Ask Cybersecurity Commission Chairman Jim Langevin About US Cybersecurity Plans

US Representative Jim Langevin (D-RI) is one of the chairs of the CSIS Cybersecurity Commission that released a comprehensive 96-page report on Dec. 8 under the title, Securing Cyberspace for the 44th Presidency. The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties. We'd like to thank Rep. Langevin and his staff (some of whom are ardent Slashdot readers) for taking time to answer your (hopefully) cogent questions. Usual Slashdot interview rules apply, and — also as usual — we'll post Rep. Langevin's answers as soon as he gets them back to us.

So.....

So how many civil liberties you guys plan on taking away?

Red Teams

[Bananatree3]

The NSA has had great success with Red Teams and competitions between security experts in helping learn how to better secure sensitive data and to keep up to date with the latest attack techniques.

What are your plans to utilize this powerful technique? If applied elsewhere, Red Team competitions can help better secure other aspects of the internet and to stay uptodate.

Why run this out of the EOP?

[Animats]

Why run this out of the Executive Office of the President? Trying to run operational units directly from the White House seldom works well; the environment is political, not operational. The present cybersecurity office, in Homeland Security, is ineffective because the incumbent is a former lobbyist. When Amit Yoran was in charge there, progress was being made. He quit because he wasn't getting backing from higher in Homeland Security. The office needs a high-level champion in the White House, but that's a liasion job.

Re:Why run this out of the EOP?

[gclef]

To build on this, how are you planning on addressing the credibility gap between what the executive wants to achieve, and what the rest of the internet community (at least in the US) believes you really can/should achieve?

For example, I was at BlackHat this year, and the keynote speaker was one of the Feds, speaking about the federal plans for cyber security. The discussions in the hall after his keynote were scathing. Many of the attendees concluded that he had no clue what he was talking about. This, I think, has to be the first hurdle the executive needs to clear before accomplishing anything. Put simply: the private sector just doesn't believe in government's ability to succeed. How are you going to fix that?

a few things off the top of my head

A few days ago, I read a story here in which Esther Dyson calls anonymity one of the "greatest disappointments of the Internet's evolution". What are your views on remaining anonymous online? I prefer to take measures to be anonymous so that information can not be gathered about me, as the notion of that makes me uncomfortable. Also, with countries like Russia and China advancing so rapidly technologically, what will the US do about cyberdefense? I can't help but feel that the US has been lagging technologically for a while. It seems though other countries have more people going into computer studies and are using computers more for cyber warfare. How much does the current administration depend on open source software? Will this change with Obama as president? i am in school and don't have time to read the entire report right now. sorry if i am asking anything that is answered in there. thanks!

Regulation

[Hatta]

The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity, so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet, can you convince me that a regulated internet is even necessary?

What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.

Wow.

[SatanicPuppy]

Cyberspace? I think if you want a comprehensive strategy you need to get a way from words that make you seem like a "series of tubes" style neo-luddite.

Lets move through the executive summary:

Reinvent the public private partnership:
Mmmmmm, pork.

Regulate cyberspace:
So you want to regulate it without telling anyone what to do. That should work.

Authenticate Digital Identities:
So, you want crypto for everyone, is that what you're saying? After that you're going to have to have some form of universal id/biometrics to keep those secure crypto identities from being stolen. And that won't actually work.

Modernize authorities:
The secret is realizing that just because a traditional crime is happening online, it doesn't make it a new crime. Once you take that step it's shocking how few new laws are actually needed.

Use acquisitions policy to improve security:
More pork. Seriously are people buying stuff that they know is insecure? (Not counting windows obviously.) You should be pouring money into open source development, and not shutting down things like the NSA's security enhanced linux program just because it's not putting money into the coffers of the big campaign contributors.

Build capabilities:
Nice and safe, that one.

Do not start over:
I'd argue that there hasn't even been a real start at this point on any of the above points, so that shouldn't be hard.

This just doesn't even seem serious to me. You need to get people who know vaguely what they're talking about, set up a secure, interoperative, interconnected network for the government. And if you manage to achieve that goal, then you can start trying to rearrange the rest of the world. But get your own house in order first.

Re:Wow.

[zappepcs]

Wow, there are a lot of good questions being made here, but one thing REALLY bothers me:

The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties.

The word balance suggests that there is give and take on either side of the scale. I posit that there is not. Civil liberties must be maintained, at the cost of security on the Internet if required. Q: How do you intend to manage that problem?

A government commission on 'cyberspace' security should obviously be intending to bring 'cyber criminals' to justice in order to protect ..... what exactly? What exactly is 'cyberspace' that you are going to secure?

If your domain is bringing criminals to justice, shouldn't you simply be an enhanced part of the FBI?

In what ways have you, and will you work with groups from other countries with similar mandates?

So far, you seem to like using 15-20 year old buzz words. How does this reflect on your ability to react quickly to the changing landscape of threats to Internet infrastructure, businesses, and commerce etcetera? Further, 'cyberspace' as most of us know it is very big. How do you intend to react quickly and 'secure' it when the tens of thousands of people and companies currently trying to do so are not able to? Making it illegal to run un-patched databases on websites will NOT fix the problem, so how do you intend to fix the problems?

As someone who writes software I am keenly interested to know if my vocation will come with risk of incarceration in the future. Will simple security mistakes bring to me risk of punishment, other than punishment of losing my current job?

Aside from virus software one of the largest commercial security problems is DDoS attacks. Will you address that problem, or only problems that you can easily handle? Will the FCC be assisting you in any respect with regard to DDoS attack handling etc. Since 'cyberspace' runs on commercial pipes for the most part, and those pipes/tubes are full of lolcats running P2P, what will be the commissions reaction to capacity issues with regard to security of 'cyberspace'.

Are there any specific commercial ventures that will be ignored by the commission's work? Will this affect my local website AND Google, or just Google?

Is the word 'cyberspace' used in the title to relieve anyone of actually having to define what you will be responsible for?

How will this power be controlled?

[Opportunist]

I work in IT security and thus I wonder how you plan to deal with two conflicting problems: Rapid change of threat scenarios and ability to supervise and monitor the actions taken by the "cyber police".

Threats in IT change rapidly. Over the course of days sometimes. So quick reactions to emerging threats is a necessity. You have to react fast when something emerges, you can't let debates go on forever with weeks passing to give various interest groups a say in the matter.

How do you plan to ensure that civil liberties will not suffer from the necessary fast response when trying to make the internet a safer place? That whatever organisation is supposed to make the "net safer" will have certain powers is a given. Whenever, though, someone who has power has to do something fast (i.e. before someone could complain or interfere), the temptation to abuse this power (claiming "danger in delay", when the only danger would have been that someone could find out that power abuse is afoot) is present as well. How do you plan to address this?

Translation

[girlintraining]

In today's political environment, "balance" is short for "annhilate but in a way that doesn't draw public attention." They already monitor all domestic and much of international internet traffic. There are several super-massive networks dedicated to this, and data-centers that make Google's resources look like a street beggar next to a executive banker. Their two main challenges are sifting the data for timely intelligence and warehousing the data. Fortunately for them, much of internet traffic is redundant, especially when you already have a copy of something previously sent -- you can use deltas and journals to store and retrieve the data streams at a fraction of the cost of brute force storage approaches. Privacy died years ago but people are still clinging to the idea that it's out of reach because their imagination can't fully encompass the full magnitude of the surveillance effort. This slashdot post, and tens of thousands like it, undoubtedly reside in a database, instantly accessible, and tools exist to conduct a variety of analysis' at every level of communication. These tools make Wireshark look like a high school science fair project in comparison, and while they are internally developed, often poorly implemented, and are not easy to use -- they still work well enough and research is always underway to improve them.

What the government is continuing to do is surround itself in a dense layer of laws, bureauacracy, and legal framework to insulate itself from public protest, hoping to repel or entirely dissipate any manner of organized dissent. This is simply another step in what has been a progressive march towards total control of the global communications networks, and the United States has had assistance from over a dozen major players. The spectre of terrorism, in tandem with rapid advances in sigint technology has simply accelerated long-sought for powers and caused a paradigm shift in the way intelligence is gathered and distributed. To bypass certain legal restrictions placed on them, they simply "outsource" intelligence work, pooling their collective resources while maintaining plausible deniability and a layer of obfusciation with the sole purpose of continuing the charade for the publics' benefit in the respective member countries.

If any of this is news, it shouldn't be -- the major governments of the world want a global internet where every electronic communications device interconnects with every other because they already control most of the gateways and they are holding most of the keys. They are only too happy to have the assistance of people like you and me who labor under the notion that this will ultimately help society economically, socially, and politically. And it's true -- a global communications infrastructure will do exactly that, making the world a smaller place, making geographical and political lines largely irrelevant, streamlining economic exchanges, and bringing the thousand cultures of the world right to our fingertips. All under the watchful vigilance of ethereal and nameless soldiers, who promise you safety in exchange for an eye and an ear on the innermost details of your life.

And we're going to give it to them, not because we have a choice, but because several thousand years of human history says that somebody has to man the walls, somebody has to watch the gates, somebody has to enforce the laws (however arbitrary), and we're desperately afraid that this invisible framework that holds back the chaos today will fail and unleash a flood of uncertainty. All such frameworks are of course transitory in nature, but we will nevertheless sacrifice our freedoms in exchange for the promise of safety because we've never known any other way to live.

Freedom ever was only an illusion, a dream we continually strive for yet fail to achieve in any lasting way. Yet, because people continue have impossible dreams a balance will always be maintained between the extremes of tyranny and freedom. It was as true two hundred years ago on muddy battlefields as it is today, in a ethereal world of electric impulses.

Re:Translation

[girlintraining]

Ah yes, forgot -- the question. So, Mr. Chairman, what will you recommend to improve the protection of the global surveillance network from abuse by foreign and domestic interests? What oversight will be available, and what punishments will be dealt for such abuses? What's to prevent the oversight committee from becoming too comfortable and complacent in its duties that an erosion of vigilance occurs and ultimately makes it a meaningless appendage of the bureaucratic process?

If I may offer a suggestion: Disclosure. Show us some of the near-collisions between this ethereal world and the real one, how close we've come to losing valuable assets. Show the challenges and balancing act that is as much about people as technology -- put a human face on the men and women who work in secret to protect us every day. Take us inside. Give us a reason to trust your commission, and the people they oversee, rather than empty assurances that abuse isn't happening. I accept there isn't much we can do to turn back the clock, but I'd sure like to know that the people manning the walls and standing at the gates are people like me who understand the moral implications of the choices they make every day. Because right now I have my doubts, as do millions of other Americans who look uneasily to the future.

Hiring Practices And Education

[codepunk]

I noticed briefly in the document that it mentions the inability of the Govt. to hire the
necessary talent to combat these issues. Namely it mentions the drop in CS student enrollments and
attempts to relate it to the .com burst. In reality the American IT profession is under assault by
both outsourcing and the current H1B visa program.

How do you intend to increase CS enrollment when the job market is being eroded by these two factors?

Over-reaching

[gclef]

These may have belonged in my earlier question, but anyway:

1) Are you concerned with biting off more than you can chew with the "Manage Identities" portion of the recommendation? (or, put another way, are you sure the government should really be doing any of those in the first place?)

A number of people are already uncomfortable with the idea of a national identity card (witness the problems that RealID is having these days)...your report goes even farther, though, by proposing a government-issued identity card that consumers could use for purchases online. If I'm already suspicious of a national ID, why in the world would I want to use a government-issued online ID?

2) Also, your recommendations have some huge loopholes: point 17 says that you want to allow consumers to use strong government-issued credentials for online activities, but point 18 then says that there should be regulation preventing businesses from *requiring* the use of those credentials.

In practice, one of these two lines will be pointless (companies will say that it's optional to do business with them, so it's not "required"). By way of example, it's illegal for a company to *require* an SSN for non-banking business, but just try to get water service in Maryland without giving it to them...you can't do it.
Doesn't this sort of loophole make your "consumer protection" recommendations pointless?

cyberspace security needs and civil liberties ..

[rs232]

This is BS, the one don't affect the other. What this is, is the introduction of total population surveillance under the pretext of protecting us against the CyberTerr'ists ..

Why?

[poetmatt]

Why must civil liberties be given up under any circumstance under the guise of "cybersecurity"? Why is there no open public review for people to proclaim that under no circumstance do they plan to give up civil liberties for sake of a bad us government cybersecurity plan? I for one do not plan to give up any form of "rights" just because the government has an inability to secure their own systems. I'm sure we all know the Thomas Jefferson quote for this.

Basically, my question is: why are we focused on balancing rights for security when we could spend more effort securing the existing government computer systems that we use, and it would be more effective? This is like pointing a finger at the washington monument and blaming it for the market collapse, and does not directly address the issue I just mentioned.

Single Platform Vulnerability

[codepunk]

It is no secret that our nations national security is threatened by the current single
platform strategy. The lack of operating system diversity creates a fatal environment
in which a single system flaw can expose all govt facilities and networks. As it stands
today a single serious vulnerability could be exploited to blackout most if not all of
our govt infrastructure.

How do you intend to address this serious problem?

Such as?

[smclean]

The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties.

Give specific examples where civil liberties might need to be "modulated" for the benefit of electronic security measures.

Re:PLEASE MOD THIS UP!

[Ethanol-fueled]

No, after the Bush Administration's damages to privacy, the question should be,

"How many civil liberties to you plan to give back to us?" :)

Secure what?

[fuego451]

Besides sensitive government computers, which for whatever reason need to be connected to the WWW, exactly what part of the US portion of the Web needs to be secured and why?

Re:no, mod comment #26093183 up

Except we already know the answer to that: absolutely none.

Governments never give rights back, they only take them away. (Note this isn't the same as expanding existing rights to cover people they didn't cover before: civil liberties didn't grant anybody rights, they just gave everyone the same rights they already had.)

The only exception to this blanket statement I can think of is Prohibition, and with the ever-expanding drug war, it's obvious that was a special case.

The Democrats are, if anything, even more likely to take away our rights than the Republicans are. We won't be getting any rights back under Obama. If we're very lucky, we won't lose any more, but with Democrats in control of the government, I wouldn't count on it.

Don't forget, "Free Speech Zones" were an invention of the Democratic National Convention to keep undesirables away. Republicans only followed the trend.

AirForce's cyber-warfare unit

[Goeland86]

So we've been hearing on Slashdot a fair bit about what the Air Force is trying to setup as a cyber-warfare unit. While the goal is understandable (after all, the Estonia DoS attacks have demonstrated how to cripple a country through digital means), I'm a little worried that this unit being in control of the Army could lead to a real problem as far as accountability. No offense to our Air Force generals, but internet security and hacking have little to do with organizing strategic bombings or dogfighting. Who would you like to put in charge of such a division and why?

And what responsibilities would you assign them? As they are part of the US military forces, they are here to protect American interests on this other world that is cyberspace - would they be given the task of attacking hackers and their bot-nets disrupting American businesses? And how would you prefer they go about it? Since the cyber-warfare unit is one of the first of its kind, what kind of rules are they supposed to follow, in this generally un-ruled space known as the Internet?