ACM WASHINGTON UPDATE
Proposal Seeks to Transfer NIST Computer Security Functions to New Department
New Academy Report Recommends Science and Technology to Fight Terrorism
ACM Fellow Peter G. Neumann Receives Computer System Security Award
House and Senate Work to Resolve Differences Between Cyber Security Bills
New Legislation Attempts to Improve Information Sharing Among Federal Agencies
Update on Recent ICANN Activities
NIST Report Tags Cost of Software Bugs at $59.5 Billion
New European Coalition Forms to Protect Digital Rights
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
June 2002, Volume 6.6
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
INTRODUCTION
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Proposal Seeks to Transfer NIST Computer Security Functions to New Department
The Administration’s proposal to create a new Department of Homeland Security seeks to transfer several information analysis and infrastructure protection functions from existing agencies. The National Infrastructure Protection Center of the FBI, the National Communications System of the Department of Defense, the Critical Infrastructure Assurance Office of the Department of Commerce, the National Infrastructure Simulation and Analysis Center of the Department of Energy, and the Federal Computer Incident Response Center of the General Services Administration are among the functions to be transferred. In addition, the Computer Security Division of the National Institute of Standards and Technology (NIST) is also included in the proposal.

Transferring current computer security responsibilities from NIST to a new agency has proven to be controversial. Under current law, NIST is responsible for developing standards and guidelines for the security and privacy of sensitive information in Federal computer systems. In carrying out these responsibilities, NIST’s Computer Security Division works closely with experts from industry, academia, and other government agencies to enhance information assurance in both the public and private sectors. As NIST is a non-regulatory civilian agency within the Department of Commerce, shifting its computer security functions to an agency with a law enforcement or national security focus is troubling to many.

There is also a concern that much of the work the division performs, including awarding research and development grants to advance the state of the art of IT security applicable to commercial critical infrastructures, will be diluted when combined with that of larger agencies and different missions. At a recent House Science Committee hearing, Congresswoman Zoe Lofgren (D-CA) and Congresswoman Connie Morella (R-MD) expressed concerns with the proposed transfer. Science Committee Chairman Sherwood Boehlert pledged committee action on the proposal by mid-July.

To review the Administration’s proposal to establish a Department of Homeland Security, see White House

To review a letter from the Software and Information Industry Association registering concerns with the proposed transfer of NIST’s computer security work, see SIIA Letter

To review the web site of NIST’s Computer Security Division, see NIST
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
New Academy Report Recommends Science and Technology to Fight Terrorism

A new report issued by the National Academy of Sciences’ Committee on Science and Technology for Countering Terrorism recommends the creation of a new Homeland Security Institute. The panel suggests that the Institute function as an independent, quasi-governmental think tank to provide the nation’s top homeland security officials with strategic science and technology support. The co-chairmen of the Academy panel, Lewis Branscomb and Richard Klausner, recently outlined the recommendations at a joint hearing of the House Science Committee and the Senate Committee on Commerce, Science and Transportation. At an organizational level, the panel suggests the Institute should report to an undersecretary for science and technology within the new Homeland Security Department recently proposed by the Administration, but remain connected to research-oriented agencies such as the National Science Foundation, the National Institutes of Health, the Department of Energy, the Department of Defense, and the White House’s Office of Science and Technology Policy. Many lawmakers expressed support for the creation of the Institute.

To review the Academy report entitled “Making the Nation Safer: The Role of Science and Technology in Countering Terrorism”, see Report
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
ACM Fellow Peter G. Neumann Receives Computer System Security Award

Peter G. Neumann, a pioneering figure in computer security and a leader in privacy and public policy issues for the Association for Computing Machinery (ACM), received the 2002 Computer System Security Award from the Commerce Department’s National Institute of Standards and Technology (NIST). The award, given annually by NIST and the National Security Agency (NSA) for outstanding contributions toward the advancement of computer security technology, is considered the most prestigious award in the area of information security and assurance. Neumann is a principal scientist at the SRI International Computer Science Lab in Menlo Park, CA.

As co-chair of the ACM Advisory Committee on Security and Privacy, and as moderator of the RISKS Forum, sponsored by the ACM Committee on Computers and Public Policy, Neumann has energized and led debates on national issues related to security, reliability, human safety and trustworthy design. His book, Computer-Related Risks, is in its fourth printing. In addition, Neumann serves on the Executive Committee of USACM. Other ACM Fellows who are previous winners of the Computer System Security Award include Ron Rivest, Dorothy Denning, Willis Ware, Donn Parker, Eugene Spafford, and David Clark.

To review the NIST announcement of the award, see Neumann Honored
To review ACM’s announcement of the award, see ACM Release
To review Peter Neumann’s web site, see Dr. Neumann
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
House and Senate Work to Resolve Differences Between Cyber Security Bills

Negotiations are moving forward in an effort to resolve the differences between the House and Senate versions of the Cyber Security Research and Development Act. While the Senate Commerce Committee passed the House version of the legislation largely unchanged, a conflict arose with the adoption of an amendment offered by Senators Ron Wyden (D-OR) and John Edwards (D-NC). The amendment added provisions that would require agencies to adopt benchmark security standards to be developed by the National Institute of Standards and Technology. The IT industry objects to the new provisions, believing they mandate specific security technologies that agencies must adopt to be in conformance. Industry would rather see agencies have the flexibility to choose from several different technologies that meet prescribed levels of security. Talks are expected to continue during July.

In addition to increasing authorization levels for research and development in computer network security, the legislation also seeks to increase the number of cyber security researchers, to provide incentives to conduct more creative research, and to encourage undergraduates, graduate students and post-docs to study in the field.

To review Dr. Eugene Spafford’s testimony before the House Science Committee, see: Testimony
To review Dr. Lance Hoffman’s testimony before the Senate Commerce Committee’s Subcommittee on Science, Technology and Space, see Testimony
To review the Senate version of the Cyber Security Research and Development Act, see: S 2182
To review the House version of the Cyber Security Research and Development Act, see: H.R. 3394
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
New Legislation Attempts to Improve Information Sharing Among Federal Agencies

By a vote of 422 to 2, the House recently passed H.R. 4598, the Homeland Security Information Sharing Act. The legislation directs the president, the attorney general and the director of central intelligence to develop procedures for federal agencies to facilitate the sharing of classified or sensitive threat information with certain state and local officials. Further, the legislation provides an avenue for states to share similar information with federal agencies. Finally, the legislation directs that agencies use existing declassification techniques and existing networks, such as the National Law Enforcement Telecommunications System, to share information with state and local officials.

For a look at the legislation, see: H.R. 4598
For more information from the House Judiciary Committee, see House Judiciary
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Update on Recent ICANN Activities

The Senate Committee on Commerce, Science and Transportation’s Subcommittee on Technology recently held a hearing to examine issues related to the management of the Internet by the Internet Corporation for Assigned Names and Numbers (ICANN). The original “memorandum of agreement” between the Department of Commerce and ICANN is set to expire this September.

In its testimony, the U.S. General Accounting Office (GAO) identified the lack of oversight by the U.S. Department of Commerce as a major reason that ICANN has been ineffective in carrying out its mission. GAO also testified that ICANN has fallen short of its goals to be representative of the broad Internet community. While acknowledging that ICANN has organizational and management problems, the Department of Commerce witness concluded it was too soon to consider abandoning ICANN for a different entity.

In other related news, at its June 28 quarterly meeting in Bucharest, Romania, the ICANN board voted 18 to 0 to approve a new organizational plan titled “the Evolution and Reform Committee of the Board (ERC) Blueprint for Reform.” The new ERC plan establishes that ICANN selects its own board members from representatives of technical, business, government and non-profit organizations, and abandons the effort to allow Internet users to elect a portion of the ICANN board. Members of the U.S. House Committee on Energy and Commerce, which has jurisdiction over the Department of Commerce, expressed concerns with the new plan to Department of Commerce Secretary Donald Evans. They wrote that ICANN’s “complete lack of clearly articulated decision-making processes” was one of its greatest obstacles. Further, the lawmakers concluded, “Without defined notice and comment periods, established decision criteria, and the application of such criteria to the problem, petitioners are left with an ad hoc process.”

To review the statements of witnesses at the June 12 Senate Hearing, scroll to the hearing compilation at the website: Hearings
To review the blog that includes the ERC resolution adopted by ICANN, see the web site: ICANN BLOG
To review the House Energy and Commerce Committee’s work regarding ICANN, see their web site: Commerce
To review a letter from USACM urging ICANN to focus on its core mission, see: Letter
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
NIST Report Tags Cost of Software Bugs at $59.5 Billion

A National Institute of Standards and Technology (NIST) report conducted by the Research Triangle Institute (RTI) in North Carolina finds that software bugs cost the U.S. economy an estimated $59.5 billion, or about 0.6 percent of the gross domestic product. Nationally, more than half of these costs are borne by software users and the remainder by software developers and vendors, the study concludes. The 309-page report acknowledges that while not all errors could be eliminated, an estimated $22.2 billion of the costs could be avoided by an improved testing infrastructure that allows earlier and more effective identification and removal of software defects.

At present, the majority of errors are caught after the sale of the software. Several factors were identified as contributing to this situation: increasing complexity of software, shorter product life expectancy, marketing strategies, limited liability by vendors, and decreasing returns on testing and debugging of software.

For additional details on the study, see NIST press release: Press Release
For the NIST report, see: Report
To review USACM recommendations to improve government acquisition of software, see USACM Memo
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
New European Coalition Forms to Protect Digital Rights

Earlier this month, a new coalition of 10 privacy and civil rights organizations from 7 different countries in the European Union joined forces to preserve individual rights in the Digital Age. Known as European Digital Rights, the new coalition is particularly concerned with European data retention requirements, telecommunications interception, the cyber-crime treaty, initiatives for rating and filtering of Internet content, notice and takedown procedures for websites, and fair use restrictions. Based in Brussels, European Digital Rights will focus its activities on developments in the European Union and the Council of Europe.

For more information regarding European Digital Rights, see EDRI
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Should you have questions, comments, suggestions or recommendations regarding public policy issues or USACM activities, please contact the ACM Public Policy Office located in Washington, DC, by e-mailing usacm_dc@acm.org or calling (202) 659-9711. The ACM Public Policy Office would also be pleased to assist ACM members in contacting or meeting with their elected officials in Washington, DC.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+