Policy and Law: Federal and Cybersecurity

The National Telecommunications and Information Administration (NTIA) is inviting comments regarding Domain Name and Addressing System Security Extensions (DNSSEC) implementation at the root zone. Comments are due on November 24, 2008. EDUCAUSE and Internet2 are planning to prepare joint comments so your input is welcome. Below are a few additional resources:

• EDUCAUSE Washington Update Blog
• NTIA Press Release
• Federal Register Notice
• DNSSEC Supporting Materials and Comments Received

The National Telecommunications and Information Administration, of the U.S. Department of Commerce, has issued a Notice of Inquiry (NOI) regarding “Enhancing the Security and Stability of the Internet’s Domain Name and Addressing System”. The NOI begins with the following background:

The Department of Commerce (Department) notes the increase in interest among government, technology experts and industry representatives regarding the deployment of Domain Name and Addressing System Security Extensions (DNSSEC) at the root zone level. The Department remains committed to preserving the security and stability of the DNS and is exploring the implementation of DNSSEC in the DNS hierarchy, including at the authoritative root zone level. Accordingly, the Department is issuing this notice to invite comments regarding DNSSEC implementation at the root zone.

The NOI seeks comments in response to the following general questions:

New federal regulations to address identity theft go into effect November 1, 2008, and are likely to affect colleges and universities in nuanced ways. Compliance will require careful study and collaboration among business officers, human resources, legal counsel, student services, IT, and other affected campus units. The rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency. They also require that institutions develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts.

Citing that “the number of data security breaches at colleges and universities increased over 67 percent from 2006, and the number of educational institutions affected increased over 72 percent”, H. Con. Res. 425 was submitted as a concurrent resolution expressing the sense of Congress of “the need to pass meaningful legislation to protect commercial and government data from data breaches.”  While the reported aim is to protect “commercial and government data”, the resolution acknowledges that data breaches occur in a wide range of institutions, including government, military, education, health care companies, banking, and credit and financial services.

The resolution, introduced by Rep. Michael C. Burgess (R-Texas) and Rep. Charles A. Gonzalez (D-Texas), highlights a number of facts to underscore the importance of action before the adjournment of the 110^th Congress.  For example: 

The U.S. Department of Homeland Security (DHS) has published the IT Security Essential Body of Knowledge (EBK). A Glossary of Key Terms used in the EBK is also provided.

According to the overview on the US-CERT website:

The IT Security EBK conceptualizes IT security skill requirements in a new way to address evolving IT security challenges. The EBK characterizes the IT security workforce and provides a national baseline representing the essential knowledge and skills that IT security practitioners should have to perform specific roles and responsibilities.

The EBK was featured in a November 2007 EDUCAUSE Live! presentation when DHS was accepting comments on a draft version of the document.

The U.S. Department of Homeland Security (DHS) has published the IT Security Essential Body of Knowledge (EBK). A Glossary of Key Terms used in the EBK is also provided.

According to the overview on the US-CERT website:

The IT Security EBK conceptualizes IT security skill requirements in a new way to address evolving IT security challenges. The EBK characterizes the IT security workforce and provides a national baseline representing the essential knowledge and skills that IT security practitioners should have to perform specific roles and responsibilities.

The EBK was featured in November 2007 on EDUCAUSE Live! presentation when DHS was accepting comments on a draft version of the document.

In anticipation of an administration change following the next presidential election, the Homeland Security Advisory Council has issued a report entitled Top Ten Challenges Facing The Next Secretary of Homeland Security. The report concluded:

The key challenges and recommendations follow:

Congressman Jim Langevin (Dem.-RI), Chair of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, has announced the creation of a House Cybersecurity Caucus. The purpose of this Caucus is to raise awareness and provide a forum for Members representing different committees of jurisdiction to discuss the challenges in securing cyberspace. 

“Congress plays a key role in the future of cybersecurity policy,” said Langevin.  “Just as this Administration has not spoken with one voice, however, committee jurisdictional squabbles threaten to divide the attention and focus of Congress on these issues.  That is why this Caucus is so important.” 

Langevin said the caucus "has already received great support from a number of members" and he looked forward to hosting a kick-off event in January.

EDUCAUSE joined the American Council on Education (ACE) in comments to respond to a Notice of Proposed Rulemaking regarding the Family Educational Rights and Privacy Act (FERPA). The EDUCAUSE contribution addressed the proposed rules treatment of Social Security Numbers (SSN's), Student ID Numbers, and Student User ID's in the context of "directory information." The comments state: