Monday, February 1, 2010
Reader Comment – 1-31-10 CIAS Info
D3 continued the conversation about responsibility for cyber security with a new comment. D3 wrote (in part):
“Fundamentally, I agree with your response. However, I should point out to you that there are several initiatives that fall into the category of helping "State and local governments...protect their own computer systems against cyber attack." One that comes to mind is the Center for Infrastructure Assurance and Security (CIAS) [link added], a non-profit based at the University of Texas at San Antonio.”
D3’s comment provided additional details about CIAS, for whom he works. If you are interested in cyber protection efforts for non-control system applications at State or local levels, please read the remainder of D3’s comments. I am also providing a link to a listing of some of their training courses.
I was pretty sure that there would be programs out there that would address this issue and I am sure that they could use additional funding to expand their programs to allow for further work on cyber security issues for State and local government entities. I certainly think that this is valuable work, if perhaps not what I specifically follow on this blog.
Federal Responsibility
Of course, the main point that I was trying to make in the original post was that State and local governments need help in protecting their own systems, not to be made responsible for protecting the cyber systems of their residents. Individual system protection is the responsibility of the owner of the system.
What the Federal government should be responsible for is the protection of the network that is used extensively in this country, the Internet. A certain amount of that concern should be focused on providing individual users with information on how to protect their systems so that their machines are resistant to being hijacked to form botnet weapons that can be used to attack the larger infrastructure that we call the Internet.
The bulk of the defense of the Internet should be focused on strengthening the infrastructure of the Internet and responding to attacks. Because there are a large number of non-governmental entities in this country that are critical to the smooth operation of our society (labeled Critical Infrastructure and Key Resources, or CIKR, under the National Infrastructure Protection Plan), the Federal government has a responsibility to ensure that these entities meet minimum standards for their individual security, including cyber security. This is a key part of the underlying mission of strengthening the Internet.
Those two areas should be the focus of the Federal government’s action in the cyber security realm: protect the Internet and ensure that CIKR are adequately protecting themselves (and, of course, protect the computer systems that the government itself uses). Trying to push either responsibility off on the States, which is what HR 4507 appears to do, is not reasonable because they lack the funds, personnel, expertise and legal authority to accept that mission.