Modernizing Authentication — What It Takes to Transform Secure Access
On Capitol Hill, most bills die young, smothered in their cribs by partisanship, philosophical differences or simple lack of money.
But even with the president's blessing, there's no guarantee a law will achieve its authors' high-minded aims. Some languish in the statute books, unworkable and unused.
That could be the fate awaiting the Science and Technology Emergency Mobilization Act -- at least a key part of it.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
Passed last year, the measure calls for a National Emergency Technology (NET) Guard -- a group of tech-savvy volunteers to prevent, or at least mimimize, the sort of network gridlock that added to the confusion and fear the morning of Sept. 11.
"It is essential to ensure that America's anti-terrorism efforts tap the tremendous science and technology talents of the private sector," Sen. Ron Wyden (D-Ore.) said in a floor speech last July.
In early December, Wyden's spokeswoman said it might take a year before the program was running. But now, five months later, nothing has been done, and there's a real possibility nothing ever will be.
The Difference Between Shall and May
Though there are a slew of practical reasons NET Guard has not progressed, the mechanism enabling inaction is contained in the bill's language.
In a town where the definition of "is" has been parsed, phrasing is paramount. Imprecision yanks the teeth from criminal law, opens gaping and unintended loopholes in tax law, and in this case, allows an agency to opt-out of administrative law.
"The law says that our department may enact a system like NET Guard, it doesn't actually require it," said David Wray, a spokesman for the Department of Homeland Security Department, which is charged with overseeing NET Guard.
The statute says the president "shall" pick a department to keep a list of volunteers, but two paragraphs later says DHS "may" decide to organize them in regional teams and help them contact each other.
Since it's unclear if NET Guard will even be formed, there is no effort to recruit volunteers, and no database to maintain.
"We are looking at it but we have an awful lot to do and have to do," said Wray, adding that the war with Iraq has caused DHS to focus on issues other than NET Guard.
"Conceptually NET Guard has a lot of appeal," said John L. Williams, co-founder and CTO of Preventsys, a Carlsbad, Calif., network security firm. "Say I'm a guy on commercial side of house, I exist to make money, but there's a new world out there where terrorists attack national interests -- and I can do something about it."
Williams cites Howard Schmidt's recent move from Microsoft executive to White House cybersecurity chief, as an example of this new, or perhaps rediscovered public spirit.
Please see page 2 for other hurdles.
Too Many Questions
War or no war, there are too many questions for NET Guard to advance beyond an appealing concept.
How much time will it take to organize? What are the qualifications for members? How will they be screened? Would they be compensated? What allowances would their employers be asked to make?
With the military's National Guard and Reserve units (the ideological model for NET Guard) these are all detailed for volunteers and their employers.
Many of the questions were left unanswered on purpose. The bill "does not create a large bureaucracy, nor does it seek to micromanage," Wyden told his colleagues. (Remember too that the DHS didn't even exist when the bill was drafted.)
Since its formation in late November, DHS chief Tom Ridge has been merging and reorganizing 22 federal agencies and 170,000 employees in the new cabinet-level department.
Carol Guthrie, Wyden's spokeswoman, was diplomatic when asked about the lack of progress.
"I think it's somewhat understandable that with all it has on its plate the Department of Homeland Security hasn't turned to (NET Guard) yet," she said.
Because of press reports last year, Guthrie said the office received many inquiries from IT experts interested in the program. But, according to Wray, those names haven't been passed to DHS.
This sort benign neglect was a concern of skeptics, including Michael Drapkin, CEO of Drapkin Technology, a New York IT consulting firm, the former chair of e-Commerce management for Columbia University's Executive IT Management program.
"The government has pretty much sat on the sidelines throughout the entire rise of the Internet," Drapkin said. "I don't have much of a sense of this going anywhere except the usual lip service and congressional hearings with big CEOs that don't produce anything."
So far, he's right.
It's unclear, what if any pressure Wyden, or the bill's other sponsor, Sen. George Allen (R-Va.), could bring on DHS. At this point, probably very little. Wyden still "believes it is an incredibly helpful program," Guthrie said.
Americans remain concerned about terrorism remains, but real-time images of servicemen and women facing machine gun fire and suicide bombers can't help but lessen concern about "virtual" computer systems incursions.
Earlier this week, Richard A. Clarke, President Bush's former IT security chief, told a congressional committee that DHS lacks the resources and staff to carry out the administration's overall plan.
Ultimately, it's up to DHS whether the NET Guard goes anywhere.
The DHS has merged three IT staffs, including one from the FBI, to monitor the performance of the nation's core Internet and phone networks and flag problems. Though they may not have the local presence that NET Guard would, the experts are doing some of the work outlined for the NET Guard.
"We're confident they are sufficient to do the job now," Wray said. "We will continue to monitor the systems and focus on developing the techology needed to deal with threats."
Williams, the security expert, said there are small, but useful, steps that could be taken, namely, spreading the word about actions companies to block network attacks.
Some signs within the federal government are promising, including some agencies publishing security policies for the first time. NET Guard could still work, if on a smaller scale, if dovetailed with those.
"It would be a shame if it didn't happen," Williams said.