Ask Cybersecurity Commission Chairman Jim Langevin About US Cybersecurity Plans
US Representative Jim Langevin (D-RI) is one of the chairs of the CSIS Cybersecurity Commission that released a comprehensive 96-page report on Dec. 8 under the title, Securing Cyberspace for the 44th Presidency. The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties. We'd like to thank Rep. Langevin and his staff (some of whom are ardent Slashdot readers) for taking time to answer your (hopefully) cogent questions. Usual Slashdot interview rules apply, and — also as usual — we'll post Rep. Langevin's answers as soon as he gets them back to us.
Is there is no Cybersecurity Plan... You do not talk about the Cybersecurity Plan....
I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
So how many civil liberties you guys plan on taking away?
Particularly in Democracies, and is more likely antithetical to them. Be careful that whatever short term secrets you might secure in the future are not obtained by the terrible mortgage of a future empire.
This is my sig.
I'm interested in how we're going to deal with threats originating in foreign countries (China and Russia, I'm looking at you) without having to basically just unplug them. Can it be done?
The NSA has had great success with Red Teams and competitions between security experts in helping learn how to better secure sensitive data and to keep up to date with the latest attack techniques.
What are your plans to utilize this powerful technique? If applied elsewhere, Red Team competitions can help better secure other aspects of the internet and to stay up to date.
Why run this out of the Executive Office of the President? Trying to run operational units directly from the White House seldom works well; the environment is political, not operational. The present cybersecurity office, in Homeland Security, is ineffective because the incumbent is a former lobbyist. When Amit Yoran was in charge there, progress was being made. He quit because he wasn't getting backing from higher in Homeland Security. The office needs a high-level champion in the White House, but that's a liaison job.
A few days ago, I read a story here in which Esther Dyson calls anonymity one of the "greatest disappointments of the Internet's evolution". What are your views on remaining anonymous online? I prefer to take measures to be anonymous so that information can not be gathered about me, as the notion of that makes me uncomfortable. Also, with countries like Russia and China advancing so rapidly technologically, what will the US do about cyberdefense? I can't help but feel that the US has been lagging technologically for a while. It seems though other countries have more people going into computer studies and are using computers more for cyber warfare. How much does the current administration depend on open source software? Will this change with Obama as president? I am in school and don't have time to read the entire report right now. Sorry if I am asking anything that is answered in there. Thanks!
For example, almost all spam promotes products paid for by credit card: if the credit card companies were threatened with punishment for handling transactions for goods promoted by spam, there would be no more spam. (Even spam originating in other countries promotes goods sold to Americans, and paid for through American credit cards).
Sent from my ASR33 using ASCII
The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity, so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet, can you convince me that a regulated internet is even necessary?
What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.
Give me Classic Slashdot or give me death!
The internet is a whole hell of a lot more than the US. How are any security regulations not a waste of time and taxpayers' money? The Federal government can require security procedures for federal agencies just the same as they most likely require secure handling of sensitive physical documents. I don't see a Commission or a chairman of Dead Tree Security so why is the money wasted on something that just has a more menacing name?
"I use a Mac because I'm just better than you are."
Dear Cybersecurity Commission Chairman,
Please shoot all your spammers.
Sincerely,
The Rest of the World.
I beg you, please. Someone needs to ask this.
Well, umm...yeah, do you, like, have one?
I'm only half-joking...
---"What did I say that sounded like 'Tell me about your day?'"---
Cyberspace? I think if you want a comprehensive strategy you need to get away from words that make you seem like a "series of tubes" style neo-luddite.
Let's move through the executive summary:
Reinvent the public private partnership:
Mmmmmm, pork.
Regulate cyberspace:
So you want to regulate it without telling anyone what to do. That should work.
Authenticate Digital Identities:
So, you want crypto for everyone, is that what you're saying? After that you're going to have to have some form of universal id/biometrics to keep those secure crypto identities from being stolen. And that won't actually work.
Modernize authorities:
The secret is realizing that just because a traditional crime is happening online, it doesn't make it a new crime. Once you take that step it's shocking how few new laws are actually needed.
Use acquisitions policy to improve security:
More pork. Seriously are people buying stuff that they know is insecure? (Not counting Windows obviously.) You should be pouring money into open source development, and not shutting down things like the NSA's security enhanced Linux program just because it's not putting money into the coffers of the big campaign contributors.
Build capabilities:
Nice and safe, that one.
Do not start over:
I'd argue that there hasn't even been a real start at this point on any of the above points, so that shouldn't be hard.
This just doesn't even seem serious to me. You need to get people who know vaguely what they're talking about, set up a secure, interoperative, interconnected network for the government. And if you manage to achieve that goal, then you can start trying to rearrange the rest of the world. But get your own house in order first.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I work in IT security and thus I wonder how you plan to deal with two conflicting problems: Rapid change of threat scenarios and ability to supervise and monitor the actions taken by the "cyber police".
Threats in IT change rapidly. Over the course of days sometimes. So quick reactions to emerging threats are a necessity. You have to react fast when something emerges, you can't let debates go on forever with weeks passing to give various interest groups a say in the matter.
How do you plan to ensure that civil liberties will not suffer from the necessary fast response when trying to make the internet a safer place? That whatever organisation is supposed to make the "net safer" will have certain powers is a given. Whenever, though, someone who has power has to do something fast (i.e. before someone could complain or interfere), the temptation to abuse this power (claiming "danger in delay", when the only danger would have been that someone could find out that power abuse is afoot) is present as well. How do you plan to address this?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Are you a supporter of net neutrality?
In today's political environment, "balance" is short for "annihilate but in a way that doesn't draw public attention." They already monitor all domestic and much of international internet traffic. There are several super-massive networks dedicated to this, and data-centers that make Google's resources look like a street beggar next to an executive banker. Their two main challenges are sifting the data for timely intelligence and warehousing the data. Fortunately for them, much of internet traffic is redundant, especially when you already have a copy of something previously sent -- you can use deltas and journals to store and retrieve the data streams at a fraction of the cost of brute force storage approaches. Privacy died years ago but people are still clinging to the idea that it's out of reach because their imagination can't fully encompass the full magnitude of the surveillance effort. This Slashdot post, and tens of thousands like it, undoubtedly reside in a database, instantly accessible, and tools exist to conduct a variety of analyses at every level of communication. These tools make Wireshark look like a high school science fair project in comparison, and while they are internally developed, often poorly implemented, and are not easy to use -- they still work well enough and research is always underway to improve them.
What the government is continuing to do is surround itself in a dense layer of laws, bureaucracy, and legal framework to insulate itself from public protest, hoping to repel or entirely dissipate any manner of organized dissent. This is simply another step in what has been a progressive march towards total control of the global communications networks, and the United States has had assistance from over a dozen major players. The spectre of terrorism, in tandem with rapid advances in sigint technology has simply accelerated long-sought for powers and caused a paradigm shift in the way intelligence is gathered and distributed. To bypass certain legal restrictions placed on them, they simply "outsource" intelligence work, pooling their collective resources while maintaining plausible deniability and a layer of obfuscation with the sole purpose of continuing the charade for the public's benefit in the respective member countries.
If any of this is news, it shouldn't be -- the major governments of the world want a global internet where every electronic communications device interconnects with every other because they already control most of the gateways and they are holding most of the keys. They are only too happy to have the assistance of people like you and me who labor under the notion that this will ultimately help society economically, socially, and politically. And it's true -- a global communications infrastructure will do exactly that, making the world a smaller place, making geographical and political lines largely irrelevant, streamlining economic exchanges, and bringing the thousand cultures of the world right to our fingertips. All under the watchful vigilance of ethereal and nameless soldiers, who promise you safety in exchange for an eye and an ear on the innermost details of your life.
And we're going to give it to them, not because we have a choice, but because several thousand years of human history says that somebody has to man the walls, somebody has to watch the gates, somebody has to enforce the laws (however arbitrary), and we're desperately afraid that this invisible framework that holds back the chaos today will fail and unleash a flood of uncertainty. All such frameworks are of course transitory in nature, but we will nevertheless sacrifice our freedoms in exchange for the promise of safety because we've never known any other way to live.
Freedom ever was only an illusion, a dream we continually strive for yet fail to achieve in any lasting way. Yet, because people continue to have impossible dreams a balance will always be maintained between the extremes of tyranny and freedom. It was as true two hundred years ago on muddy battlefields as it is today, in an ethereal world of electric impulses.
#fuckbeta #iamslashdot #dicemustdie
I noticed briefly in the document that it mentions the inability of the Govt. to hire the necessary talent to combat these issues. Namely it mentions the drop in CS student enrollments and attempts to relate it to the .com burst. In reality the American IT profession is under assault by both outsourcing and the current H1B visa program.
How do you intend to increase CS enrollment when the job market is being eroded by these two factors?
Got Code?
These may have belonged in my earlier question, but anyway:
1) Are you concerned with biting off more than you can chew with the "Manage Identities" portion of the recommendation? (or, put another way, are you sure the government should really be doing any of those in the first place?)
A number of people are already uncomfortable with the idea of a national identity card (witness the problems that RealID is having these days)...your report goes even farther, though, by proposing a government-issued identity card that consumers could use for purchases online. If I'm already suspicious of a national ID, why in the world would I want to use a government-issued online ID?
2) Also, your recommendations have some huge loopholes: point 17 says that you want to allow consumers to use strong government-issued credentials for online activities, but point 18 then says that there should be regulation preventing businesses from *requiring* the use of those credentials.
In practice, one of these two lines will be pointless (companies will say that it's optional to do business with them, so it's not "required"). By way of example, it's illegal for a company to *require* an SSN for non-banking business, but just try to get water service in Maryland without giving it to them...you can't do it.
Doesn't this sort of loophole make your "consumer protection" recommendations pointless?
This is BS, the one don't affect the other. What this is, is the introduction of total population surveillance under the pretext of protecting us against the CyberTerr'ists ..
davecb5620@gmail.com
Why must civil liberties be given up under any circumstance under the guise of "cybersecurity"? Why is there no open public review for people to proclaim that under no circumstance do they plan to give up civil liberties for sake of a bad US government cybersecurity plan? I for one do not plan to give up any form of "rights" just because the government has an inability to secure their own systems. I'm sure we all know the Thomas Jefferson quote for this.
Basically, my question is: why are we focused on balancing rights for security when we could spend more effort securing the existing government computer systems that we use, and it would be more effective? This is like pointing a finger at the Washington Monument and blaming it for the market collapse, and does not directly address the issue I just mentioned.
It is no secret that our nation's national security is threatened by the current single platform strategy. The lack of operating system diversity creates a fatal environment in which a single system flaw can expose all govt facilities and networks. As it stands today a single serious vulnerability could be exploited to blackout most if not all of our govt infrastructure.
How do you intend to address this serious problem?
Got Code?
The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties.
Give specific examples where civil liberties might need to be "modulated" for the benefit of electronic security measures.
"'Yrch!' said Legolas, falling into his own tongue."
What is your definition of "civil liberties," and to what levels do you believe they need to be protected? What defines protection?
Actually, this is an interesting question. I'd actually like to see this answered as well. Although a spin on what the OP said, this is a question that I'd like to see covered and not trivialized.
Mod this up.
What are you actually securing? Military computers? Government computers? Or is "cybersecurity" intercepting everyone's communications to bust dopers and other "terrorists?"
We've lost fewer than 4000 people to terrorism this century, while ten times that many die on the highways yearly.
Free Martian Whores!
I feel that Homeland Security lacks a mission that defines the scope of its surveillance powers. Is this a long term danger to our democracy? Our history has shown us how when agencies like the FBI are given powers without clear scope and oversight they eventually get abused.
Furthermore, a lot of signals intelligence related operations have been largely outsourced to prevent government being hampered by existing laws. This clearly creates a dangerous situation. Can we put the genie back in the bottle?
Besides sensitive government computers, which for whatever reason need to be connected to the WWW, exactly what part of the US portion of the Web needs to be secured and why?
When corrupt officials are busted how is it they still keep their security clearance, and still have access to government buildings and computers?
In this light.
What good is the Dept of Homeland Security?
The only thing they seem to be cracking down on is honest citizens trying to shine a light on corruption.
Much of the question of civil liberties in cybersecurity seems to be related to enforcement after the fact. The ability to find out who did what after the event occurs. That seems like a principal indication that there is a problem in our approach. Once an event happens, it cannot be undone. This is particularly true when considering information assets, which once lost cannot be recovered in the same sense in which a painting or automobile can be recovered.
Given these facts, is the direction of hardening and prevention being given sufficient weight when considering cybersecurity? Being able to put a criminal in jail is a fine objective, and perhaps there is some amount of freedom that is worth sacrificing to support that objective. Of course, it would be better to prevent the harm from occurring in the first place.
Do you place higher priority on hardening our information infrastructure, or on enhancing our ability to find out who did it after a breach occurs?
Stop-Prism.org: Opt Out of Surveillance
After Esther Dyson's semantically loaded Mauve Herring question a couple of days ago, I want to know what side she is on. It was clearly designed to get the Right Wing, who already hates abortion, to now hate Anonymous Friends (which they may not yet have had a clear opinion on.)
I seriously have to get a couple books and review the Logical Fallacies. It's becoming a survival imperative.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
to spend whatever it takes to build the infrastructure for the military to completely close off and protect its important systems? Even if it costs $50B/year, will you be willing to seek support in Congress to ensure that the military is as secure as the current state of IT can make possible?
In order to enforce a strong cybersecurity strategy, the US government and major owners of US telecommunication assets will have to cooperate. Unfortunately, the recent scandals regarding the illegal spying on US citizens using the telco infrastructure has affected the trust these private companies had in the US government. Aside from granting them retroactive immunity, what other steps are you willing to take to ensure future cooperation from the private industry?
In case you are a canuck and aren't clicking every link you see in TFS, this is NOT the Canadian CSIS, which for the information of those outside of Canada, is the Canadian CIA - our government intelligence organization.
Born to Play
What would be a "worst case" scenario for internet warfare (I *hate* the term "cyber") against the US? What are some specific scenarios you're trying to defend against? Do you consider, for example, the rampant credit card fraud on the internet to be a form of economic warfare against the US at this point? How will you go about shoring up the security of our network infrastructure against massive, coordinated intrusion or denial-of-service?
Causation can cause correlation
With no disrespect to the office of the president. However even the president of the United States is human, and he is not an IT expert. How do you prevent him from clicking "that button" which could create a security compromise? I would suspect that the President of the United States would have web access, and would want to go to the basic media outlets which often have questionable ads on them, and sometimes attempt to trick you into clicking "that button".
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Hello. I am currently doing an analysis of your report and I have several questions.
1. What do you consider to be the most significant change to FISMA that is proposed?
2. Do you expect new Industrial Control System (ICS) regulations to be based on NIST 800-82?
3. There have been many efforts on the procurement front to ensure the security of software that the government purchases including NIAP, Common Criteria Certification and SCAP. This is discussed in the report. What regulations are needed to consolidate this into a common stable process for vendors?
4. Does the document propose merging the military and civilian security standards (that seems to be implied) such as FDDC and the DISA-STIGs?
5. What role do you expect existing security/compliance organizations, such as ISSA, ISACA and particularly Infragard, with the three new public-private organizations that the report proposed to create?
6. The SCAP process has worked on a common format for reporting compliance of federal systems. Should this become the overall government standard and should it be mandated for private compliance as well?
7. The report made a strong point that information security must be a global effort (which is part of the reason to remove most of that responsibility from the Department of Homeland Security). What role should organizations like ISO play in this effort?
Thanks.
I believe our network is kind of insecure. Information can be syphoned off in transit. I and I'm sure others would like to provide information to improve security without having to resort to new technologies that will take time to implement.
The question is will there be a way for a US citizen to communicate directly with the government? Something like a forum but with strict registration to US citizens and a blacklist to all proxies including known hijacked systems. I know that privacy would be an issue but I know there are some people out there that would like to stick their neck out to help out, even if a bit misguided sometimes. Also, is there an issue with public agenda separating itself from foreign interest like this? Would there be a conflict of interest that can cause unforeseeable problems in the future?
I ask this because a means to communicate on how to improve security could help civil liberties indirectly.
So we've been hearing on Slashdot a fair bit about what the Air Force is trying to set up as a cyber-warfare unit. While the goal is understandable (after all, the Estonia DoS attacks have demonstrated how to cripple a country through digital means), I'm a little worried that this unit being in control of the Army could lead to a real problem as far as accountability. No offense to our Air Force generals, but internet security and hacking have little to do with organizing strategic bombings or dogfighting. Who would you like to put in charge of such a division and why?
And what responsibilities would you assign them? As they are part of the US military forces, they are here to protect American interests on this other world that is cyberspace - would they be given the task of attacking hackers and their bot-nets disrupting American businesses? And how would you prefer they go about it? Since the cyber-warfare unit is one of the first of its kind, what kind of rules are they supposed to follow, in this generally un-ruled space known as the Internet?
---- I am certain of only one thing : I know nothing else.
Catch-22
Catch-22 is a sort of senseless, cruel, and idiotic unspoken rule.... that you have to be insane to fly a bombing mission, which means that you should be grounded (not allowed to fly a mission), but if you don't want to fly, that clearly proves that you are sane and must fly the missions.
Describing the meaning of the phrase "Catch-22".
Yeah, this is going to be long ...
I find myself (and a very few others) in a position similar to Cliff Stoll in his book:
"The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
http://en.wikipedia.org/wiki/Clifford_Stoll
Certified anomalies permeating the net of a hardware based logic bomb / trojan.
This is cross-platform simply because "hardware trumps root".
I have dealt with this since 1997 and have contacted through a Lawyer all the channels one would contact.
This is not your "normal" beast.
I don't require an answer here, from Representative Jim Langevin, in this forum, a contact below is provided.
This requires attention.
Required reading:
Reflections on Trusting Trust
Ken Thompson
http://portal.acm.org/citation.cfm?id=358198.358210&coll=ACM&dl=ACM&CFID=14389570&CFTOKEN=96928429
Companion:
http://portal.acm.org/citation.cfm?id=777313.777347&coll=ACM&dl=ACM&CFID=14389570&CFTOKEN=96928429
This is as good a place to start as any.
Nancy has named it:
Subversion:
Nancy's Story: (expired site certificate)
(2005-present)
https://tagmeme.com/exmachina/a/002450.html
Same situation:
http://www.securityfocus.com/comments/articles/11372/33017/threaded#33017
http://www.securityfocus.com/comments/articles/11372/34206/threaded#34206
http://www.securityfocus.com/comments/articles/11372/33500/threaded#33500
http://www.securityfocus.com/comments/articles/11372/34207/threaded#34207
It took me years to find anyone that was as aware as some of these folks.
This is highly sophisticated, prevalent and dangerous.
I am a Systems Administrator working in the western United States.
hylas [AT] operamail {DOT} com
~hylas
A recent Business Week article indicated that we are losing the Cyber War. I work in Computer Forensics and one of the obstacles I see (regularly) for a secure computer (secure data) is the operating system being used. We have had little choice but to use Windows or Macintosh for the past 10 years, and according to Secunia, Windows is still unpatched (XP has 13% unpatched vulnerabilities and Vista has 12%). With the current state of the economy, and with the prospect of losing the so called "Cyber War", what are the government's plans to save money while increasing security, without affecting the Rights and Freedoms we currently enjoy on the Internet?
--E--
Dear Congressman Langevin,
Need a hand? Call me!
The United States for a long period of time discouraged the use of encryption, labelling it as a munition. The result is that the vast majority of computer data and internet communication is not encrypted. This situation has been a benefit to police and intelligence agencies because unencrypted information is much easier to analyze for evidence of crimes and terrorism in comparison to encrypted information. However, unencrypted information is much easier for criminals and terrorists to use as well. For example, if our laptops and USB keys were encrypted as a matter of normal practice, many data leaks would have been prevented.
As you might guess, I view encryption as a necessary (but not sufficient) tool for protecting information. Do you? Where do you place yourself in the tradeoff between encouraging encryption as part of protecting information from criminals and discouraging encryption as part of surveillance for criminals?
Why did you steal our acronym? (Note: I'm Canadian)
Canadian Security Intelligence Service
As this is a constant issue that is very pressing in our current society, I am reminded of another question.
Would you be willing to be part of ongoing interviews of similar topics to this for slashdot (assuming slashdot is as well)? Say every couple months or so?
An open forum for discussion is important. An active open forum discussion is even more so.
Dear Rep. Langevin:
As a hacker/computer security professional, I work daily to stay aware of emerging threats and computer security issues. I interact with people in both the public and private sector (read businesses and military/spooks). Both groups perceive the US government, specifically the legislature, as unresponsive, exhibiting misplaced priorities, and tolerating ongoing breaches of security by civil servants, our elected officials and by public agencies.
Congress appears to be - and has appeared to be (I'm dating myself) since way back in the day when the l0pht crew sat in the Rayburn building and scared the crap out of them with the infamous "we can take down the Internet in under thirty minutes" comment - unresponsive and downright clueless.
My question is, "Why does Congress appear to care so little about the security of America's information assets?" Alternately, does Congress really care, but legislators (okay, their staff) have no clue how to implement computer security effectively?
Or, is it all a charade - does Congress care, and the impression that computer security is a shambles is a well orchestrated ruse?
=;^)
(AKA Ev1l Wrangl3r)
Sir,
Do you agree that security does NOT require the forfeiture of civil liberties? I want my country, my community, and my family to be secure... but I want it without forfeiting the rights and freedoms that make our country great. I cannot think of a situation where a person's civil liberties NEED to be sacrificed for the sake of security, however our government seems to keep using security as a way to take our freedoms.
I would like to know if you have given some thought to shifting the commission's focus to protecting our civil liberties rather than trading them for a false sense of security.
Civil liberties, such as the ones that protect us from government spying on the people, that allow us to communicate freely and openly, that allow us to assemble publicly or in secret, and that once made the US a haven for business and people alike have been so compromised by repeated use of fear-and-take (promote fear, take a freedom) that I am concerned that your commission might be more interested in deciding what the next thing for us to be afraid of should be than you are about making us genuinely safer.
Do you see your position as one of protector of government interests or the people's interests? I feel funny saying that because our government is supposed to be for, by, and of the people... however recent trends have shown that there is polarity between government interests and the people's interests (such as the bail out of banks).
Please take the time to think about your commission's role and objectives... it's so easy to focus on the problem when it comes to computer security and typically that only leads to very narrow solutions that have catastrophic secondary effects.
Sometimes the best solution is to stop wasting time looking for an easy solution.
Most organizations with an active and alert IT staff actively block many segments of the internet to prevent malware/spyware access to command and control, payload servers, and information exfiltration intermediate sites. Sites that do scanning also get blocked.
Wouldn't it be possible to install perimeter firewalls that act on behalf of the whole United States and block a lot of the suspicious traffic? Kind of a huge iptables firewall?
I realize that places like Chinanet host many innocent netizens that don't mean harm, but we are having to balance National security with providing communications to the US for citizens of other countries.
These would also be moving targets and the "bad guys" are using the standard techniques of hiding among civilians. Address spoofing and false flag attacks could be countered by aggregating information the way private net security organizations already do.
Regardless, shouldn't we be actively blocking and frustrating these attacks, reconnaissance, and exfiltration attempts? I personally believe that blocking subnets that might not deserve it is the lesser evil to leaving ourselves open to attack.
All of this would definitely up the ante and we would probably see much more distributed attacks against distributed targets in the same way as there are now distributed but coordinated brute force attacks against ssh logins.
It would also put the onus and motivation on controlling the bad actors on the various subnets (and even countries) that suffer repeated blocking. It's not an easy choice, but our alternative seems to be just leaving the doors open for others to devise as many creative ways to attack us as possible.
I think the concerns about privacy are very real. When you increase accountability for actions, by nature you decrease anonymity and privacy - which most would agree is one very positive aspect of the web to fight tyranny, corruption, allow anonymous health concern information, etc.
We risk turning the internet into a strictly business / high security enterprise. Our technological and computer-driven society makes it pretty hard to hide from surveillance-minded overlords (i.e. the Bush administration).
We already lost accountability for search warrants in spite of the ability to gather information in real time as long as proper accounting was provided after the fact. Protections like that have to be restored and made iron clad with the highest penalties imposed for breaking the law. No retroactive immunities and no executive orders. There is just no other way.
What assurances and accountabilities - and penalties - will the government be willing to put in place to prevent ANY abuses of the added accountability that these plans require on the part of American citizens?
While it's all well and good to have yet another set of policy statements the fact is that policies do not win these battles. Managers, reporting chains, and the junior security personnel do not win these battles. The guys with stars on their shoulders do not win these battles. The senior talent with hands on keyboards provide the tools, indicators, and insights needed to be able to successfully attack or defend.
One senior guy that can reverse engineer a piece of malware quickly and accurately provides the key data needed to survive an attack. You could throw 100 junior people at that same piece of code and get nowhere. The same holds true for analyzing detection events, writing signatures, performing penetration tests, analyzing log data, and the list goes on. True network attack and defense is more like Special Forces than a bunch of grunts. The sooner that's figured out the better. The challenge is how to build a special forces structure across so many organizations and extend it all the way out to the private sector.
Without a healthy defensive security ecosystem that reacts quickly to threats without information being buffered by managers or junior personnel that are clueless, we're doomed to a never ending stream of compromises. Only the strong technical players survive, the weak get rooted. Responding to intrusions requires a full spectrum of capabilities that hinge on some strong geeks to feed law enforcement, management, politicians, and others reliable info that they can act upon.
No one senior geek can do it all. They rely on each other to provide different pieces of the overall picture from the various networks that are involved in the intrusion activity. How does the CSIS report address identifying this challenge of building a network of strong talent and removing the organizational barriers to collaboration between the players?
I live in DC and am currently pursuing a technical computer security-related graduate degree.
Many of my fellow students work in computer security with the DoD, DoJ, etc., although I do not work for the federal government. And the stories that I have heard of the politics involved with federal service and the lack of accountability endemic to the system, particularly at the SES level, ensure that I will not be doing so either.
Regardless, the common denominator among most of these people, or at least those with whom I have discussed technical or computer security issues, is their cluelessness as to how the underground computer culture really works. It is as though they are tourists who are trying to disguise themselves as natives, and it is just as effective.
For instance, some time ago I spoke to a computer security guy who worked for a branch of the military and he honestly thought that it was "dangerous" to read leading hacking publications. I was absolutely amazed.
How can you possibly consider yourself competent in a technically-oriented computer security position WITHOUT reviewing the opposition's literature and culture? Does a field commander not read intelligence reports on enemy activities? It makes no sense.
In my opinion, one of the main impediments to really securing all of the federal government's systems is the hiring system. Its inefficiency and byzantine structure are infamous. The pay doesn't help either.
But another problem that does not receive attention is that the best hackers I have known personally either used drugs, are using drugs, or will probably be going home to use drugs as soon as our conversation was over. It is just a part of being a brilliant, pissed off, rebellious teen who spends the next decade or two to become knowledgeable about computer security in ways they don't teach you about in classes.
I know people like this who are now executives in major corporations and, believe me, their corporate biographies omit some very colorful information about their past.
Do you have any plans to address the federal hiring process, especially as it regards computer security professionals? What about the clearance system, vis-à-vis more exemptions or exceptions for past drug use depending on the hiring agency?
It seems like most of the questions so far have focused on the physical security of cyberspace. They have ranged from dealing with botnets, combating spam, and securing government and military computers from hackers and criminals. I have not yet seen any discussion of what I have perceived to be an important military/government "cyberspace" priority. That priority is control over information. As a specific example, one can look at "insurgent propaganda" (jihadist videos, etc). It appears to be pretty widely acknowledged that the United States is "losing" the propaganda war in "cyberspace" (I hate that term about as much as everyone else here.) What are you people going to do to control and influence media and other similar uses of the Internet? What do you perceive your role, and the role of the United States government, to be in relation to controlling and shaping the message that reaches users on the Internet? To what extent are you prepared to limit people's freedom of speech in order to further national security interests? It seems like the government is pretty incompetent when it comes to communication. It's pretty sad. This country can spend billions of dollars convincing its citizens to go into debt and stay there and be happy about it, but it can't sell the War on Terror to the Middle East. "They" control the meta message, and we don't seem to have the talent to reframe it on them. Our memetic engineers are epically failing right now.
What I want to know is what they are going to do to put up a wall of data privacy between ISPs and organizations like the RIAA and MPAA.