New Bill Would Put DHS In Charge of 'Critical' Private Networks

GovTechGuy writes "A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure. Such firms include utilities, communications providers and financial institutions."

It feels like

[Rosco+P.+Coltrane]

a deaf man telling others how to sing. Maybe they should get their act together before giving lessons...

Re:What is the determination?

[LordLimecat]

That has absolutely nothing to do with whats being proposed, according to TFA. This is about setting network security requirements and enforcing them, not shutting down threats of any kind. Grats on not reading the summary tho.

Re:Not necessarily monoculture

[anegg]

I have been involved in government IT security for many years now as an employee of a government contractor often hired to perform various parts of the government security process. One of the biggest problems with the government security "standards" and "processes" in place now is that there is practically no cost feedback to the controls. The policies all say that the cost of the controls should be commensurate with the value of the system being protected, but many of the security "approvers" demand gold-plated security, and are often opposed to signing off on anything less. (Hey - you can't be held responsible for a security problem in a system you approved if you simply never approve any systems.) There are numerous government systems operating either "unauthorized" or under "temporary waivers" (for years and years) because the security folks wouldn't sign off the controls.

These problems are with the government policing the government. I can't imagine it would be any different when they are enforcing the standards on commercial companies. Although private enterprises can and do go underboard with security, government monitors are almost certain to go overboard. I have some (but limited) experience reviewing IT security for commercial entities (financial services firms, oil and gas firms, pharmaceuticals) and they often "get" most of what needs to be done... with a few lapses (like connecting SCADA networks to the regular corporate network, which is also connected to the Internet).

If the approach is to have a few *simple* rules (like networks over which critical infrastructure communicates must be isolated from corporate networks that are attached to the Internet), then I think some government oversight wouldn't be bad. But if the approach is to require private enterprise to demonstrate compliance with full-blown government IT security C&A with the government doing the certification, I would predict drastic increases in costs, without necessarily dramatically increasing actual security.