Slashdot Mirror


Ask Cybersecurity Commission Chairman Jim Langevin About US Cybersecurity Plans

US Representative Jim Langevin (D-RI) is one of the chairs of the CSIS Cybersecurity Commission that released a comprehensive 96-page report on Dec. 8 under the title, Securing Cyberspace for the 44th Presidency. The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties. We'd like to thank Rep. Langevin and his staff (some of whom are ardent Slashdot readers) for taking time to answer your (hopefully) cogent questions. Usual Slashdot interview rules apply, and — also as usual — we'll post Rep. Langevin's answers as soon as he gets them back to us.

7 of 92 comments

  1. Regulation by Hatta · · Score: 5, Interesting

    The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity, so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet, can you convince me that a regulated internet is even necessary?

    What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.

    --
    Give me Classic Slashdot or give me death!
  2. Wow. by SatanicPuppy · · Score: 5, Insightful

    Cyberspace? I think if you want a comprehensive strategy you need to get away from words that make you seem like a "series of tubes" style neo-luddite.

    Let's move through the executive summary:

    Reinvent the public private partnership:
    Mmmmmm, pork.

    Regulate cyberspace:
    So you want to regulate it without telling anyone what to do. That should work.

    Authenticate Digital Identities:
    So, you want crypto for everyone, is that what you're saying? After that you're going to have to have some form of universal id/biometrics to keep those secure crypto identities from being stolen. And that won't actually work.

    Modernize authorities:
    The secret is realizing that just because a traditional crime is happening online, it doesn't make it a new crime. Once you take that step it's shocking how few new laws are actually needed.

    Use acquisitions policy to improve security:
    More pork. Seriously, are people buying stuff that they know is insecure? (Not counting Windows, obviously.) You should be pouring money into open source development, and not shutting down things like the NSA's Security-Enhanced Linux program just because it's not putting money into the coffers of the big campaign contributors.

    Build capabilities:
    Nice and safe, that one.

    Do not start over:
    I'd argue that there hasn't even been a real start at this point on any of the above points, so that shouldn't be hard.

    This just doesn't even seem serious to me. You need to get people who know vaguely what they're talking about, set up a secure, interoperative, interconnected network for the government. And if you manage to achieve that goal, then you can start trying to rearrange the rest of the world. But get your own house in order first.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  3. Re:Why run this out of the EOP? by gclef · · Score: 5, Interesting

    To build on this, how are you planning on addressing the credibility gap between what the executive wants to achieve, and what the rest of the internet community (at least in the US) believes you really can/should achieve?

    For example, I was at BlackHat this year, and the keynote speaker was one of the Feds, speaking about the federal plans for cyber security. The discussions in the hall after his keynote were scathing. Many of the attendees concluded that he had no clue what he was talking about. This, I think, has to be the first hurdle the executive needs to clear before accomplishing anything. Put simply: the private sector just doesn't believe in government's ability to succeed. How are you going to fix that?

  4. How will this power be controlled? by Opportunist · · Score: 5, Interesting

    I work in IT security and thus I wonder how you plan to deal with two conflicting problems: Rapid change of threat scenarios and ability to supervise and monitor the actions taken by the "cyber police".

    Threats in IT change rapidly. Over the course of days sometimes. So quick reactions to emerging threats are a necessity. You have to react fast when something emerges, you can't let debates go on forever with weeks passing to give various interest groups a say in the matter.

    How do you plan to ensure that civil liberties will not suffer from the necessary fast response when trying to make the internet a safer place? That whatever organisation is supposed to make the "net safer" will have certain powers is a given. Whenever, though, someone who has power has to do something fast (i.e. before someone could complain or interfere), the temptation to abuse this power (claiming "danger in delay", when the only danger would have been that someone could find out that power abuse is afoot) is present as well. How do you plan to address this?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Over-reaching by gclef · · Score: 5, Insightful

    These may have belonged in my earlier question, but anyway:

    1) Are you concerned with biting off more than you can chew with the "Manage Identities" portion of the recommendation? (or, put another way, are you sure the government should really be doing any of those in the first place?)

    A number of people are already uncomfortable with the idea of a national identity card (witness the problems that RealID is having these days)...your report goes even farther, though, by proposing a government-issued identity card that consumers could use for purchases online. If I'm already suspicious of a national ID, why in the world would I want to use a government-issued online ID?

    2) Also, your recommendations have some huge loopholes: point 17 says that you want to allow consumers to use strong government-issued credentials for online activities, but point 18 then says that there should be regulation preventing businesses from *requiring* the use of those credentials.

    In practice, one of these two lines will be pointless (companies will say that it's optional to do business with them, so it's not "required"). By way of example, it's illegal for a company to *require* an SSN for non-banking business, but just try to get water service in Maryland without giving it to them...you can't do it.
    Doesn't this sort of loophole make your "consumer protection" recommendations pointless?

  6. Re:Translation by girlintraining · · Score: 5, Insightful

    Ah yes, forgot -- the question. So, Mr. Chairman, what will you recommend to improve the protection of the global surveillance network from abuse by foreign and domestic interests? What oversight will be available, and what punishments will be dealt for such abuses? What's to prevent the oversight committee from becoming too comfortable and complacent in its duties that an erosion of vigilance occurs and ultimately makes it a meaningless appendage of the bureaucratic process?

    If I may offer a suggestion: Disclosure. Show us some of the near-collisions between this ethereal world and the real one, how close we've come to losing valuable assets. Show the challenges and balancing act that is as much about people as technology -- put a human face on the men and women who work in secret to protect us every day. Take us inside. Give us a reason to trust your commission, and the people they oversee, rather than empty assurances that abuse isn't happening. I accept there isn't much we can do to turn back the clock, but I'd sure like to know that the people manning the walls and standing at the gates are people like me who understand the moral implications of the choices they make every day. Because right now I have my doubts, as do millions of other Americans who look uneasily to the future.

    --
    #fuckbeta #iamslashdot #dicemustdie
  7. Re:PLEASE MOD THIS UP! by Ethanol-fueled · · Score: 5, Insightful

    No, after the Bush Administration's damages to privacy, the question should be,

    "How many civil liberties do you plan to give back to us?" :)