ACM Washington Update, Vol. 9.10 (October 31, 2005)
=============================================================
ACM Washington Update
Vol. 9.10
31 October 2005
=============================================================
CONTENTS
[1] Newsletter Highlights
[2] USACM Chair Warns Against Underfunding Cybersecurity Research
[3] USACM and Others Criticize DoD Export Proposal
[4] Data Security Legislation Moving Forward in Congress
[5] U.S. Passports to Get RFID Chips
[6] U.S. Resisting U.N. Pressure on Internet Governance
[7] Events in November
[8] About USACM
=============================================================
[1] NEWSLETTER HIGHLIGHTS
Below are highlights of the top stories for October; there's more
detail on each below, as well as on our weblog at
<http://www.acm.org/usacm>:
* USACM Chair Eugene Spafford, testifying before a House Armed
Services Committee hearing on cybersecurity issues, calls for more
cybersecurity research funding and for a new approach to DoD
cybersecurity, including less reliance on commercial-off-the-shelf
products.
* USACM says that a Department of Defense proposal to increase
restrictions on foreign researchers would burden research, unfairly
views foreign researchers as an automatic security risk, and doesn't
account for other equally restrictive government proposals.
* Two data security bills advance in committees in both chambers,
while senators strive to integrate the four major pending bills on the
subject into legislation that can be addressed before the Thanksgiving
break.
* The State Department announces its plans and timetable for
introducing RFID chip technology into U.S. passports.
* Several members of Congress voice their strong opposition to
granting the United Nations a larger role in Internet governance, an
area currently under U.S. (and ICANN) control.
=============================================================
[2] USACM CHAIR WARNS AGAINST UNDERFUNDING CYBERSECURITY RESEARCH
Last week the House Armed Services Committee convened a hearing
entitled "The Asymmetric and Unconventional Threats" to discuss issues
related to cybersecurity, information assurance, and information
superiority. Among the witnesses was Dr. Eugene Spafford -- USACM
Chair, Purdue University computer science professor, and director of
Purdue's Center for Education and Research in Information Assurance
and Security (CERIAS). Spafford was joined on the panel by David
Grawrock (Principal Engineer and Security Architect at Intel) and Paul
Kurtz (Executive Director of the Cyber Security Industry Alliance).
In his oral comments, Spafford stressed several points:
* The interconnectedness of systems today, meaning that a
vulnerability or attack in one system can lead to problems for other
systems;
* The fuzzy line now between civilian and military infrastructure
(e.g., many military bases rely on civilian power grids, civilian
networks, etc.);
* The danger in underfunding and shortening the horizon for
cybersecurity research; and
* The need for more well-trained cybersecurity professionals.
Spafford also discussed the danger he sees in continuing to patch and
upgrade existing software and systems, especially with respect to the
many pieces of commercial off the shelf (COTS) products employed by
DoD -- in his view this is an ineffective approach to cybersecurity.
Spafford urged a different approach involving a shift away from COTS
and away from systems and software with extraneous functionality -- an
approach that he admitted would be more expensive, but one that would
be best from a cybersecurity standpoint.
Spafford's written testimony is available here
http://acm.org/usacm/PDF/HASC.pdf
In addition, an audio archive of the hearing will be available shortly
from the committee's web site at
http://www.house.gov/hasc/schedules/
=============================================================
[3] USACM AND OTHERS CRITICIZE DOD EXPORT PROPOSAL
USACM, the Computing Research Association (CRA), and more than 100
other respondents recently filed comments with the Department of
Defense criticizing its proposed changes to the Defense Federal
Acquisition Regulation Supplement (DFARS). Among other things, the
proposal mandates that all DOD contracts include a clause requiring
contractors to
1. Create and maintain unique badges for foreign nationals and
foreign persons employed by the entity;
2. Build segregated work areas for these persons; and,
3. Prevent these individuals from gaining any access to
export-controlled technology without first obtaining a specific
license, authorization or exemption, even if these individuals may be
working under the longstanding fundamental research exemption.
USACM’s comments express its concern that the proposal, among other
things, would place a costly new burden on research, discriminate
against foreign researchers, and jeopardize the fundamental research
exemption that has long promoted an open and fertile research
environment.
USACM is also worried that DOD, in issuing this proposal, has not
given enough consideration to a similar advanced notice of proposed
rulemaking issued recently by the Department of Commerce’s Bureau of
Industry and Security (BIS). USACM and others were critical of BIS's
proposal, as well.
USACM’s full statement on the DOD proposal and other relevant items
mentioned here are available at
http://www.acm.org/usacm/weblog/index.php?p=320
CRA's official comments on the proposal are available at
http://www.cra.org/govaffairs/blog/archives/000421.html
=============================================================
[4] DATA SECURITY LEGISLATION MOVING FORWARD IN CONGRESS
Recently, we reported on the weblog that the Senate Judiciary
Committee -- a major player in the effort to enact federal data
security legislation -- approved Senator Jeff Sessions’ (R-AL)
legislation (S. 1326) intended to protect private electronic
information. Since that time, we've seen reports (e.g., in National
Journal) which suggest that key Senators will merge at least three
bills into one and try to pass the package before the Senate leaves
for Thanksgiving. Such an effort would require merging the products
and priorities of three different committees -- Judiciary, Senate
Commerce, and Senate Banking -- and then getting floor time.
The bills that would likely be merged are Senator Arlen Specter’s
legislation (S. 1332), Senator Sessions’ legislation, Senator Gordon
Smith’s (R-WA) legislation (S. 1408), and Senator Richard Shelby’s
(R-AL) legislation (S. 1461). A side-by-side comparison of these
bills is available here
http://www.acm.org/usacm/PDF/privacy_bills2.pdf
It is difficult to predict what parts will end up in the final bill.
Our sense would be some new regulatory structure for all businesses
modeled after the Gramm-Leach-Bliley Act, which partly governs the
financial industry’s use of private data, with much of the specific
detail left to the Federal Trade Commission to work out. It will
probably also include some data breach notification requirements and
increased protection of information in government’s hands.
Meanwhile in the House, the Energy and Commerce Committee is set this
week to mark up Rep. Cliff Stearns' "Data Accountability and Trust Act"
(H.R. 4127), which looks to be an updated version of the committee
discussion draft that circulated earlier this year. Among other
things, Stearns' bill calls for the creation of data security programs
for organizations (including special requirements for data brokers),
security breach notification, and preemption of similar state laws.
The bill would leave many of the details up to (and would be enforced
by) the Federal Trade Commission. Interestingly, this bill includes
an exemption from security breach notification for breaches involving
encrypted data and goes so far as to reference National Institute of
Standards and Technology (NIST) encryption standards. Complete
information about H.R. 4127 is available at
http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.4127:
Any comprehensive regulatory bill will almost certainly contain
provisions to preempt state law. Interestingly, the National Journal
story mentioned above notes that pressure on Congress to act isn’t
coming from the public clamoring for protection of their private
information; rather, it is coming from the business community who fear
having to comply with 50 different state laws. This improves the
chances for a new federal law, because while the onslaught of data
breach stories has slowed, the pressure inside the Beltway for
preemption of state laws from business groups isn’t likely to stop.
=============================================================
[5] U.S. PASSPORTS TO GET RFID CHIPS
The U.S. Department of State issued regulations recently regarding the
inclusion of radio frequency identification (RFID) computer chips in
U.S. passports. The new 64-kilobyte passive RFID chip will contain a
machine-readable version of such information as the passport holder's
name, nationality, gender, date and place of birth, and digitized
photograph.
The department made a number of changes to the plan following a public
comment period earlier this year which generated more than 2000 sets
of comments (only 1% of which were supportive of the plan as
published). The changes include the addition of "anti-skimming"
material (i.e., material that would prevent an attacker's gaining
access to an RFID chip's contents surreptitiously without the owner's
knowledge) in the front cover and spine of the electronic passport and
the implementation of Basic Access Control (BAC), which uses "a form
of Personal Identification Number (PIN) that must be physically read
in order to unlock the data on the chip."
Critics of the passport plan argue, among other things, that despite
the changes to the plan personal information contained on the chips is
still at risk from skimming. Some in the technical community are also
concerned about the security of the encryption keys used with BAC.
The new passports will start coming out at the end of this month and
the department is targeting October 2006 for all passports to be
electronic. The actual State Department rule is available online at
http://makeashorterlink.com/?X54825D0C
Also, for more perspective on the passports, see Declan McCullagh's
recent News.com article at
http://makeashorterlink.com/?H1BE2201C
=============================================================
[6] U.S. RESISTING U.N. PRESSURE ON INTERNET GOVERNANCE
Tension continues to mount between the United States and the United
Nations regarding the U.S. role in Internet governance in the
remaining days before a significant international gathering that is
expected to address the issue. As many readers will know, the U.S.
Department of Commerce has authority over the administration of the
Internet's basic structure (i.e., the domain name system or DNS)
through an agreement with ICANN, the Internet Corporation for Assigned
Names and Numbers. However, pressure has been building in recent
months within the U.N., the E.U., and several other countries for the
U.S. to relinquish its dominant role in the administration of the
Internet to a more international body within the U.N.
The U.S. government recently reasserted and reaffirmed its role in the
administration of the Internet and announced that it has no intention
to hand over that role. See
http://www.ntia.doc.gov/ntiahome/domainname/USDNSprinciples_06302005.htm
More recently, several members of Congress and two major U.S.
newspapers (i.e., the New York Times and the Wall Street Journal) have
made strong statements insisting that the U.S. not allow the U.N. to
assume a more prominent role in Internet control. Senator Norm
Coleman (R-Minn.), for example, introduced a resolution in the Senate
to "protect the U.S.’s historic role in overseeing the operations of
the Internet." More information about the resolution is available
from the senator's web page at
http://makeashorterlink.com/?E2C11211C
A similar resolution (H.Con.Res. 268) has also been introduced in the
House by Representatives Doolittle (R-Calif.), Goodlatte (R-Va.), and
Boucher (D-Va.); see
http://thomas.loc.gov/cgi-bin/query/z?c109:H.CON.RES.268:
In addition, the four co-chairs of the Congressional Internet Caucus
also recently sent President Bush a letter in support of the
administration's position on preserving the U.S. role in Internet
governance; see
http://netcaucus.org/events/2005/wsis/Letter-to-Bush.pdf
Clearly, given the level and range of support among U.S. policymakers
for maintaining the current U.S. role in Internet governance, major
changes in this area are unlikely anytime soon. In any event, the
issue is expected to be a matter of significant debate at next month's
U.N. World Summit on the Information Society (WSIS) in Tunis, Tunisia,
where, among other things, participants will address the report of the
Working Group on Internet Governance (WGIG), which we reported on in
August at
http://www.acm.org/usacm/weblog/index.php?p=305
The U.S. delegation to WSIS is being led by Ambassador David Gross,
who is planning to hold an Internet chat on November 2 to discuss WSIS
(see below for more information).
=============================================================
[7] EVENTS IN NOVEMBER
November 2: Internet chat with Ambassador David Gross regarding the
upcoming WSIS meeting.
http://usinfo.state.gov/eur/Archive/2005/Oct/25-499.html
November 3: House Energy and Commerce Committee markup of H.R. 4127,
the Data Accountability and Trust Act.
http://energycommerce.house.gov/108/Markups/11032005markup1696.htm
November 3: House Judiciary Subcommittee on Courts, the Internet, and
Intellectual Property hearing on "Content Protection in the Digital
Age: The Broadcast Flag, High-Definition Radio, and the Analog Hole."
http://www.house.gov/judiciary
November 7: Workshop on Privacy in the Electronic Society,
Alexandria, Va. (organized in conjunction with ACM CCS 2005, described
below).
http://wpes05.dti.unimi.it/
November 7-11: ACM Conference on Computer and Communications Security
(ACM CCS 2005), Alexandria, Va.
http://www.acm.org/sigs/sigsac/ccs/CCS2005/
November 16-18: World Summit on the Information Society (WSIS),
Tunis, Tunisia.
http://www.itu.int/wsis/tunis/index.html
November 30-December 4: ICANN meeting, Vancouver, Canada.
http://icann.org/meetings/vancouver/
=============================================================
[8] ABOUT USACM
USACM is the U.S. Public Policy Committee of the Association for
Computing Machinery (ACM). ACM is widely recognized as the premier
organization for computing professionals, delivering resources that
advance the computing and IT disciplines, enable professional
development, and promote policies and research that benefit society.
ACM hosts the computing industry's leading Digital Library and Guide
to Computing Literature, and serves its 80,000 global members and the
computing profession with journals and magazines, conferences,
workshops, electronic forums, and its Career Resource Centre and
Professional Development Centre. For more information about USACM and
ACM, see
http://www.acm.org/usacm/about.html
=============================================================
BACK ISSUES
For earlier editions of the ACM Washington Update, see
http://www.acm.org/usacm/update/
SUBSCRIBE/UNSUBSCRIBE
To subscribe to ACM's Washington Update newsletter, send an e-mail to
<listserv@xxxxxxx> with "subscribe WASHINGTON-UPDATE 'First Name'
'Last Name'" (no quotes) in the body of the message. To unsubscribe,
simply include the "SIGNOFF WASHINGTON-UPDATE" command in an email to
<listserv@xxxxxxx>.
QUESTIONS/COMMENTS
Should you have questions, comments, or suggestions regarding this
newsletter, public policy issues, or USACM activities, please contact
the ACM's Washington, D.C., Office of Public Policy by email at
<david.padgham@xxxxxxx> or by calling 202-659-9711.