Orwell Must Be Smiling as Government Takes on Cybersecurity

This blog is one in a series of blog postings regarding a review of legislation currently before the US Congress. It should be noted that there is a rewrite of the bill; however, as of this writing, that version is not posted on either the Library of Congress or the Government Printing Office websites.

Mention George Orwell and/or the book “1984” and immediately terms like “Big Brother”, “invasive surveillance”, “totalitarianism” and others come to mind. It would seem that parts of the Cybersecurity Act of 2009 would inch us closer to this becoming a reality.

Section 5 of this Act states that “the Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards.” These Centers will be comprised of non-profit institutions/organizations or a consortium of said entities. The purpose of these centers will be to enhance the cybersecurity of small- and medium-sized businesses in the United States through (as outlined in (b)(2) of this section) the participation of individuals from industry, universities, state government, other Federal agencies, and, when appropriate, the Institute in cooperative technology transfer activities. As encompassing as that sounds, with the Government providing much of the funding, the implied power rests with the Department of Commerce.

Section 5, Part (c) – Activities states that these centers will disseminate/transfer cybersecurity technologies, standards, and best practices based on research by NIST to small- and medium-sized companies. Paragraph 3 of this section calls for the government to “make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees.”

Without more details, this raises several questions for me:

(1) Is the Government going to determine which is the best technology and/or device in the marketplace and force these on small/medium organizations? Even if the government maintains a list of technologies/devices it could be a disaster for security vendors not “approved” by the government.

(2) Loaning out cybersecurity countermeasures is one thing, but what about the expertise to install and/or implement them in the client network? Generally speaking, most organizations of under 100 employees do not have security experts on staff (as a primary function), and thus they will need help putting the countermeasures in place. Along with the countermeasure itself (which may have already been purchased by the Department of Commerce or the Regional Center), installation/implementation costs money. Is the government going to “loan” out the security expertise as well as the countermeasures, and if so, will these experts be from the public or private communities?

(3) If I am a small/medium business with fewer than 100 employees, it is tempting to ponder whether I would ever buy such countermeasures. If we can get one for free, then why purchase? Without more details on the limits of the loan period – if any – this seems a reasonable discussion to have.

(4) What if the small/medium business does not want to subscribe to the NIST standards? Will they then be excluded from obtaining these advanced countermeasures?

This sounds like, although I could be wrong, a Big Brother approach to cybersecurity. The Government (Department of Commerce) is going to establish Regional Centers to disseminate (require?) standards developed by NIST down to small/medium businesses.

Now, all notions of “1984” aside, I do think that small/medium businesses need some sort of help with security. Many studies and articles have shown that they are as much of a target as larger organizations, if not more so. And let’s be honest – cybersecurity is not cheap; whether done in-house or outsourced, it still costs money. And I can imagine that the “advanced cybersecurity countermeasures” mentioned in the Act are probably outside the budgets of small/medium businesses.

I also admire, and praise, the hard work that the fine folks at NIST have done (and continue to do). I have used many of their security publications in the course of my work. The same admiration goes out to the list of entities that will make up these consortiums. Basically, a lot of people from lots of industries, including government, are working hard to make our assets more secure.

However, I don’t know that, certain regulated industries aside, the government should be forcing small/medium businesses to adopt its security standards or else. Given the broad powers to monitor data traffic (albeit under certain supposed circumstances), whether users of these centers will be opening up their networks to more monitoring is an open question, but that will be another blog entry.