Monday, February 1, 2010

Reader Comment – 1-31-10 CIAS Info

D3 continued the conversation about responsibility for cyber security with a new comment. D3 wrote (in part): “Fundamentally, I agree with your response. However, I should point out to you that there are several initiatives that fall into the category of helping "State and local governments...protect their own computer systems against cyber attack." One that comes to mind is the Center for Infrastructure Assurance and Security (CIAS) [link added], a non-profit based at the University of Texas at San Antonio.” D3’s comment provided additional details about CIAS, for whom he works. If you are interested in cyber protection efforts for non-control system applications at State or local levels, please read the remainder of D3’s comments. I am also providing a link to a listing of some of their training courses. I was pretty sure that there would be programs out there that would address this issue and I am sure that they could use additional funding to expand their programs to allow for further work on cyber security issues for State and local government entities. I certainly think that this is valuable work, if perhaps not what I specifically follow on this blog. Federal Responsibility Of course, the main point that I was trying to make in the original post was that State and local governments need help in protecting their own systems, not to be made responsible for protecting the cyber systems of their residents. Individual system protection is the responsibility of the owner of the system. What the Federal government should be responsible for is the protection of the network that is used extensively in this country, the Internet. A certain amount of that concern should be focused on providing individual users with information on how to protect their systems so that their machines are resistant to being hijacked to form botnet weapons that can be used to attack the larger infrastructure that we call the Internet. The bulk of the defense of the internet should be focused on strengthening the infrastructure of the Internet and responding to attacks. Because there are a large number of non-governmental entities in this country that are critical to the smooth operation of our society (labeled Critical Infrastructure and Key Resources – CIKR under the National Infrastructure Protection Plan) the Federal Government has a responsibility to ensure that these entities meet minimum standards for their individual security, including cyber security. This is a key part of the underlying mission of strengthening the Internet. Those two areas should be the focus of the Federal government’s action in the cyber security realm, protect the Internet and ensure that CIKR are adequately protecting themselves (and of course protect the computer systems that the government itself uses). Trying to push either responsibility off on the States, which is what HR 4507 appears to do, is not reasonable because they lack the funds, personnel, expertise and legal authority to accept that mission.

2 comments:

D3 said...

Interesting. Thanks for the linkback, btw.

I think you're right in that the Federal Government has a responsibility to "educate the masses" about safe online habits. What I envision is a national ad campaign (perhaps funded by the Federal Government and produced by the National Ad Council) in much the same vein as the "crash test dummies" or "brain on drugs" commercials of the past. In other words, figure out a way to instruct through simple messaging rather than complicated technical jargon.

Furthermore, if we're going to keep the responsibility for "national protection" at the Federal level, then we must define the borders of the Internet. Do we say that, if the web site URL is hosted within the United States that the Federal Government assumes responsibility for protection? Similarly, if the URL is hosted on a foreign server, does the United States Government assume no responsibility? I think these are logical questions if we expect a body like the U.S. Government to protect users of the Internet.

I think that, at the most basic level, we are responsible for what we do on the Internet. The Government has little control (ultimately) on our surfing habits. I don't want to go too far down the rabbit hole on this issue, but I believe you have some great points.

We do rely on a "large number of non-governmental entities" for our day-to-day Internet services. The Federal Government could presume some sort of "control" in the form of basic standards, but what can the Government do in cases of noncompliance? Can the Government step in and shut down AT&T or Verizon if their networks are deemed "insecure?" (I know that the so-called "Cyber Security Bill" currently winding through Capitol Hill is headed that direction...)

Great discussion!

PJCoyle said...

My response to D3's comment can be found at: http://chemical-facility-security-news.blogspot.com/2010/02/reader-comment-02-01-10-cyber-sec-resp.html

 
/* Use this with templates/template-twocol.html */