What do you know, I'm not the only one calling for new Federal Legislation concerning securing our I.T. systems and data. A group called the Business Software Alliance (BSA) is calling for the federal government to address cybercrime and increase enforcement. Infoworld reports that:
Members of the BSA, a trade group based in Washington, D.C., on Monday asked Congress to pass the Cyber-Security Enhancement Act, which would expand the computer crimes statute in federal law to include the stealing of access codes or electronic identifiers from a computer. The bill would also make it a crime to access a computer without authorization, even if the access does not cause damage, and it would define a new crime of conspiracy to commit cybercrime.
U.S. computers have "never been so vulnerable to attack," said Art Coviello, president of the RSA security division of EMC. In many cases, the vulnerabilities come from companies and individuals needing to share more and more information with others, "without understanding the risks," he said.
Companies and individual computer users need to rethink the way they address security, said Coviello, speaking at a BSA forum. Computer users need to reject popular beliefs that security can be bolted on to software after it's developed and that security can be accomplished with a perimeter defense, he said.
Cybersecurity needs to become more granular, and organizations must begin to prioritize what information they need to keep most safe, Coviello said. "Security needs to adapt to facts and circumstances," he said.
Coviello criticized Congress, saying it only focuses on cybersecurity for a short time each year, when U.S. agency cybersecurity grades come out. In the following weeks, some members of Congress will get up in arms about all the bad grades, then forget about the issue, he said.
But what U.S. agencies need is funding for cybersecurity efforts, he said.
"Give money, not lectures," Coviello said. "Then you can hold people accountable."
The Cyber-Security Enhancement Act, introduced in May, would also give an additional $10 million a year to three U.S. government agencies that fight cybercrime.
Representative Steve Chabot, an Ohio Republican and co-sponsor of the bill, told the BSA that more laws are needed to fight organized cybercrime.
"The rise in the number of sophisticated cybercrimes ... shows that we need to do more to protect individuals and businesses," Chabot said. "These cyberattacks are becoming increasingly sophisticated."
We all need to do our part in letting our Congressmen know that we need to do this, before the cyberattacks and data thefts go beyond serious and enter the realm of life-threatening.
I'm glad someone is starting to pay attention to this vital topic. Now get out there and spread the word, or we'll be worrying about a lot more than who has our SSNs.
Some critics of the U.S. government's cybersecurity efforts might argue that nothing short of a bomb going off--or, well, purported Chinese cyberattacks on feds' machines--will land the issue more notice.
Without tougher security standards, Americans are in danger of hacker-induced blackouts, some politicians say. This time around, the wake-up call for politicians was, indeed, an explosion: In September, U.S. Homeland Security officials revealed that researchers at the Idaho National Laboratory had managed to destroy a small electrical generator through a simulated cyberattack. A few weeks ago, CNN aired a gloom-and-doom segment featuring snips from the once-classified video showing the device going up in smoke.
Although the prospect of that sort of incident causing massive disruption to the U.S. electrical grid has been around for years, the success of the experimental hack is drawing new calls from Congress for tougher federal security standards on the computer systems that control the nation's power systems.
"I'll be blunt--if this administration doesn't recognize and prioritize these problems soon, the future isn't going to be pretty," said Rep. Jim Langevin (D-R.I.), chairman of a House of Representatives cybersecurity panel that convened a hearing here on the topic Wednesday afternoon.
It's widely agreed that the threats to so-called "control" systems--sometimes known by the acronym SCADA, short for "Supervisory Control And Data Acquisition"--have grown in recent years. That's because more and more of them are being hooked up to "open" networks, including corporate intranets and the Internet, in an effort by their owners and operators to improve efficiency and lower costs.
But there was never much focus on the idea of building security features into those systems when they were first created, and that trend, unfortunately, continues today, said Joseph Weiss, a consultant and nuclear engineer who spent more than 30 years designing, implementing and analyzing control systems.
Feds: We're on it
Government regulators, for their part, say they are growing increasingly aware of those shortcomings and working valiantly to address the problem. Homeland Security's cybersecurity czar, Greg Garcia, told politicians Wednesday that his agency is handing out cybersecurity self-assessment guidelines to control systems operators, offering training to workers in that sphere, and distributing recommended "mitigations" against real-world attacks like the one simulated in Idaho. And right now, the Federal Energy Regulatory Commission (FERC), which is responsible for overseeing the reliability of the nation's power systems, is considering proposed rules that purport to strengthen cybersecurity standards for the nation's power systems.
That proposal, however, falls woefully short of offering sufficient protections, Langevin and his Democratic and Republican colleagues said in comments filed recently with FERC. One major problem: The proposed rules are written in such a way that they would not even require electric grid operators and owners to install comprehensive security measures on all critical pieces of their systems that, if compromised, could cause significant disruptions, they argued. Instead, they'd have some latitude to focus only on certain components and neglect others.
The politicians are urging FERC to incorporate some of the more comprehensive, stringent standards developed by the National Institute of Standards and Technology, which is considered home to the government's technical experts.
Weiss, the consultant, argued that the infamous blackout that pummeled the Northeast in August 2003 (and was reportedly linked to the so-called MSBlast worm) arguably wouldn't have been prevented by the proposed regulations, but the NIST rules are comprehensive enough to deal with that issue.
Some suggested that the rules may not be up to par because, as required by law, they were devised chiefly by a group called the North American Electric Reliability Corporation (NERC), which was long considered the trade association for the power industry and was recently given legal authority to propose regulations for federal regulators to approve. An entity with those potential conflicts of interest isn't necessarily well-positioned to come up with objective standards, and it's high time for Congress to create a more independent means of devising critically important cybersecurity rules, Weiss said.
Rep. Zoe Lofgren (D-Calif.) appeared sympathetic to that idea and suggested that Homeland Security's cybersecurity division should be granted more authority to help out. "I don't think the energy sector is necessarily the expert on cybersecurity," she said.
NERC Executive Vice President David Whiteley said his organization was open to revising the proposed rules, while Joseph McClelland, director of FERC's Office of Electric Reliability, acknowledged that further improvements should be made before the rules gain final approval.
Although the electric grid was the primary focus Wednesday, threats to the control systems that deal with myriad other types of utilities could also prove, how shall we say, messy.