Showing posts with label HR 4507. Show all posts
Sunday, January 31, 2010
Reader Comment – 01-29-10 Cyber Response
A reader, D3, posted a response to my recent blog about the introduction of HR 4507. D3 wrote:
“Why should it surprise you to learn that the Federal Government realizes that cyber security is "everyone's responsibility?" Assuming the Federal Government is the sole entity responsible for security in "cyberspace" is a lot like saying the fire department is the only entity qualified to respond to fire emergencies...just a thought--not an attack.”
In the broader sense, D3 is certainly correct; everyone is responsible on some level for cyber security. If every computer user properly protected their own computers, we would not have the widespread ‘botnets’ that are being used in so many cyber attacks. If every organization properly trained their users and adequately monitored their own networks, they would be much less susceptible to cyber attacks. If every equipment manufacturer and software developer adequately tested and evaluated the risks to their products, it would be much harder for cyber criminals to effect successful cyber attacks.
If the wording of HR 4507 indicated that the consortium was designed to help State and local governments to protect their own computer systems against cyber attack, then I would be much more supportive of the measure. However, it seems to me that the intent of the bill is to enroll these State and local governments in the more general protection of the ‘Internet’. Those governments simply have no authority to affect cyber practices beyond their own internal systems.
If Congressman Rodriguez (D, TX) was intending to ensure that the appropriate cyber security education was being developed and spread down to the State and local level so that they could protect their own systems, I think that it should have been more explicit. The current language does not appear to me to support that interpretation.
A further suggestion: State and local governments are not the only entities that need outside assistance in the field of cyber protection and education. There are a very large number of users that do not have the internal resources to ensure that their organization is making the proper efforts to protect their systems from cyber attacks. The consortium could also be used to develop procedures and training for small businesses and non-profit organizations. If HR 4507 were expanded to cover this type of organization, then the intent to help systems protect themselves would be clearer.
Friday, January 29, 2010
HR 4507 Introduced
On Tuesday, Congressman Rodriguez (D, TX) introduced HR 4507, the Cyber Security Domestic Preparedness Act. The legislation would authorize the Secretary of DHS to establish the Cyber Security Domestic Preparedness Consortium, which would train State and local authorities and assist them to prepare for and respond to cyber security attacks. The Act would also authorize the establishment of the Cyber Security Training Center where such training would take place.
The Consortium would “consist of academic, nonprofit and government partners that develop, update, and deliver cyber security training in support of homeland security” {§226(c)}. In addition to training, the Consortium would provide technical support to State and local authorities “in support of cyber security preparedness and response” {§226(b)(3)} as well as conduct simulation exercises to aid in developing techniques “to defend from and respond to cyber attacks” {§226(b)(4)}.
The bill does not include a definition of ‘cyber attacks’, nor does it provide a description of the types of attacks for which the Consortium would provide training support. One would assume that attacks against industrial control systems would be included in ‘cyber attacks’, although there is already an organization within DHS that conducts that type of training, the Control Systems Security Program (CSSP) under the DHS-CERT. The difference would be that the CSSP training is directed at private industry, where industrial control systems reside, rather than at State and local authorities.
It does strike me as unusual that this bill seems to intend to pass responsibility for preventing and responding to cyber attacks down to the State and local level. It seems to me that this should certainly fall under Federal responsibility under both the Commerce and Common Defense clauses of the Constitution.