The Alan Paller Testimony

A while ago the U.S. Senate Committee on Homeland Security and Governmental Affairs held a hearing on protecting Cyberspace as a national asset. To this end they introduced a Senate Bill (S 3480) and they asked various people to share their opinions. Among others they asked Alan Paller, Director of Research at the SANS institute and overseer of the Internet Storm Center (ISC), for his opinion on the Bill. He responded on June 15th with a written testimony. This testimony is available online here:

http://www.sans.org/security-resources/alan-paller-testimony.pdf

Or if you prefer video, you can also see the full senate hearing here:

http://www.senate.gov/fplayers/I2009/urlPlayer.cfm?fn=govtaff061510p&st=795&dur=8580

I believe he has made some very good points. He sums up why the US is in trouble right now, referring to various past events and quoting several high-ranking US officials. More importantly, he makes a strong case for modifications that will make the Bill more effective, and these will probably be well received by the industry.

Many industry experts have pointed out that the old FISMA bill, by making NIST standards and guidance mandatory, has become a huge administrative beast producing only useless reports that contain mostly outdated information. In fact, this burden has become so great that it has become an industry of its own. Many companies and departments are spending a large portion of their security budget hiring contractors to write the reports just to stay compliant. All this budget and effort is spent there instead of on resolving the actual problems. Mr. Paller goes on to point out how this new Bill does fix those issues, but makes four suggestions to further improve it.

He also warns against pandering to highly paid antibodies in Washington who are doing their best to stymie government oversight and regulation because they claim the government lacks the expertise to do so properly. His best point, in my opinion, is that if government oversight and regulation is so bad, why did Google turn to the government for help when it was being attacked with the now well-known Aurora attacks? Surely, if the government lacked the expertise, what good would that have done?

In all, Alan Paller’s testimony is levelheaded, fair and insightful. I appreciated that he didn’t paint doom scenarios like some others seem to do, and I respected his remarks about the Washington lobbyists who are doing everything to keep the government from creating proper regulations and oversight. His testimony is an easy read and I advise anyone with a few spare minutes to read it.