Meaningful regulatory approach promised WASHINGTON – The chairman of a U.S. Congress subcommittee dealing with cybersecurity promised legislation late this year that will affect how private businesses secure their pieces of cyberspace, but he didn’t disclose the details about what he has in mind.The cybersecurity legislation will be “meaningful regulatory approach to securing private-sector critical infrastructure” but, because many members of Congress don’t seem to recognize the potential threat of cyber attacks, it will not be as wide-ranging as the Sarbanes-Oxley Act of 2002, which governs accounting procedures at public companies, said Representative Adam Putnam, chairman of the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.“There are a couple of areas where I believe the subcommittee will be drafting bills towards the end of this year that would impact the private sector,” said Putnam, speaking at an e-government and cybersecurity event in Washington, D.C., Thursday. “We hope to begin that process before a major catastrophe. We would like to be on the front side of that.” Right now, it’s difficult to say what that cybersecurity legislation will look like, added Putnam, a Florida Republican.Putnam’s comments came in response to a question from Daniel Burton, vice president of government affairs for security vendor Entrust Technologies Inc. Burton cited Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as examples of a “creeping aggregation of regulations.”Congress shouldn’t take a “knee-jerk, let’s legislate” approach to cybersecurity, Putnam answered, but many people in Congress and in the general public don’t realize how many pieces of the U.S. critical infrastructure are controlled through networked technology. He used the example of flood-control gates on the Mississippi River or the power grids that serve stock markets. After a disaster, Congress’ response “is not the most well thought-out,” Putnam added. “We want to put something out there that makes sense, that’s balanced, that accomplishes the same goals, without it being this headlong rush to prove that we’re doing something for our constituents because we were asleep at the switch when there was this digital Pearl Harbor.”After Putnam’s speech, Burton said it sounds like Putnam’s subcommittee will bring clarity to regulations on businesses. “Regulations are already here; people are just trying to understand what they mean,” he said.Congress has made good progress in educating itself on cybersecurity, added Tim Hoechst, senior vice president for technology at Oracle, and Putnam’s comments seem to indicate that Congress is planning to take a next step toward mandated guidelines about cybersecurity. “It sounds like we’re getting beyond the just-talking-about-it stage, and that makes me happy,” Hoechst said in an interview. “But it could go in a million different directions.”Putnam also said his subcommittee will look at whether U.S. government agencies other than the Department of Defense should require the software they use to meet security standards under the International Common Criteria for Information Technology Security. The Defense Department, in a policy from January 2000, requires commercial software used in national security-related functions be certified in the Common Criteria or an alternative certification from the National Institute of Standards and Technology.“We’re taking a pretty serious look at whether that requirement should be expanded government-wide,” he said. “The certification process, the length of time that takes, how burdensome that is or is not, and the costs involved — those are all factors in our decision. But having a standard template to work with is an important thing.” Because of the cost and time taken up by achieving the Common Criteria, vendors selling non-certified software currently have an advantage over those that seek the standard, said Oracle’s Hoechst, who was encouraged by Putnam’s remarks.“The thing we find interesting now is there aren’t too many agencies left in government that aren’t related to national security,” Hoechst added. “We hope the government uses its buying power to encourage others to buy software meeting those standards as well.”Putnam criticized the efforts of government agencies to pump up cybersecurity, saying the problems aren’t related to technology but rather to personnel and workplace culture. Fourteen of 24 government agencies received failing grades in a cybersecurity report card issued by Congress in late 2002, he noted, and another seven agencies scored D+ or lower. Putnam also placed some blame with his colleagues in Congress. “Frankly, I’m finding a lack of attention and a lack of understanding by the Congress and the (Bush) administration as to the serious nature of the threat,” he said. “It’s not nearly as sexy, or as engaging, or as interesting as the threats that are posed by terrorists boarding aircraft, or terrorists threats to the Brooklyn Bridge … or to Disney World, and so the cyber threat has taken a back seat to the physical threat. I think that is a dangerously lopsided approach to homeland security.”While Putnam ripped the U.S. government’s cybersecurity efforts, Mark Forman, administrator of the Office of Electronic Government at the White House Office of Management and Budget (OMB), defended the Bush administration’s direction. Government agencies have a lot more work to do in cybersecurity, Forman said, but they are making progress.Agencies must conduct yearly security assessments, with an independent audit, and OMB conducts quarterly e-government reviews of government agencies, and those reviews include security as one of five criteria, he said in a speech at the event. Agencies are rated on a scale from green to red, and President Bush questions agency heads when their ratings fall, Forman said.“For some strange reason, when the (agency) secretaries see their scores next to each other, and they see who’s red and who’s green, red is not a very good place to be,” Forman said. “When the president asks, ‘Mr. Secretary, why are you not making progress in these three areas,’ when everybody else has, it’s not a very good place for a secretary. There’s recognition of the importance of cybersecurity at the secretary level, all the way up to the president.”The forum on cybersecurity and e-government, titled “E-government: Securing the Information Infrastructure,” was hosted by the Business Software Alliance and the Center for Strategic International Studies. Attendees included members of Congress and their staffs, federal officials, and industry executives. Security