Guest Commentary: Matt Olney on Lieberman cybersecurity bill


Guest post by Matt Olney
There is little in our world today that is as poorly managed, rapidly changing and outright dangerous as "cyberspace."

So the "Protecting Cyberspace as a National Asset Act of 2010" (.pdf) proposed legislation from Senate Homeland Security and Governmental Affairs Committee members Joe Lieberman, Susan Collins and Thomas Carper provides a necessary rework of federal management of cybersecurity issues. There are a lot of things in the bill that I think are necessary.  

Then there's the section that should be killed by fire for essentially handing over to the executive branch complete control over the nation's critical infrastructure.

Let's start with the good points of the bill first, such as creation of an Office of Cyberspace Policy within the executive office of the president. Having a White House apparatus to manage these issues, from a strategic point of view, is important. The office would be tasked with creating a "national strategy to increase the security and resiliency of cyberspace."

The director of cyberspace policy would be tasked with, to paraphrase, overseeing all policies and activities of the federal government across "all instruments of national power" to ensure the security and resiliency of cyberspace. The bill cites diplomatic, economic, military, intelligence, law enforcement and homeland security activities and also calls for the management of

                    offensive activities, defensive activities and other policies and activities necessary to ensure effective capabilities to operate in cyberspace.

So while it is organized for "protecting cyberspace," the options available to ensure cyberspace is available would be, well, everything--including utilizing the National Security Agency and Defense Department Cyber Command's offensive capabilities to keep the peace.

The bill would also create a National Center for Cybersecurity and Communications within the Homeland Security Department. This is where a lot of the good work of this bill happens. The most important duty of the NCCC, in my opinion, would be

                    sharing and integrating classified and unclassified information, including information relating to threats, vulnerabilities, traffic, trends, incidents and other anomalous activities.

The communication thing is critically important. This game is hard enough without having as much information as possible on which to base a defensive posture, and when the private sector runs 80 percent of the Internet's American critical infrastructure, it shouldn't be so difficult to get actionable information out of the government.

This determination to improve communication comes into play again in the section defining the responsibilities of the US CERT. The information isn't limited to domestic sources either, with the bill specifically calling for the secretary of defense, the director of national intelligence, the secretary of state and the attorney general to develop

                    information sharing pilot programs with international partners of the United States.

But government communication comes with some strings attached. Those private sector entities deemed to be "covered critical infrastructure" would be required to report any cybersecurity issue that might indicate an actual or potential cyber vulnerability or exploitation of a cyber vulnerability. And the DHS would get to decide the procedures to enable that reporting. So if you're a critical infrastructure operator, you no doubt get a little uncomfortable here, no matter how many disclaimers about the protection of information are placed into the bill.

Then there are sections 248 to 250, in which DHS would be granted near unlimited authority to deliver requirements to critical infrastructure providers on handling security threats.

DHS would be able to deliver a mandate that a certain security issue be addressed, and a set of mitigations to be used. Now, in an exceptionally rare, well thought out approach to this mandate (and a shout out to Richard Clarke and the open-ended mandate crowd), the bill allows DHS to accept alternate mitigations provided by the operator, if the DHS determines they are adequate.

My inner libertarian gets pretty spooked when it comes to this kind of thing. However, market forces seem to push companies into doing the wrong thing when it comes to security. Since self-regulation appears not to work, maybe this is the answer.

Now here comes the section that drives everyone nuts (you know, the kill-it-with-fire part), Section 249, "National Cyber Emergencies."

In short, the bill would give DHS the authority, when the President declares a cyber emergency, to

                    develop and coordinate emergency measures or actions necessary to preserve the reliable operation and mitigate or remediate the consequences.

What this means is that during a "cyber emergency," DHS would be able to do anything it feels necessary to the critical infrastructure systems of the United States and could mobilize the entirety of the federal government, provided that DHS does not

                    supersede the authority of the Secretary of Defense, the Attorney General or the Director of National Intelligence in responding to a national cyber emergency.

Yeah, this is a good time to panic. I think we've amply demonstrated over the last decade that even when a president is restricted by law his actions can be...aggressive.

It doesn't matter that there are hoops to jump through, the authority and the broad power that this bill allows for is simply unacceptable. As a country we've absolutely avoided holding any high-level political figure accountable for his or her actions (did you just say Scooter Libby? Get real...) as they relate to violations on the restriction of powers. We just don't do it.

Also, I've never had a great deal of respect for anyone that comes to me in a panic about some issue when they've failed to do the things already in their power to address it themselves. There is regulatory power already vested in a number of government entities, and they have failed to exercise that power to mandate even the most basic of security practices (like not putting our power grid on the Internet). The list of critical infrastructure that relies on the Internet is simply unforgivable. If it's critical, get the damn thing off the Espionage Super-Highway. What I'm saying here is: don't say you need broad, unmitigated power to manage a situation because it is so horrible when you have failed utterly to mitigate and reduce the chance that that situation will actually come to fruition.

This clause is glass-house based rock throwing. When the federal government demonstrates that it can protect itself from a cyber attack, when it can stop the terabytes of data flooding out from government and defense contractors, when it can show that this issue is so important that they are willing to deliver regulation now to these critically important organizations, when it has done everything it can to ensure that this power will never need to be used--well, then, and only then, is it appropriate to allow for passage of this section. Earn it, Senator Lieberman. Show me that the federal government is willing to do more than just panic after the fact.  

So here's the deal, Mr. Lieberman. You're on the right track if you concentrate on the following:

  • Ensure open communications channels between the private sector and the federal government.
  • Ensure an aggressive declassification (within the limits of law and protecting sources, etc.) of threat information so that the private sector can be notified so they can modify their defensive posture.
  • Build a coordination center that targets not just federal to private sector communication, but communications within an industry vertical with the ability to bring in both offensive and defensive experts to assist in mitigations.
  • Provide an avenue for technical assistance to critical infrastructure organizations so that even organizations without a mature security posture can react in an agile manner to threats. If market forces don't move critical infrastructure operators to do right, then fix it.
  • Prove that you are willing to take the steps necessary to prevent incidents of this magnitude prior to them happening. We cannot simply hand over the infrastructure to the Federal government.

Good luck, Joe...unfortunately, you're going to need it.

Matt Olney is a senior research engineer at Sourcefire, a Columbia, Md.-based cybersecurity company. Olney has 15 years of information systems experience, with extensive experience in both high-availability network engineering and network-based security forensics and enforcement.

Read FierceGovernmentIT's coverage on the Lieberman cybersecurity bill:
Lieberman says Internet cyber attack response crippled by liability woes
Lieberman wants to give federal government power over Internet cybersecurity