Tuesday, April 26, 2011

Where is the "public" in the Cyber Security Public Awareness Act?

 

Last week, Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) introduced the Cyber Security Public Awareness Act of 2011 (S. 813). Senator Whitehouse explained the need for the bill:


"[W]e as a nation remain frighteningly unaware of the risks that cyber attacks pose to our economy, our national security and our privacy." This problem is caused largely by the fact that cyber threat information is normally classified if collected by the government, or held as proprietary if collected by the company that was attacked. "As a result, Americans have no corresponding sense of the dangers they face as individual Internet users, the damage being done to our companies and the jobs they create, or the scale of the attacks by foreign agents against American interests."


To address this problem, the proposed legislation would require the Department of Homeland Security and the Department of Defense to present to Congress each year statistics on the number of cyber attacks against computers in the .gov and .mil domains, along with the estimated cost of those attacks. The legislation also calls for annual reports from the Department of Justice and the FBI on the number of Internet crime investigations, prosecutions and convictions. Finally, it calls for reports on cyber vulnerabilities and proposed responses from the regulators of critical infrastructure, such as the financial industry regulatory authorities.


I have written in detail in the past about the poor quality of public policy discourse on cybersecurity in the United States. Three issues were of particular concern: 1) the lack of clear definitions of key terms and problems, 2) the inconsistent application and quality of the evidence behind claims of serious cyber threats, and 3) the lack of transparency by government and industry. So, while I appreciate the Senators' attempt at transparency, I am convinced that greater transparency is not really achievable without also addressing the first two concerns, which the proposed legislation does not do.


First, important terms are left unspecified. The bill calls for DHS and DOD to report to Congress on cyber "penetrations," "violations," "incidents" and "sabotage." But it is not entirely clear what these terms (and others) actually mean. Each reporting agency could define them differently, making reports harder to compare across agencies. This makes it difficult to obtain the kind of overarching view of the threats that the Senators (correctly) claim is urgently needed.


Second, the annual time frame of the reporting requirements will exacerbate this problem. Most reports would be made only once a year, to Congress. But in the arena of rapidly developing cyber threats, this timeline is too long. While summary annual or quarterly reports should be required, more frequent, close to real-time reports available on the Web should also be required.


Third, Web availability raises the question of to what extent the reports commissioned by this legislation would actually be used to increase public awareness. All of them are reports to Congress, not directly to the public. If the target is the "public," then there should be a mechanism for delivering this information directly to the public in a way that is understandable and useful. In short, when the concern is raising awareness of fast-moving cyber threats at a time when "open government" should be a priority, annual written reports to Congress with no publicly available Web component are inadequate.


Fourth, the report generation that is meant to raise public awareness would precede or run concurrently with the effort to assess "barriers to public awareness" (Sec. 10). This poses two problems. One is that there is no mechanism in the legislation for the results of that assessment to shape future public awareness campaigns. The other is that there is no mandate to assess what the public currently does and does not know about cybersecurity. Ideally, current public awareness would first be examined and a plan developed to overcome the barriers and address the gaps in awareness. At a minimum, there should be a mechanism by which the reporting requirements can be changed on the basis of the results of an assessment of public awareness and related barriers.


Fifth, in every case the reporting requirements include the template language "A classified annex may be required." While it is understandable that some information must remain classified to protect sources and methods, proprietary or confidential business information, and national security, it is unclear how this legislation would counter the well-known tendency toward over-classification, which is a major cause of poor public awareness of cyber threats in the first place.


Finally, a further contributor to poor public awareness (and therefore to poor public discourse on cybersecurity) is the way in which evidence is (or is not) provided to support claims about cyber threats and vulnerabilities. Too many claims are not supported with sufficient evidence (see my previous posts linked above). The proposed legislation does not deal with this problem. For example, it calls for DHS and DOD to report the "estimated cost of remediating breaches." But how are Congress and the public to be sure of the accuracy of these estimates, or of the data and methods used to calculate them? Add in the lack of common definitions, and there is a very real possibility that these reports, instead of increasing meaningful awareness, serve only as an additional vehicle for agencies to pad their own budget requests.


In conclusion, while the spirit of the Senators' legislation is to be applauded, it is not clear that it would actually solve the problem it seeks to address. What's more, if the problems of definitions, over-classification and questionable use of evidence are not sufficiently taken into account, the legislation could in fact serve to undermine public awareness rather than improve it.
