members of the House Government Reform subcommittee on technology and procurement policy.

IT industry executives said they are optimistic the legislation will pass this year.

"I know that the senators and the congressmen really are completely committed to these principles," Franz said. "I think they will do what they can to make it happen."

"The key to cybersecurity is information sharing. Attacks and risks are constantly changing," said Mario Correa, director of Internet and network security policy for Business Software Alliance.

Washington Technology photo by Henrik G. deGyor