Sunday, January 31, 2010

Reader Comment – 01-29-10 Cyber Response

A reader, D3, posted a response to my recent blog about the introduction of HR 4507. D3 wrote: “Why should it surprise you to learn that the Federal Government realizes that cyber security is "everyone's responsibility?" Assuming the Federal Government is the sole entity responsible for security in "cyberspace" is a lot like saying the fire department is the only entity qualified to respond to fire emergencies...just a thought--not an attack.” In the broader sense, D3 is certainly correct; everyone is responsible on some level for cyber security. If every computer user properly protected their own computers, we would not have the widespread ‘botnets’ that are being used in so many cyber attacks. If every organization properly trained its users and adequately monitored its own networks, it would be much less susceptible to cyber attacks. If every equipment manufacturer and software developer adequately tested and evaluated the risks to their products, it would be much harder for cyber criminals to carry out successful cyber attacks.

If the wording of HR 4507 indicated that the consortium was designed to help State and local governments protect their own computer systems against cyber attack, I would be much more supportive of the measure. However, it seems to me that the intent of the bill is to enroll these State and local governments in the more general protection of the ‘Internet’. Those governments simply have no authority to affect cyber practices beyond their own internal systems. If Congressman Rodriguez (D, TX) intended to ensure that appropriate cyber security education was being developed and spread down to the State and local level so that they could protect their own systems, I think that the bill should have been more explicit. The current language does not appear to me to support that interpretation.
A further suggestion: State and local governments are not the only entities that need outside assistance in the field of cyber protection and education. A very large number of users do not have the internal resources to ensure that their organization is making the proper efforts to protect its systems from cyber attacks. The consortium could also be used to develop procedures and training for small businesses and non-profit organizations. If HR 4507 were expanded to cover this type of organization, the intention to help organizations protect their own systems would be clearer.


D3 said...

Fundamentally, I agree with your response. However, I should point out to you that there are several initiatives that fall into the category of helping "State and local governments...protect their own computer systems against cyber attack." One that comes to mind is the Center for Infrastructure Assurance and Security (CIAS), a non-profit based at the University of Texas at San Antonio.

(Full disclosure: I am an employee of the CIAS.)

The mission of the CIAS is to help states and local communities work to protect their cyber infrastructure. The Center has developed the Community Cyber Security Maturity Model, which takes a comprehensive view of cyber security from an organizational, community, state and Federal approach. The Model shows that all four "players" have a role in strengthening the nation's cyber security posture.

One component of the Model is the conduct of cyber security exercises at both community and state levels. The initial phase of exercise delivery focuses on awareness and is therefore tailored for leadership within communities and states, both governmental and non-governmental (i.e., private sector).

If you're interested, check out the CIAS website at


PJCoyle said...

For my response to D3's comments see:
