Dueling Cyber Security Bills

Posted by Sam Churchill on

Four U.S. senators have sounded a warning on cybersecurity, reports CNET. In February, Sens. John D. Rockefeller IV (D-W.Va.), Joe Lieberman (I-Conn.), Susan Collins (R-Maine), and Dianne Feinstein (D-Calif.) jointly sponsored the Cybersecurity Act of 2012, a bill that has been in the works for more than three years.

Increasing reports of hacking risks and flaws in software used in systems controlling critical infrastructure lend a sense of urgency to the cause.

Every day, rival nations, criminal syndicates and maybe even terrorists probe for weaknesses in our most critical computer networks, seeking to steal data, money, and identities. Even more dangerous is their potential to plant malicious code in industrial control systems that would allow them to seize control of a region’s electric grid, crash stock markets, or contaminate water supply with the touch of a key from a world away.

Last Sunday, 60 Minutes ran an interview with Michael Hayden, former chief of the NSA and CIA, on the Stuxnet virus. Hayden has publicly called for legislators to harness the power of the NSA in fighting cyberattacks, saying the NSA has the ability to fight the war and now needs the authorization to unleash it.

To counter these threats, the Senators have introduced the bipartisan Cybersecurity Act of 2012 (PDF). Their bill has several key provisions.

It ensures that the systems that control our most critical infrastructure are secured. These are the systems that if breached or manipulated could reasonably lead to mass casualties, evacuations of major population centers, the collapse of financial markets, or degradation of our national security. A competing bill recently introduced in the Senate contains no provisions whatsoever to protect critical infrastructure. That is a major omission.

A controversial part of the bill calls on private companies that run critical infrastructure operations to prove to the government that they have taken steps to safeguard against attack.

After identifying these precise systems, the Department of Homeland Security would then work with private-sector owners of these vital systems to develop cybersecurity performance requirements based on risk assessments of those particular industries. Covered entities must meet these performance requirements for specific systems and assets, not for their entire company.

But a group of Republican senators led by John McCain of Arizona last week introduced similar legislation without designating a lead government agency to take the helm on the issue. They argued that the Lieberman-Collins legislation puts too much power in the hands of DHS. They introduced the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT). “Instead of the heavy hand of the government, our approach promotes information sharing and keeps the taxpayers’ wallets close,” said Senator Grassley.

Industry opposition to regulation provisions has held up cybersecurity legislation. Meanwhile, a controversial “kill switch” provision, which critics said could lead to a government-mandated Internet shutdown, was removed a year ago.

In other news, PCMag says they have long relied on test results from AV-Test.org and others to help identify the best PC antivirus products. AV-Test.org now includes the Android antivirus market, with over 40 products tested.

The very best products detected over 90 percent of the threats. This group included two products not associated with PC-based antivirus vendors, Lookout Security & Antivirus and Zoner Antivirus Free. The other top-scoring apps were avast! Mobile Security, Dr.Web anti-virus Light, F-Secure Mobile Security, IKARUS mobile.security LITE, and Kaspersky Mobile Security (Lite).

The AV-Test report concludes (pdf):

Even if Google now checks all apps on its Android Market, you should consider installing a security app, because nowadays the malware authors are able to load their malicious code after a seemingly clean app has been installed. Regarding the detection rates, you can trustfully choose from at least 17 products to protect your Android device. What you should also have in mind when choosing your mobile security app are additional functions such as backup and anti-theft protection (e.g. find your lost device or wipe all data remotely). To keep your device free of malware even without a security app, you should install apps only from trusted sources, like the Google Android Market or the Amazon Appstore for Android.

Posted by Sam Churchill on Tuesday, March 6th, 2012 at 7:24 am.
