Ask Cybersecurity Commission Chairman Jim Langevin About US Cybersecurity Plans
US Representative Jim Langevin (D-RI) is one of the chairs of the CSIS Cybersecurity Commission that released a comprehensive 96-page report on Dec. 8 under the title, Securing Cyberspace for the 44th Presidency. The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties. We'd like to thank Rep. Langevin and his staff (some of whom are ardent Slashdot readers) for taking time to answer your (hopefully) cogent questions. Usual Slashdot interview rules apply, and — also as usual — we'll post Rep. Langevin's answers as soon as he gets them back to us.
Why run this out of the Executive Office of the President? Trying to run operational units directly from the White House seldom works well; the environment is political, not operational. The present cybersecurity office, in Homeland Security, is ineffective because the incumbent is a former lobbyist. When Amit Yoran was in charge there, progress was being made. He quit because he wasn't getting backing from higher in Homeland Security. The office needs a high-level champion in the White House, but that's a liaison job.
Cyberspace? I think if you want a comprehensive strategy you need to get away from words that make you seem like a "series of tubes" style neo-luddite.
Let's move through the executive summary:
Reinvent the public private partnership:
Mmmmmm, pork.
Regulate cyberspace:
So you want to regulate it without telling anyone what to do. That should work.
Authenticate Digital Identities:
So, you want crypto for everyone, is that what you're saying? After that you're going to have to have some form of universal ID/biometrics to keep those secure crypto identities from being stolen. And that won't actually work.
Modernize authorities:
The secret is realizing that just because a traditional crime is happening online, it doesn't make it a new crime. Once you take that step it's shocking how few new laws are actually needed.
Use acquisitions policy to improve security:
More pork. Seriously, are people buying stuff that they know is insecure? (Not counting Windows, obviously.) You should be pouring money into open source development, and not shutting down things like the NSA's Security-Enhanced Linux program just because it's not putting money into the coffers of the big campaign contributors.
Build capabilities:
Nice and safe, that one.
Do not start over:
I'd argue that there hasn't even been a real start at this point on any of the above points, so that shouldn't be hard.
This just doesn't even seem serious to me. You need to get people who know vaguely what they're talking about, set up a secure, interoperative, interconnected network for the government. And if you manage to achieve that goal, then you can start trying to rearrange the rest of the world. But get your own house in order first.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Are you a supporter of net neutrality?
In today's political environment, "balance" is short for "annihilate, but in a way that doesn't draw public attention." They already monitor all domestic and much of international internet traffic. There are several super-massive networks dedicated to this, and data centers that make Google's resources look like a street beggar next to an executive banker. Their two main challenges are sifting the data for timely intelligence and warehousing the data. Fortunately for them, much of internet traffic is redundant, especially when you already have a copy of something previously sent -- you can use deltas and journals to store and retrieve the data streams at a fraction of the cost of brute-force storage approaches. Privacy died years ago but people are still clinging to the idea that it's out of reach because their imagination can't fully encompass the full magnitude of the surveillance effort. This Slashdot post, and tens of thousands like it, undoubtedly reside in a database, instantly accessible, and tools exist to conduct a variety of analyses at every level of communication. These tools make Wireshark look like a high school science fair project in comparison, and while they are internally developed, often poorly implemented, and are not easy to use -- they still work well enough and research is always underway to improve them.
What the government is continuing to do is surround itself in a dense layer of laws, bureaucracy, and legal framework to insulate itself from public protest, hoping to repel or entirely dissipate any manner of organized dissent. This is simply another step in what has been a progressive march towards total control of the global communications networks, and the United States has had assistance from over a dozen major players. The spectre of terrorism, in tandem with rapid advances in sigint technology, has simply accelerated long-sought-for powers and caused a paradigm shift in the way intelligence is gathered and distributed. To bypass certain legal restrictions placed on them, they simply "outsource" intelligence work, pooling their collective resources while maintaining plausible deniability and a layer of obfuscation with the sole purpose of continuing the charade for the public's benefit in the respective member countries.
If any of this is news, it shouldn't be -- the major governments of the world want a global internet where every electronic communications device interconnects with every other because they already control most of the gateways and they are holding most of the keys. They are only too happy to have the assistance of people like you and me who labor under the notion that this will ultimately help society economically, socially, and politically. And it's true -- a global communications infrastructure will do exactly that, making the world a smaller place, making geographical and political lines largely irrelevant, streamlining economic exchanges, and bringing the thousand cultures of the world right to our fingertips. All under the watchful vigilance of ethereal and nameless soldiers, who promise you safety in exchange for an eye and an ear on the innermost details of your life.
And we're going to give it to them, not because we have a choice, but because several thousand years of human history says that somebody has to man the walls, somebody has to watch the gates, somebody has to enforce the laws (however arbitrary), and we're desperately afraid that this invisible framework that holds back the chaos today will fail and unleash a flood of uncertainty. All such frameworks are of course transitory in nature, but we will nevertheless sacrifice our freedoms in exchange for the promise of safety because we've never known any other way to live.
Freedom ever was only an illusion, a dream we continually strive for yet fail to achieve in any lasting way. Yet, because people continue to have impossible dreams, a balance will always be maintained between the extremes of tyranny and freedom. It was as true two hundred years ago on muddy battlefields as it is today, in an ethereal world of electric impulses.
#fuckbeta #iamslashdot #dicemustdie
I noticed briefly in the document that it mentions the inability of the Govt. to hire the necessary talent to combat these issues. Namely, it mentions the drop in CS student enrollments and attempts to relate it to the .com burst. In reality the American IT profession is under assault by both outsourcing and the current H1B visa program.
How do you intend to increase CS enrollment when the job market is being eroded by these two factors?
Got Code?
These may have belonged in my earlier question, but anyway:
1) Are you concerned with biting off more than you can chew with the "Manage Identities" portion of the recommendation? (or, put another way, are you sure the government should really be doing any of those in the first place?)
A number of people are already uncomfortable with the idea of a national identity card (witness the problems that RealID is having these days)...your report goes even farther, though, by proposing a government-issued identity card that consumers could use for purchases online. If I'm already suspicious of a national ID, why in the world would I want to use a government-issued online ID?
2) Also, your recommendations have some huge loopholes: point 17 says that you want to allow consumers to use strong government-issued credentials for online activities, but point 18 then says that there should be regulation preventing businesses from *requiring* the use of those credentials.
In practice, one of these two lines will be pointless (companies will say that it's optional to do business with them, so it's not "required"). By way of example, it's illegal for a company to *require* an SSN for non-banking business, but just try to get water service in Maryland without giving it to them...you can't do it.
Doesn't this sort of loophole make your "consumer protection" recommendations pointless?
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre*.
-- Armand Jean du Plessis, Cardinal et Duc de Richelieu and first minister to Louis XIII
* If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
This is BS, the one doesn't affect the other. What this is, is the introduction of total population surveillance under the pretext of protecting us against the CyberTerr'ists ..
Why must civil liberties be given up under any circumstance under the guise of "cybersecurity"? Why is there no open public review for people to proclaim that under no circumstance do they plan to give up civil liberties for the sake of a bad US government cybersecurity plan? I for one do not plan to give up any form of "rights" just because the government has an inability to secure their own systems. I'm sure we all know the Thomas Jefferson quote for this.
Basically, my question is: why are we focused on balancing rights for security when we could spend more effort securing the existing government computer systems that we use, and it would be more effective? This is like pointing a finger at the Washington Monument and blaming it for the market collapse, and does not directly address the issue I just mentioned.
The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties.
Give specific examples where civil liberties might need to be "modulated" for the benefit of electronic security measures.
"'Yrch!' said Legolas, falling into his own tongue."
No, after the Bush Administration's damage to privacy, the question should be,
"How many civil liberties do you plan to give back to us?"
:)
to spend whatever it takes to build the infrastructure for the military to completely close off and protect its important systems? Even if it costs $50B/year, will you be willing to seek support in Congress to ensure that the military is as secure as the current state of IT can make possible?
Have you read TFA yet?
I'm still going through the report, but it criticizes one of Bush's initiatives (CNCI) as having its effectiveness reduced by unnecessary secrecy.
The one thing I don't like about the report is that in general, I consider the word "cyberspace" to be too buzzwordy for some of the ways the report uses it, especially the "National Office for Cyberspace"... Maybe something like "National Office for Information Technology Security" or something like that?
"Cyberspace" is one of those words that are almost never used by people who really know what they're talking about.
Why do you do nothing about the credit card companies handling the proceeds of crime? Most cybercrime relies on credit/debit card companies
You have a very poor grasp of "cyber crime" and what the current trends are in it. Spam is distributed by botnets, and I'm pretty sure they don't need a valid credit card number to operate. Malware is being developed every day that exploits people's online banking login credentials to conduct wire transfers, which do not involve credit/debit card companies or the ATM network (not directly anyway), in addition to secondary uses in industrial espionage and selling computing cycles for things like key cracking.
Lastly, the commissioner is asking about what can be done to secure cyberspace, which is a loftier goal than getting "cheap viagra" off the market and squelching spam. You can direct those comments to a panel being set up on questioning the effectiveness of the FDA and why the #$@! there's no funding to prosecute vendors for making intentionally false claims about their products.
Perhaps I can rephrase your question in a more meaningful way:
Chairman, how will you work to improve cooperation between domestic and foreign law enforcement to effect a more rapid response to cyber crimes (for example, stolen credit card data)?
So we've been hearing on Slashdot a fair bit about what the Air Force is trying to set up as a cyber-warfare unit. While the goal is understandable (after all, the Estonia DoS attacks have demonstrated how to cripple a country through digital means), I'm a little worried that this unit being in control of the Army could lead to a real problem as far as accountability. No offense to our Air Force generals, but internet security and hacking have little to do with organizing strategic bombings or dogfighting. Who would you like to put in charge of such a division and why?
And what responsibilities would you assign them? As they are part of the US military forces, they are here to protect American interests on this other world that is cyberspace - would they be given the task of attacking hackers and their bot-nets disrupting American businesses? And how would you prefer they go about it? Since the cyber-warfare unit is one of the first of its kind, what kind of rules are they supposed to follow, in this generally un-ruled space known as the Internet?
---- I am certain of only one thing : I know nothing else.
When someone buys the fake Viagra on the dodgy pills site, they use their credit card. It is presumably possible for the credit card companies to identify the merchants tied to these sites in the same way as they identify online casinos in order to comply with other laws regarding those. Therefore, they could block these transactions (or cut off the merchant accounts completely if that's feasible).
And how do you propose vetting a vendor to ensure they're legitimate without either making it privacy invasive or resource-intensive? This is the same problem as with background checks, and on the internet, nobody knows you're a dog. If you want to win, you attack the problem at its source, not at the periphery.
I can answer this one and I base my answer on my own experiences in computer security.
Security largely gets lip service. That's it. It's not just Congress. It's everywhere. Most people just don't understand the threat or appreciate the damage that is being done every day.
When you tell people they can't use IE 6 because of security issues, they rise up en masse and complain they can't do their work. Management sides with them and soon the IT security guy is in the doghouse for trying to compromise productivity.
Same thing for requiring strong passwords. They are just too hard to remember. And users *need* to be able to connect to your network with personal, inadequately-protected computers because it's too expensive to buy everyone the company expects to work offsite their own computer and to forbid personal use or visiting any non-work websites, sending all sorts of fun Powerpoint and other attachments to e-mail, etc.
And in the private citizen sector, most don't have a clue that they need to update their systems and install patches. Most just notice their computer slows down when they do so they click the "ask me again later" buttons. People notice their computers slow down overall but never consider that their transactions could be being monitored, their computers could be hosting spam or kiddie porn, or be used in various network attacks.
The list is endless. Security means people can't have as much fun, won't be quite as productive, and takes effort and vigilance on everyone's part.
At least this has been my experience and it sure makes being active in security less attractive.
While it's all well and good to have yet another set of policy statements the fact is that policies do not win these battles. Managers, reporting chains, and the junior security personnel do not win these battles. The guys with stars on their shoulders do not win these battles. The senior talent with hands on keyboards provide the tools, indicators, and insights needed to be able to successfully attack or defend.
One senior guy that can reverse engineer a piece of malware quickly and accurately provides the key data needed to survive an attack. You could throw 100 junior people at that same piece of code and get nowhere. The same holds true for analyzing detection events, writing signatures, performing penetration tests, analyzing log data, and the list goes on. True network attack and defense is more like Special Forces than a bunch of grunts. The sooner that's figured out the better. The challenge is how to build a special forces structure across so many organizations and extend it all the way out to the private sector.
Without a healthy defensive security ecosystem that reacts quickly to threats without information being buffered by managers or junior personnel that are clueless, we're doomed to a never ending stream of compromises. Only the strong technical players survive, the weak get rooted. Responding to intrusions requires a full spectrum of capabilities that hinge on some strong geeks to feed law enforcement, management, politicians, and others reliable info that they can act upon.
No one senior geek can do it all. They rely on each other to provide different pieces of the overall picture from the various networks that are involved in the intrusion activity. How does the CSIS report address identifying this challenge of building a network of strong talent and removing the organizational barriers to collaboration between the players?