Ask Cybersecurity Commission Chairman Jim Langevin About US Cybersecurity Plans
US Representative Jim Langevin (D-RI) is one of the chairs of the CSIS Cybersecurity Commission that released a comprehensive 96-page report on Dec. 8 under the title, Securing Cyberspace for the 44th Presidency. The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties. We'd like to thank Rep. Langevin and his staff (some of whom are ardent Slashdot readers) for taking time to answer your (hopefully) cogent questions. Usual Slashdot interview rules apply, and — also as usual — we'll post Rep. Langevin's answers as soon as he gets them back to us.
So how many civil liberties you guys plan on taking away?
The NSA has had great success with Red Teams and competitions between security experts in helping learn how to better secure sensitive data and to keep up to date with the latest attack techniques.
What are your plans to utilize this powerful technique? If applied elsewhere, Red Team competitions can help better secure other aspects of the internet and to stay up to date.
A few days ago, I read a story here in which Esther Dyson calls anonymity one of the "greatest disappointments of the Internet's evolution". What are your views on remaining anonymous online? I prefer to take measures to be anonymous so that information can not be gathered about me, as the notion of that makes me uncomfortable. Also, with countries like Russia and China advancing so rapidly technologically, what will the US do about cyberdefense? I can't help but feel that the US has been lagging technologically for a while. It seems though other countries have more people going into computer studies and are using computers more for cyber warfare. How much does the current administration depend on open source software? Will this change with Obama as president? I am in school and don't have time to read the entire report right now. Sorry if I am asking anything that is answered in there. Thanks!
For example, almost all spam promotes products paid for by credit card: if the credit card companies were threatened with punishment for handling transactions for goods promoted by spam, there would be no more spam. (Even spam originating in other countries promotes goods sold to Americans, and paid for through American credit cards.)
Sent from my ASR33 using ASCII
The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity, so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet, can you convince me that a regulated internet is even necessary?
What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.
Give me Classic Slashdot or give me death!
The internet is a whole hell of a lot more than the US. How are any security regulations not a waste of time and taxpayers' money? The Federal government can require security procedures for federal agencies just the same as they most likely require secure handling of sensitive physical documents. I don't see a Commission or a chairman of Dead Tree Security so why is the money wasted on something that just has a more menacing name?
"I use a Mac because I'm just better than you are."
To build on this, how are you planning on addressing the credibility gap between what the executive wants to achieve, and what the rest of the internet community (at least in the US) believes you really can/should achieve?
For example, I was at BlackHat this year, and the keynote speaker was one of the Feds, speaking about the federal plans for cyber security. The discussions in the hall after his keynote were scathing. Many of the attendees concluded that he had no clue what he was talking about. This, I think, has to be the first hurdle the executive needs to clear before accomplishing anything. Put simply: the private sector just doesn't believe in government's ability to succeed. How are you going to fix that?
I work in IT security and thus I wonder how you plan to deal with two conflicting problems: Rapid change of threat scenarios and ability to supervise and monitor the actions taken by the "cyber police".
Threats in IT change rapidly. Over the course of days sometimes. So quick reactions to emerging threats are a necessity. You have to react fast when something emerges, you can't let debates go on forever with weeks passing to give various interest groups a say in the matter.
How do you plan to ensure that civil liberties will not suffer from the necessary fast response when trying to make the internet a safer place? That whatever organisation is supposed to make the "net safer" will have certain powers is a given. Whenever, though, someone who has power has to do something fast (i.e. before someone could complain or interfere), the temptation to abuse this power (claiming "danger in delay", when the only danger would have been that someone could find out that power abuse is afoot) is present as well. How do you plan to address this?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It is no secret that our nation's national security is threatened by the current single platform strategy. The lack of operating system diversity creates a fatal environment in which a single system flaw can expose all govt facilities and networks. As it stands today a single serious vulnerability could be exploited to blackout most if not all of our govt infrastructure.
How do you intend to address this serious problem?
Got Code?
What are you actually securing? Military computers? Government computers? Or is "cybersecurity" intercepting everyone's communications to bust dopers and other "terrorists?"
We've lost fewer than 4000 people to terrorism this century, while ten times that many die on the highways yearly.
Free Martian Whores!
I feel that Homeland Security lacks a mission that defines the scope of its surveillance powers. Is this a long term danger to our democracy? Our history has shown us how when agencies like the FBI are given powers without clear scope and oversight they eventually get abused.
Furthermore, a lot of signals intelligence related operations have been largely outsourced to prevent government being hampered by existing laws. This clearly creates a dangerous situation. Can we put the genie back in the bottle?
Besides sensitive government computers, which for whatever reason need to be connected to the WWW, exactly what part of the US portion of the Web needs to be secured and why?
Much of the question of civil liberties in cybersecurity seems to be related to enforcement after the fact. The ability to find out who did what after the event occurs. That seems like a principal indication that there is a problem in our approach. Once an event happens, it cannot be undone. This is particularly true when considering information assets, which once lost cannot be recovered in the same sense in which a painting or automobile can be recovered.
Given these facts, is the direction of hardening and prevention being given sufficient weight when considering cybersecurity? Being able to put a criminal in jail is a fine objective, and perhaps there is some amount of freedom that is worth sacrificing to support that objective. Of course, it would be better to prevent the harm from occurring in the first place.
Do you place higher priority on hardening our information infrastructure, or on enhancing our ability to find out who did it after a breach occurs?
Stop-Prism.org: Opt Out of Surveillance
Wow, there are a lot of good questions being made here, but one thing REALLY bothers me:
The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties.
The word balance suggests that there is give and take on either side of the scale. I posit that there is not. Civil liberties must be maintained, at the cost of security on the Internet if required. Q: How do you intend to manage that problem?
A government commission on 'cyberspace' security should obviously be intending to bring 'cyber criminals' to justice in order to protect ..... what exactly? What exactly is 'cyberspace' that you are going to secure?
If your domain is bringing criminals to justice, shouldn't you simply be an enhanced part of the FBI?
In what ways have you, and will you work with groups from other countries with similar mandates?
So far, you seem to like using 15-20 year old buzz words. How does this reflect on your ability to react quickly to the changing landscape of threats to Internet infrastructure, businesses, and commerce etcetera? Further, 'cyberspace' as most of us know it is very big. How do you intend to react quickly and 'secure' it when the tens of thousands of people and companies currently trying to do so are not able to? Making it illegal to run un-patched databases on websites will NOT fix the problem, so how do you intend to fix the problems?
As someone who writes software I am keenly interested to know if my vocation will come with risk of incarceration in the future. Will simple security mistakes bring to me risk of punishment, other than punishment of losing my current job?
Aside from virus software one of the largest commercial security problems is DDoS attacks. Will you address that problem, or only problems that you can easily handle? Will the FCC be assisting you in any respect with regard to DDoS attack handling etc.? Since 'cyberspace' runs on commercial pipes for the most part, and those pipes/tubes are full of lolcats running P2P, what will be the commission's reaction to capacity issues with regard to security of 'cyberspace'?
Are there any specific commercial ventures that will be ignored by the commission's work? Will this affect my local website AND Google, or just Google?
Is the word 'cyberspace' used in the title to relieve anyone of actually having to define what you will be responsible for?
Support NYCountryLawyer RIAA vs People
What would be a "worst case" scenario for internet warfare (I *hate* the term "cyber") against the US? What are some specific scenarios you're trying to defend against? Do you consider, for example, the rampant credit card fraud on the internet to be a form of economic warfare against the US at this point? How will you go about shoring up the security of our network infrastructure against massive, coordinated intrusion or denial-of-service?
Causation can cause correlation
Except we already know the answer to that: absolutely none.
Governments never give rights back, they only take them away. (Note this isn't the same as expanding existing rights to cover people they didn't cover before: civil liberties didn't grant anybody rights, they just gave everyone the same rights they already had.)
The only exception to this blanket statement I can think of is Prohibition, and with the ever-expanding drug war, it's obvious that was a special case.
The Democrats are, if anything, even more likely to take away our rights than the Republicans are. We won't be getting any rights back under Obama. If we're very lucky, we won't lose any more, but with Democrats in control of the government, I wouldn't count on it.
Don't forget, "Free Speech Zones" were an invention of the Democratic National Convention to keep undesirables away. Republicans only followed the trend.
Yes, but don't we already know that the answer is going to be "None, but ... Hey, look over there! A big shiny war!" ?
The United States for a long period of time discouraged the use of encryption, labelling it as a munition. The result is that the vast majority of computer data and internet communication is not encrypted. This situation has been a benefit to police and intelligence agencies because unencrypted information is much easier to analyze for evidence of crimes and terrorism in comparison to encrypted information. However, unencrypted information is much easier for criminals and terrorists to use as well. For example, if our laptops and USB keys were encrypted as a matter of normal practice, many data leaks would have been prevented.
As you might guess, I view encryption as a necessary (but not sufficient) tool for protecting information. Do you? Where do you place yourself in the tradeoff between encouraging encryption as part of protecting information from criminals and discouraging encryption as part of surveillance for criminals?
Most organizations with an active and alert IT staff actively block many segments of the internet to prevent malware/spyware access to command and control, payload servers, and information exfiltration intermediate sites. Sites that do scanning also get blocked.
Wouldn't it be possible to install perimeter firewalls that act on behalf of the whole United States and block a lot of the suspicious traffic? Kind of a huge iptables firewall?
I realize that places like Chinanet host many innocent netizens that don't mean harm, but we are having to balance National security with providing communications to the US for citizens of other countries.
These would also be moving targets and the "bad guys" are using the standard techniques of hiding among civilians. Address spoofing and false flag attacks could be countered by aggregating information the way private net security organizations already do.
Regardless, shouldn't we be actively blocking and frustrating these attacks, reconnaissance, and exfiltration attempts? I personally believe that blocking subnets that might not deserve it is the lesser evil to leaving ourselves open to attack.
All of this would definitely up the ante and we would probably see much more distributed attacks against distributed targets in the same way as there are now distributed but coordinated brute force attacks against ssh logins.
It would also put the onus and motivation on controlling the bad actors on the various subnets (and even countries) that suffer repeated blocking. It's not an easy choice, but our alternative seems to be just leaving the doors open for others to devise as many creative ways to attack us as possible.
I live in DC and am currently pursuing a technical computer security-related graduate degree.
Many of my fellow students work in computer security with the DoD, DoJ, etc., although I do not work for the federal government. And the stories that I have heard of the politics involved with federal service and the lack of accountability endemic to the system, particularly at the SES level, ensure that I will not be doing so either.
Regardless, the common denominator among most of these people, or at least those with whom I have discussed technical or computer security issues, is their cluelessness as to how the underground computer culture really works. It is as though they are tourists who are trying to disguise themselves as natives, and it is just as effective.
For instance, some time ago I spoke to a computer security guy who worked for a branch of the military and he honestly thought that it was "dangerous" to read leading hacking publications. I was absolutely amazed.
How can you possibly consider yourself competent in a technically-oriented computer security position WITHOUT reviewing the opposition's literature and culture? Does a field commander not read intelligence reports on enemy activities? It makes no sense.
In my opinion, one of the main impediments to really securing all of the federal government's systems is the hiring system. Its inefficiency and byzantine structure are infamous. The pay doesn't help either.
But another problem that does not receive attention is that the best hackers I have known personally either used drugs, are using drugs, or will probably be going home to use drugs as soon as our conversation was over. It is just a part of being a brilliant, pissed off, rebellious teen who spends the next decade or two to become knowledgeable about computer security in ways they don't teach you about in classes.
I know people like this who are now executives in major corporations and, believe me, their corporate biographies omit some very colorful information about their past.
Do you have any plans to address the federal hiring process, especially as it regards computer security professionals? What about the clearance system, vis-à-vis more exemptions or exceptions for past drug use depending on the hiring agency?