Senator Pushes for Stronger Cybersecurity

Two proposed bills would increase security on government computers and train more security specialists.

Sam Costello, IDG News Service

Citing the Code Red worm and an attack on U.S. Department of Defense computers, Senator John Edwards (D-North Carolina) Monday introduced two new cybersecurity bills seeking to increase both government computer security and general education in the field.

If passed, the Cybersecurity Preparedness Act of 2002 would establish a nonprofit consortium of academic and private sector computer security experts who would create and help spread a set of "best practices" that could be used to enhance cybersecurity. The bill would require that set of best practices first be applied to government computers.

Under the measure, a study would be undertaken to determine how to obtain acceptance of those best practices in the private sector. One possibility in the proposed legislation requires federal grantees and contractors who accept government funding to use those best practices.

Time for Training

The second bill, the Cybersecurity Research and Education Act of 2002, aims to train more specialists in computer security. The bill would fund new Information Assurance Fellowships designed to attract doctoral students to cybersecurity, as well as creating a Distinguished Faculty Sabbatical Program allowing top researchers to visit other research facilities and work on new projects. The bill would also create an online university for cybersecurity training.

The Cybersecurity Preparedness Act is "different from any other law I've seen because it makes explicit the single most difficult task--figuring out what makes systems safe," says Alan Paller, director of systems administration at the SANS Institute, an organization for systems administrators.

Part of figuring this out, Paller says, will be testing the best practices recommendations, something he says the bill requires. Other best practices lists exist, but "people don't implement [the lists] because [they] break things," or cause problems, he says. Since the list will be tested to see if it causes problems, that will be another step that systems administrators won't have to worry about, he adds.

This legislation "takes the fear out" of implementing a best practices list, he says.

Money Talks

The research and education bill is also important, he says, because there aren't enough people being educated in the field, as it is seen as boring by many. Adding financial backing to cybersecurity studies will likely make people take notice, he says.

"The way you make something not pedestrian is to put money behind it," he says.

Though he thinks there is enough in the first bill "to get 70 percent to 80 percent of what we want done" regarding cybersecurity, the measure is not perfect.

Although it requires testing the best practices list, it does not require the adoption of the practices outside of government computers. This discrepancy is "the long-term problem" with the proposed legislation, Paller says.

Despite this problem, Paller expects that having such a law in place would help create more secure software. Because government agencies will be able to require that vendors they do business with comply with the best practices in their products, the level of security in many software products will likely rise, leading to greater overall security, he says.
