USACM Chair cautions against underfunding cybersecurity research

USACM Chair Gene Spafford testified today at a House Armed Services Committee hearing as part of a cybersecurity panel on “Asymmetric and Unconventional Threats.” He was joined on the panel by David Grawrock (Intel) and Paul Kurtz (Cyber Security Industry Alliance). Spafford’s written testimony can be found here. In his oral comments, Spafford stressed several points:

  • The interconnectedness of systems today, meaning that a vulnerability or attack in one system can lead to problems for other systems;
  • The fuzzy line now between civilian and military infrastructure (e.g., many military bases rely on civilian power grids, civilian networks, etc.)
  • The danger in underfunding and shortening the horizon for cybersecurity research; and
  • The need for more well-trained cybersecurity professionals.

We’ll have more on this hearing in our forthcoming October newsletter. Meanwhile, Peter Harsha (CRA) has an excellent post about the hearing and some of the background.

Senate to Move Data Security Legislation

Update (10/25/05) — As promised below, click here to see an updated comparison of the four bills mentioned in the original post.

Last week we reported that the Senate Judiciary Committee — a major player in the effort to enact federal data security legislation — moved Senator Jeff Sessions’ (R-AL) legislation (S. 1326) intended to protect private electronic information. Today National Journal is reporting (subscription required) that key Senators will merge at least three bills into one and try to pass the package before the Senate leaves for Thanksgiving. Such an effort would require merging the products and priorities of three different committees — Judiciary, Senate Commerce, and Senate Banking — and then getting floor time.

The bills that would likely be merged are: Senator Arlen Specter’s legislation (S. 1332), Senator Sessions’ legislation, Senator Gordon Smith’s (R-WA) legislation (S. 1408) and Senator Richard Shelby’s (R-AL) legislation (S. 1461). (Here is a side-by-side comparing two of the bills. We will try to work up another side-by-side for the other bills.)

It is pretty hard to predict what parts will end up in the final bill. Our sense would be some new regulatory structure for all business modeled after the Gramm-Leach-Bliley Act, which partly governs the financial industry’s use of private data, with much of the specific detail left to the Federal Trade Commission to work out. It will probably also include some breach notification requirements and increased protection of information in government’s hands.

Any comprehensive regulatory bill will almost certainly contain provisions to preempt state law. Interestingly, the National Journal story notes that pressure to act isn’t coming from the public clamoring for protection of their private information; it is coming from the business community, which fears 50 different state laws. In many ways this improves the chances for a new federal law, because while the onslaught of data breach stories has slowed, the pressure inside the Beltway from business groups for preemption of state laws isn’t likely to stop.

Senate committee approves privacy/data protection bill

Thursday the Senate Judiciary committee approved (by voice vote) Senator Jeff Sessions’ (R-AL) “Notification of Risk to Personal Data Act” (S. 1326). The bill calls for the creation of data protection programs, mandates security breach notifications, and provides for the preemption of similar state laws. It was one of a number of data protection bills before the committee.

Curiously, the committee did not act on Chairman Specter’s own “Personal Data Privacy and Security Act of 2005” (S. 1789), which we have discussed in this space before. The status of that bill remains unclear.

Little progress seen toward securing nation’s critical infrastructure

The House Homeland Security Committee yesterday heard testimony regarding the security of the nation’s supervisory control and data acquisition (SCADA) systems — the computer systems used to control such things as water flow through dams, the operation of power plants, and so on. The occasion was a joint hearing between the Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity and the Subcommittee on Emergency Preparedness, Science, and Technology. The news wasn’t very encouraging (from a related WaPo article):

Guarding the computer-based controls from terrorists gained attention after the attacks of Sept. 11, 2001.

“It’s four years later and we are no further down the line,” Rep. Bill Pascrell, D-N.J., said while questioning Andy Purdy Jr., acting director of the Homeland Security Department’s National Cyber Security Division. “We’re not prepared. You know it, I know it.”

Joining Purdy before the committee were

USACM and others criticize DOD export proposal

USACM and more than 100 other respondents recently filed comments with the Department of Defense criticizing its proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS). Among other things, the proposal mandates that all DOD contracts include a clause requiring contractors to

1. Create and maintain unique badges for foreign nationals and foreign persons employed by the entity;
2. Build segregated work areas for these persons; and,
3. Prevent these individuals from gaining any access to export-controlled technology without first obtaining a specific license, authorization or exemption, even if these individuals may be working under the longstanding fundamental research exemption.

USACM’s comments express its concern that the proposal, among other things, would place a costly new burden on research, discriminate against foreign researchers, and jeopardize the fundamental research exemption that has long promoted an open and fertile research environment. USACM is also worried that DOD, in issuing this proposal, has not given enough consideration to a similar advanced notice of proposed rulemaking issued recently by the Department of Commerce’s Bureau of Industry and Security. USACM and others were critical of this proposal, as well.

USACM’s full statement on the DOD proposal is available here.

Below, in no particular order, are some quotes from the comments of other groups interested in this issue:

Underlying the specific problems with the proposed rule, which our colleagues [at AAU] have analyzed in detail, is an outdated concept of national security: that we can protect ourselves by walling off the scientific enterprise from foreign intrusion. The Commission on Scientific Communication and National Security—a blue-ribbon commission of the Homeland Security Program of the Center for Strategic and International Studies, chaired by a former secretary of defense and the president of the California Institute of Technology—gets it right when it states, “In a world of globalized science and technology, security comes from windows, not walls.”
NAFSA: Association of International Educators

Open collaboration and the free exchange of ideas are fundamental to the culture of America’s research universities. It is through this culture of openness that U.S. research universities have not only thrived but also served as the fertile ground where innovative and cutting-edge ideas are brought to life. As written, the proposed rule would undermine the open and innovative atmosphere of our research laboratories.
American Association of Universities

DOD implementation of this requirement as proposed will adversely affect U.S. national security as universities will decline to perform critical research for DOD. The effect will be to discourage universities from conducting DOD-contracted fundamental research in order to avoid having to preclude the participation of foreign students and researchers in such research. U.S. science and engineering is critically dependent on the participation of foreign nationals. For example … [in] 2003 foreign nationals earned 38% of the science doctorates and 58.9% of the engineering doctorates awarded by U.S. institutions.
Council on Government Relations

[The following] two bullets reflect the concerns expressed by the ONR S&T community:

* Harm the research base available to DoD by requiring researchers to assign graduate students, who are approximately 70% foreign, by citizenship rather than expertise. The research base would be further undermined by restriction of a prime motivation for conducting world class research which is world wide recognition. In fact, publishing is essential for advancement in an academic career; therefore, the best researchers would be driven away from DoD research, as would the best institutions.

* Badging requirement is more onerous in a university setting. The proposed requirement set forth at proposed DFARS Part 252.204-70XX (d)(1) is particularly chilling in a university research setting where the free and open exchange of information and ideas provides the synergy that moves the science forward. The majority of research performed within universities is accomplished by graduate students. These students learn at least as much from other students as they do from their professors. Graduate students isolated from their fellows by working on DoD research would be severely handicapped.
Office of Naval Research

The proposed rule requires that access control plans be created that include segregated work areas and unique badging requirements for foreign nationals and foreign persons who may have access to export-controlled information and technology. This requirement fails to take account of the broader mission and goals of institutions of higher learning. These institutions rely on academic freedom, scientific openness, and an unrestricted dialogue between teachers and students, as well as within student cohorts, to nurture the flow of innovative ideas that ultimately lead to the development of critical technologies.

Aside from the obvious issues of the additional costs associated with creating a segregated work environment, the badging requirement would appear to single out and perhaps stigmatize foreign students (even from allied nations).
American Association for the Advancement of Science (AAAS)

Spafford and Lazowska on cybersecurity R&D

There are a couple of interesting cybersecurity items currently worthy of your attention:

* USACM Chair Eugene Spafford makes comments on the Department of Defense’s approach to cybersecurity in a recent Federal Computer Week article:

[…] Spafford said incremental changes will not strengthen existing networks and a whole new approach [to DOD cybersecurity] is needed.

“Unfortunately, the government is not funding much research in cybersecurity and almost none in long-range research,” said Spafford, who is also executive director of Purdue’s Center for Education and Research in Information Assurance and Security […]

* Peter Harsha alerts us to former PITAC co-chair Ed Lazowska’s strong words about the administration’s handling of cybersecurity research and development in an interview with CIO Magazine:

[Worthen:] You feel strongly that the government’s treatment of cybersecurity R&D has been particularly neglectful.

[Lazowska:] PITAC found that the government is currently failing to fulfill this responsibility. (The word failing was edited out of our report, but it was the committee’s finding.)

ACM Washington Update, Vol. 9.9 (September 30, 2005)

CONTENTS

[1] Newsletter Highlights
[2] Carter-Baker Commission Report a Mixed Bag
[3] Senate Judiciary Committee: Busy and in the Spotlight
[4] Secure Flight Working Group Against Live System Testing
[5] Cybercrime on the Rise
[6] Barbara Simons Presented with Lifetime Achievement Award
[7] Calling All Techies
[8] Events in October
[9] About USACM

[An archive of all previous editions of Washington Update is available here.]