Get Ready! New Cybersecurity Standard For American Businesses.

The Cybersecurity Act proposes to give the President capabilities to “shut down the Internet”. While this got a lot of public attention (and outrage), the more significant part of the Act is the effort to create a “minimum bar” for security in a broad range of industries, including the Federal Government and “critical infrastructure” such as telecommunications, energy, financial services, transportation and healthcare. Such a new security standard could have even greater consequences than the already widely adopted Payment Card Industry Data Security Standard (PCI DSS). This blog examines what the Cybersecurity standard could look like and what it would mean for American business.
The Cybersecurity Act would require the National Institute of Standards and Technology to develop cybersecurity standards for government, contractors and operators of the systems that control the nation's critical infrastructure. A newly created acquisitions board would certify that products the federal government purchased meet security standards, and regional cybersecurity centers would be set up to support small- and medium-size businesses complying with the standards.
From the draft act:
SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:
…
(2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.
…
Other areas for research and standards development by NIST include security metrics, software security and software configuration.
"The market has failed by definition and thus public policy is necessitated," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team. "Hopefully, the private sector will comprehend that legislation like this creates long-term comparative advantage for American industry and subsequent technological sustainability."
A complementary bill is also circulating: the ICE (Information and Communications Enhancement) Act replaces the 2008 Federal Information Security Management Act, a rewrite of the 2002 law that the Senate never voted on. Presumably the ICE Act will not only take guidance from the current National Institute of Standards and Technology standards, but also look to a list of “Top 20 Security Controls”.
Many in the security industry believe that so far NIST has been too focused on security configuration, rather than on controls that truly prevent attacks. Alan Paller, director of research at the SANS Institute, and other security professionals argue that the approach is little more than a paper-pushing exercise and doesn't secure systems from known threats. Instead the SANS Institute is pushing (and appears to be getting some traction with) their own “Consensus Audit Guidelines” – a list of twenty relatively inexpensive controls every business should implement to prevent attacks.
Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance
The SANS Institute
http://www.sans.org/cag/print.php
- Critical Control 1: Inventory of authorized and unauthorized hardware.
- Critical Control 2: Inventory of authorized and unauthorized software; enforcement of white lists of authorized software.
- Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers.
- Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches.
- Critical Control 5: Boundary Defense
- Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs
- Critical Control 7: Application Software Security
- Critical Control 8: Controlled Use of Administrative Privileges
- Critical Control 9: Controlled Access Based On Need to Know
- Critical Control 10: Continuous Vulnerability Testing and Remediation
- Critical Control 11: Dormant Account Monitoring and Control
- Critical Control 12: Anti-Malware Defenses
- Critical Control 13: Limitation and Control of Ports, Protocols and Services
- Critical Control 14: Wireless Device Control
- Critical Control 15: Data Leakage Protection
- Critical Control 16: Secure Network Engineering
- Critical Control 17: Red Team Exercises
- Critical Control 18: Incident Response Capability
- Critical Control 19: Data Recovery Capability
- Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps
The bills "could do more to improve cybersecurity than any action in the last decade," said Jim Lewis, director and senior fellow for the technology and public policy program at the Center for Strategic and International Studies.
"This looks like the game-changer -- or at least the conversation-changer," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Its reach is far greater than any cyber bill I have ever seen, extending deep into corporate America."
Having a government-endorsed “minimum bar” for security that applies to a broad range of industries would definitely be a positive for the security industry and for American businesses. The bill could make it a lot easier for executives in business to get approval for investments in security. Additionally, security is only as strong as the weakest link in the chain, so any initiative that can raise the bar is a good thing.
- christophe.briguet's blog
- Feed: LogBlog