Monday, April 13, 2009

I am Feeling CERTIFIABLE

I admit that when I wrote my blog regarding what was, at the time, proposed cybersecurity legislation, I focused on the same areas that the mainstream press did. In the Cybersecurity Act of 2009, there was Presidential Plug Pulling, a new Advisory bureaucracy, funding for more security education in colleges, a call for standards, etc. But wait! There was more, and I really just breezed over it, until I stopped to think about it in practical terms, and I realized that the terms were not very practical. Within the legislation, there is Certification and Mandatory Licensing.

(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

This has got to be among the worst cybersecurity ideas I have ever heard of, somewhere between "Security by Obscurity" and "Just Trust the contractor to do the right thing."


This blithe call for licensing and certification in Senate Bill 773 speaks the language of the "Butter and Bombs", mainstream crowd, to whom the Senators are looking to communicate their sense for better security. It is a population that is unfamiliar with the deeply nested complexity and variety of issues that conspire to weaken cyber security. In speaking with some non-IT acquaintances about my discomfort, I could see the political logic for this language. "I need to get a license to drive, and that has got to be easier than this." "A plumber or electrician needs to be licensed, why shouldn't a security guy?" It sounds great, in the abstract, to be able to give the imprimatur to trained professionals, weeding out the posers, but the nature of security, and of IT, makes this a massive misperception.


Security is not a monolithic expertise. Most "security experts" tend to gravitate to a specific area of security, whether it is crypto, or penetration testing, application analysis, or architectures. There is PKI, anomaly detection, intrusion prevention, and more. I could probably whip together an excellent Dr. Seuss story about all of the different types of security, but that would further distract me from the point. Security has many disciplines, and it is impossible to find anyone who would be good enough at all of them to be certified as an expert generalist.


This means that the likely outcome of passage of this legislation would be both more complexity and cost, with less expertise and far fewer available resources. The realization would come quickly that there needed to be classes of certification, and various types of licenses or credentials. "Jack holds his MCSA (Masters Certification in Software Analysis), his MCSB (Masters Certification in Security Basics), his MCSC (Multi-user Computing Security Certification), his MCSD (Mandatory Cryptography Standards for Data), and on, and on, and on." It would then fall to the customer/acquirer to decide what they needed. If they were well-informed enough to do this, they would already be hiring people with the right expertise.


It is also hard to imagine that the licensing process would be limited to expertise. It strikes me that background history, drug and alcohol testing, and basic clearance kinds of information would also likely inform the divination of a qualified individual. In spite of the broad language and coverage of the prospective pool of customers constrained by this licensing (any organization the President's team views as critical to national infrastructure), I think that many of the most appropriate candidates for this type of work might well opt out.


As a last critique, I would refer you back to a May 2007 article on StorefrontBacktalk, by Evan Schuman, titled "PCI Efforts Crippled By Inconsistency, Conflicts". In it, along with other salient points, Evan describes the frustration and natural conflicts that occur with interpretation of a standard by experts who will naturally have a variety of biases, regardless of certification. In this case, the tests for PCI compliance are fairly well defined, but there is vastly uneven compliance interpretation, due to the expertise, the experience, and the inclination of the auditor. One cannot rely on a license held by an expert as a substitute for knowing what the organization, itself, should be doing.


The real problem that the Cybersecurity Act of 2009 should address is an overwhelming lack of detailed understanding, emphasis, and engagement with security in the contracting organizations, not a lack of expertise on the part of practitioners. Much of the weakness we see in the news arises because of incomplete requirements, incomplete testing, and fundamentally inadequate definition and assessment of the security of these systems. Instead of creating yet another unsustainable regulation that will bring more pain than benefit, direction should be given to enforce better requirements, acceptance testing, and performance criteria that are driven by security.


Cybersecurity does require action in 2009, as it has for many years. Effective legislation should focus on asserting the requirements for security, and the variable definitions for security, and integrating that knowledge with the tens of millions of machines, applications, databases, and users that rely on them every day.
