Cisco/IBM/Oracle letter re S.3480 06.24.10

June 24, 2010: Letter from Cisco/IBM/Oracle to Lieberman/Collins/Carper re the Protecting Cyberspace as a National Asset Act, S. 3480
June 24, 2010

Senator Joseph I. Lieberman, Chairman
Committee on Homeland Security and Governmental Affairs
340 Dirksen Senate Office Building
Washington, D.C. 20510

Senator Susan M. Collins, Ranking Member
Committee on Homeland Security and Governmental Affairs
350 Dirksen Senate Office Building
Washington, D.C. 20510

Dear Senators Lieberman and Collins:

Securing our nation’s information infrastructure is not only important to the millions of users and businesses who depend on it for commerce, information and entertainment; it’s also a matter of vital national security. Like our government, the innovative companies who develop and deploy the information technology that comprises the Internet and private networks that are part of this critical infrastructure take this very seriously. Preventing malicious attacks and protecting the data on these networks requires constant vigilance and is demanded by our customers who manage the global financial system, the power grid, communications networks, healthcare systems, and our national defense.

S. 3480, the Lieberman-Collins-Carper Protecting Cyberspace as a National Asset Act, is intended to protect Federal systems and critical infrastructure from cyber attack. As such, it gives new resources and power to the Department of Homeland Security over government procurement and seeks to create a new regulatory, monitoring, response, and remediation role for the DHS for both government networks and private, commercial networks. While well intentioned, it ultimately puts U.S. critical infrastructure at increased risk by threatening the intellectual property of American companies that create the IT that operates the vast majority of U.S. government and private-sector critical networks and systems. The unintended result may be a weakening of the domestic software and hardware industry to an extent that could, ironically, leave the U.S. more dependent upon foreign suppliers for their critical IT systems.

Section 253.

Specifically, Section 253 mandates that the Secretary of Homeland Security (in consultation with “the Director of Cyberspace Policy, the Secretary of Commerce, the Secretary of State, the Director of National Intelligence, the Administrator of General Services, the Administrator for Federal Procurement Policy, agency CIOs, agency Chief Acquisition Officers, Chief Financial Officers and the private sector”) develop and implement a “supply chain risk management strategy” to protect Federal information infrastructure. This “strategy” would then be applied to the government’s procurement system and, in effect, regulate the information technology sector.

• All software and hardware companies who do business with the government, essentially the majority of the technology industry, would have to change their development processes, internal procedures, designs and products to comply with the “strategy.” This directly contradicts the President’s proclamation in May 2009 as part of his cybersecurity strategy: “So let me be very clear. My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.”

• All products purchased by the government would also have to meet standards approved by NIST – hampering the ability of the government to gain access to new technology that hasn’t yet been vetted by government regulators.

• This would set the barrier to entry for the government market at a prohibitive level for small businesses that would have to meet new requirements to adhere to the new regulations.

• Although the bill appears to exempt the DoD and national security systems from its requirements, as a practical matter it does not, because technology products are developed through a single development process and sold globally.

• The new unbounded, government-wide procurement and testing requirements instituted by DHS would undermine international standards, including the accepted U.S. and international standard, the output-based Common Criteria (“CC”), which is intended to provide product assurance globally, prevent the balkanization of technology, and prevent foreign governments from demanding access to sensitive, proprietary technical information. The CC is already used to certify products for use in U.S. national security systems, and creating a whole new process – as Sec. 253 seems likely to do – both undermines the CC and sends a signal to other governments that non-standard, unbounded demands are acceptable. Access to this information by foreign governments could be used to create domestic competitors to U.S. firms or create other non-trivial security issues.

A better approach would be to require technology companies that do business with the Federal government to adhere to the Common Criteria where appropriate for product assurance (ensuring the product itself exhibits security), and, with regard to any specific unit of production, to adhere to an internationally accepted standard for ‘chain-of-custody’ supply chain requirements which are disclosed by the vendor and audited pursuant to international standards. Additionally, Common Criteria should be reviewed and improved upon, so as to remedy its weaknesses without losing its strengths. These programs would embrace current and incipient international standards for supply chain and software assurance. This would preserve innovation and diversity in the marketplace, protecting core intellectual property. Lastly, the expertise in this area does not currently reside in the DHS, the agency granted regulatory authority under the bill.

It’s also not clear whether giving significant new regulatory authority to the Department of Homeland Security is the right approach. In December the President appointed a new White House Cybersecurity Coordinator, Howard Schmidt. The Lieberman-Collins-Carper legislation appears to circumvent the Cybersecurity Coordinator’s authority before the office has been given an opportunity to succeed.

Section 242.

Another troubling provision in the bill as introduced is Section 242, which creates a “National Center for Cybersecurity and Communications” operated within DHS which would be required to “assist in the identification, remediation, and mitigation of vulnerabilities to the Federal information infrastructure and the national information infrastructure” including “dynamic, comprehensive, and continuous situational awareness of the security status of the national information infrastructure.” There is no existing authority for the Federal government to have “continuous situational awareness” of the security status of private networks, and this would be impossible to achieve without the deployment of government monitoring devices on private networks, which would also provide access to private personal and commercial data on those networks. Establishing this capability contravenes a commitment made by President Obama in his announcement of the appointment of a new White House Cybersecurity Coordinator: “Our pursuit of cybersecurity will not – I repeat, will not include – monitoring private sector networks or Internet traffic.”

Section 248(b).

Finally, under Section 248(b), the new DHS Cyber Director is mandated to issue regulations putting under Federal control the IT and network infrastructure of any private sector company or entity the Secretary deems important enough to be a “covered critical infrastructure” entity. This authority extends to any U.S. company determined by the Secretary to be critical, and the regulatory power is apparently unbounded.

We appreciate your attention to these important concerns and look forward to working with you to develop a more robust and secure information infrastructure.

Sincerely,

Cisco Systems, Inc.
IBM
Oracle Corporation