Cybersecurity Act of 2012 Puts Focus on the Shadow Wars

On February 14, 2012, a 205-page comprehensive new Cybersecurity Act of 2012 was introduced in the Senate to address the growing concerns about cyber-warfare, cybersecurity, and cyber-terrorism. The bipartisan Cybersecurity Act of 2012 is co-sponsored by Senators Joe Lieberman (I-Ct), Susan Collins (R-Maine), Jay Rockefeller (D-WV) and Dianne Feinstein (D-Cal) to address the potential gaps in the critical U.S. infrastructure. As defined in the USA Patriot Act,

[T]he term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The proposed law expands on the USA Patriot Act and existing presidential directives to provide sector-by-sector assessment, standards and regulations to improve these assets. Presently, the DHS provides utterly circular guidance on the existing directives. Hopefully, the new proposal will at least increase the awareness within these sectors for comprehensive security.

The proposed legislation defines “cyber risk” as “any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.” The information infrastructure is the privately owned communications systems located in the U.S., presumably including everything from telephones and cable to Facebook and Google.

Howard Waltzman suggests that a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:

  • The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
  • Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
  • Severe degradation of national security capabilities.

Ninety days following the passing of the legislation, a sector-by-sector review of the critical infrastructure will provide a prioritized list of the most at-risk systems.

There are significant exemptions in the law to protect private vendors (perhaps security software companies, search engine providers, and social media networks) so that particular products cannot be singled out. Similarly, there is a weak attempt to provide free speech protections to the system and to protect technologies based solely on their ability to be used in critical infrastructure.

The timing of the legislation is particularly interesting in light of the recent cyber attack in Israel by a Saudi Arabian hacker and retaliatory credit card hacking by an Israeli against the Saudi banks. Attacks against Google and US defense contractors allegedly by Chinese sponsored hackers raised similar concerns.

Moreover, a stealth war with Iran appears to be heating up, including the assassinations of government scientists and public officials, increased sponsorship of terrorism targeting soft targets, and heightened war rhetoric.

As with the SOPA and PROTECT IP Act, the critical issue will be keeping the focus on the primary risks rather than on political maneuvering by legislators to prove who is the toughest on the perceived threat. The costs for upgrading critical infrastructure will likely be immense; the complexity will be monumental; and the challenges significant. Where our nation is at risk, these steps must be taken. But the process must include some caution and common sense so that it is moderated and proportional to the outstanding threats.

Tweet all that you can tweet – U.S. Army Social Media Guide Updated

The U.S. Army recently released the second version of its Social Media guide. The revised Army guide sits alongside the previously released Navy Command Social Media Handbook providing a very useful summary of best practices for the adoption of social media for business (and even personal use). Both documents are hosted and available through Slideshare.

While the general public may not need the reminder about the Uniform Code of Military Justice, many sections are highly relevant to individuals and business organizations. Checklists for operations are helpful reminders. Admonitions to “mix it up,” to “balance ‘fun’ with ‘medicine,’” and to measure its impact are quite important.

Nearly as interesting is the discussion on branding. The Guide explains the brand behind “Staying Army Strong” and the various color and style guides. Again, most small businesses would be well advised to have such a clear statement of their brand strategy for their employees and the public.

A related website, the DoD Social Media Hub, provides a wealth of resources on education, training and laws related to social media, informatics, cyber defense and many of the various military policies. As with the social media guidelines, the other DoD policies provide excellent resources to begin developing a company’s own policies – as well as understanding what our government is engaging in at the moment. In particular, the Education & Training page plays host to many helpful resources. (For example, everyone should double check the NSA summary on protecting home networks.) The Web and Internet-based Capabilities (IbC) Policies page is another useful source.

And of course, as government-authored documents, all the materials actually created by the U.S. government are in the public domain. So use and reuse, and be all you can … you get it.