Wow, just when you thought big government was someone else's problem

This comes from Lauren Weinstein's list and it's worth a read.
It's a bill introduced into legislation, who knows where and when
and if it will become law but, wow.

http://lauren.vortex.com/Cyber-S-2009.pdf

I'll just give you a teaser:

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
(a) IN GENERAL.—Within 3 years after the date of
enactment of this Act, the Assistant Secretary of Commerce
for Communications and Information shall develop
a strategy to implement a secure domain name addressing
system. The Assistant Secretary shall publish notice of the
system requirements in the Federal Register together with
an implementation schedule for Federal agencies and
information systems or networks designated by the President,
or the President's designee, as critical infrastructure
information systems or networks.

Other pearls of wisdom: the government will license all "cyber" security
folks and you don't work on government or "any network deemed by
the president to be critical infrastructure" without one.

If only we knew: to achieve a secure DNS all you need to do is
publish a notice in the Federal Register.

jy

This comes from Lauren Weinstein's list and it's worth a read.
It's a bill introduced into legislation, who knows where and when
and if it will become law but, wow.

http://lauren.vortex.com/Cyber-S-2009.pdf

Relying on Lauren to hear about cybersecurity related news is like
relying on Fox News for an accurate picture of what Obama is doing.
Ignore.

I'll just give you a teaser:

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.

There's more than enough government supported work going on that
promotes DNSSEC, in case you're not aware?

Other pearls of wisdom: the government will license all "cyber" security
folks and you don't work on government or "any network deemed by
the president to be critical infrastructure" without one.

Do you by any chance get to go work on sensitive government networks
without, say, a security clearance?

--srs

Read it again. It says all government networks and any network the president deems vital; I'd have to assume that would at least be all of the major backbones.

What's the point of picking on the source of the information? Sure his list is moderated and a bit self-serving, that's why you read from the source.

And yes, I am aware of a number of activities inside the Fed Gov around secure DNS. While I applaud them for making a first step, an effective total effort will not come via government procurement. Or aren't you aware?

jy

Suresh Ramasubramanian wrote:

This comes from Lauren Weinstein's list and it's worth a read.
It's a bill introduced into legislation, who knows where and when
and if it will become law but, wow.

http://lauren.vortex.com/Cyber-S-2009.pdf

Relying on Lauren to hear about cybersecurity related news is like
relying on Fox News for an accurate picture of what Obama is doing.
Ignore.

Personally, I always read press releases from the White House and take that as absolute fact. You can't trust people to give you accurate information if they aren't completely subservient to the agenda.

Deeming something vital / critical has a whole lot of extra baggage
attached to it. Check out for example the OECD surveys on critical
information infrastructure.

a. http://www.oecd.org/dataoecd/49/28/40839436.pdf - OECD Seoul Declaration
for the Future of the Internet Economy,

b. http://www.oecd.org/dataoecd/25/10/40761118.pdf - comparative study of
CIIP in OECD economies (Australia, Canada, Korea, Japan, The Netherlands,
the United Kingdom and the United States)

--srs

* Jeff Young:

If only we knew: to achieve a secure DNS all you need to do is
publish a notice in the Federal Register.

In the end, this is how we got many of our (non-public-key)
cryptographic algorithms, and people seem to be quite happy about
them.

I suggest that we wait until the actual text of S.778 actually shows up at http://thomas.loc.gov before reacting to hyperbolic analysis of drafts not actually assigned to the Committee on Homeland Security and Governmental Affairs. Although I am concerned with what has been attributed to this bill, not all drafts seem to contain the worst text. Once the Committee takes up the bill, the most effective way to fix or kill it is for the constituents of the members of that Committee to call or write them:
http://hsgac.senate.gov/public/index.cfm?Fuseaction=About.Membership

John

Wrong bill. You want S.773, not S.778. There were two bills introduced
concerning cyber security. The one that has everybody talking is S.773.
S.778 concerns the creation of the Office of National Cybersecurity Advisor
within the Executive Office of the President.

S.773
Title: A bill to ensure the continued free flow of commerce within the
United States and with its global trading partners through secure cyber
communications, to provide for the continued development and exploitation of
the Internet and intranet communications for such purposes, to provide for
the development of a cadre of information technology specialists to improve
and maintain effective cybersecurity defenses against disruption, and for
other purposes.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009)
Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read
twice and referred to the Committee on Commerce, Science, and
Transportation.

S.778
Title: A bill to establish, within the Executive Office of the President,
the Office of National Cybersecurity Advisor.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009)
Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read
twice and referred to the Committee on Homeland Security and Governmental
Affairs.

Marc

What the draft actually says:

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

(a) IN GENERAL. - Within 1 year after the date of enactment of this Act, the
Secretary of Commerce shall develop or coordinate and integrate a national
licensing, certification, and periodic recertification program for
cybersecurity professionals.

(b) MANDATORY LICENSING. - Beginning 3 years after the date of enactment of
this Act, it shall be unlawful for any individual to engage in business in the
United States, or to be employed in the United States, as a provider of
cybersecurity services to any Federal agency or an information system or
network designated by the President, or the President's designee, as a critical
infrastructure information system or network, who is not licensed and certified
under the program.

A few thoughts:

1) Somebody's going to make a mint of money doing certification testing.

2) Somebody's network is going to be left flapping in the breeze because
their provider didn't get certified in time.

3) It's interesting that "providers of cybersecurity services" have to be
licensed, although others who do security-relevant work on the system/net don't
have to be - nor do they define what a "provider of cybersecurity services" is.

So - quick show of hands: If you have a net that this applies to, do you know
which of your engineers do/don't need a cert? :wink:

Maybe. There was enough scary stuff in a draft of S.778, and its title in some of the worry on the Web that both probably need to be watched. Having one bill referred to Commerce... and one to Homeland Security ... does entail a two-front war.

John

Seems like they're following up on Department of Defense Directive 8570.01, whereas all Information Assurance personnel (that being defined as anyone with privileged access) are required to be certified.

Full policy manual is here.
http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

Sort of what I was worried about - "Providers of cybersecurity services" and
"has privileged access" aren't exactly the same thing.