New Legislation Would Federalize Cybersecurity
Hugh Pickens writes "Senators Jay Rockefeller and Olympia J. Snowe are pushing to dramatically escalate US defenses against cyberattacks, crafting proposals in Senate legislation that could be introduced as early as today, that would empower the government to set and enforce security standards for private industry for the first time. The legislation would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. 'People say this is a military or intelligence concern, but it's a lot more than that,' says Rockefeller, a former intelligence committee chairman. 'It suddenly gets into the realm of traffic lights and rail networks and water and electricity.' The bill, containing many of the recommendations of the landmark study 'Securing Cyberspace for the 44th Presidency' (PDF) by the Center for Strategic and International Studies, would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. The legislation calls for the appointment of a White House cybersecurity 'czar' with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway. It would require the National Institute of Standards and Technology to establish 'measurable and auditable cybersecurity standards' that would apply to private companies as well as the government. The legislation also would require licensing and certification of cybersecurity professionals."
Standardized KeYing NETwork.
I side with Vinge in believing that segmentation of the network is a sure indicator of a government going feral.
Bruce
Bruce Perens.
Do either of them have any clue about what they're legislating? Hope they've got someone on their staffs who knows the difference between a SCADA system and a server farm, because I'm quite sure they don't. The alternative is that they've let the intel agencies and the security industry write the legislation, which is just about the worst possible alternative.
New laws -> new prisoners -> new prisons -> new slave market
They already have arbitrary control over hiring, firing, and wages at private companies, why not authority over private networks too? If we're becoming neofascist, may as well go whole hog.
The current situation is living proof of the old saying, people get the government they deserve.
Got to be some self-interest behind this. Who are the lobbyists?
"Old bag" has more than one meaning.
> "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government.
Until your elected representatives fully understand that any public infrastructure networks should not be connected to the 'Internet' -for any reason- any discussion of 'cybersecurity' is simply wasted words. WTF does it take for these 'public officials' to realize that critical infrastructure networks need to be completely isolated and secured from the hostile environment that the 'Internet' has become?
Because US government officials ALWAYS make good technical decisions. Because the placement of officials is NEVER based on politics rather than skill.
Maybe we could legislate some openness instead.
Hopefully the terrorists won't get hold of the CIP device.
Large vendors are behind this. With all the extra security certifications and processes that small businesses (or independent/open source developers) will be required to apply because of "security" open source would be closed out of the market by this.
Please watch this very carefully. Red Hat and free software companies actually large enough to have lawyers, please, please, please sniff out the rats.
The April Fools crap is over now? It's a silly day anyway.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
We all know that today is/was April 1st. We all know Slashdot will roll out a whole bunch of crappy jokes. It is getting really old.
Here's a thought...how about one really well thought, well planned, actually funny joke.
...trying to get under the wire, then please just fucking shoot me.
'Public officials' are responsible for making sure that infrastructure like traffic lights, water systems, sewage systems, and the like, are completely secure and isolated from any 'public' network like the 'Internet'. If the control systems for these critical systems are connected to the 'Internet', every citizen should be outraged at the complete disregard for the security -or lack thereof- for these systems.
Common sense approaches to system security tell me that if I was in charge of these systems they would be secured by every means possible. There is absolutely no excuse for exposing critical infrastructure to attack by every thirteen year old Romanian hacker on the planet because I was not familiar with the latest means to secure my networks. This is, after all, the 21st Century.
If passed, this could have the effect of a de facto outlawing of Linux. For example, consider the typical small business owner's plight: he uses Windows mostly on the desktop, but has a few Linux servers handling things like mail and print services.
I understand the government wants to ensure "cyber security" - whatever that means - but they, of all organizations, are the least qualified to implement it. The conflict of interest between big business and government interests is just too great for this to be anything but a tremendous waste of time and money.
And this without even considering the larger question of why the government should have any control over the software private users run on their own computers.
The society for a thought-free internet welcomes you.
What about SELinux?
Isn't it NSA sponsored?
Haven't we already been under attack for a while? Granted, I'm no expert in this field but haven't foreign nations been attacking the US for a while? Wasn't there a story a couple of days ago about GhostNet?
I heard a lot of tin foil hat people talking about an "i-Patriot Act" but I thought it was a lot of nonsense. When the government tries things like this and says they will work in a way as to try and not infringe on privacy, how many actually believe them?
The biggest concern I have would be the power to shut off networks. If there is a widespread attack that will hurt the most vulnerable, wouldn't shutting the system off hurt even more? For example, if the nations hospital networks were under attack, would we really want to shut those off? Or even traffic lights, does that sound like a good idea to anyone?
Maybe someone here with more knowledge about cybersecurity can correct or alleviate my concerns.
Misery loves company. That's why many Statists will drag the rest of society down to their level. We must all suffer together so we may be bonded together with a closer kinship they say. Ya, right. Uh huh. Sure....
And people wonder how the horrors of Communism rear their ugly heads throughout the world.
Mod parent up.
Until we get operating systems that can run code without having to trust it, we're going to keep getting the same crap, over and over.
Linux isn't the answer. Hell, even SElinux isn't the answer.
Start reading up on EROS, KeyKOS and CapROS to see about systems that might actually solve the security issues once and for all.
"a government gone feral"
I argue that it's an inevitable outcome of ecological diversification of information and the Internet. It's not just occurring in the United States. The internet is "speciating", evolving differentiation in order to limit infectious memes.
http://www.realmeme.com/roller/page/realmeme?entry=global_differentiation
Is our government nuts?
Well, yes.
But that's a separate issue.
I sure hope there is some mention of a court order before shutting down anything, whether public or private. Even if it is in such a way where they do it first, then get the court order within like 72 hours.
Because the one thing we've learned from having software mono-culture is that it's a Good Thing(tm).
Now we're attempting to fix the problem by having federally mandated mono-culture? Please!
And as someone who has worked for companies that have developed government specs, I can assure you that the process will be corrupted as to bias towards certain vendors. Any required feature that can be patented will be, and any open-source implementation will be sued out of existence.
You can even read the book or the blog
1.) Instead of a Czar, I like "Commissioner Of The Internets"
2.) Issues like this make me question where these senators get their information. They obviously do not know the current technology well enough to create laws involving it... maybe we should focus more on the lobbyist groups that funded their campaigns and figure out who benefits the most from this!
Anything involving a new "czar" invariably fails to achieve its objectives and shows disregard for our rights. Joe Biden is credited with coining the term "Drug Czar" and was a vocal proponent of making it a cabinet level appointment. Ironically, the current administration has downgraded the post to a non-cabinet level position. I hate the term and wish it would go away, it sounds anti-democratic and seems to act accordingly.
This may be a late April fools joke by government standard, but it sure contains plausible concerns.
Concerning the document, I would say that it isn't a joke, but you may have to express some concerns about if the proposed methods are causing more problems than they are solving.
If you shut down a whole network, then you also cut off the owners of possibly infected computers from the services that may help them to clean them up. This has been tried before within larger companies, which just ended in a deadlock: nothing was done at all until the network was up again. In effect, you got an ultimate DoS attack!
If anything - put more effort into hunting down and apprehending the perpetrators. This will give a much better result in the long term. In effect - follow the money.
Another approach would be to put more effort into hardening of operating systems and tools for operating system management. SELinux is one good example, but unfortunately this only works to some extent and it only covers one area of security measures.
One detail that is also cause for concern is ISPs that migrate from several routed segments to one large segment where switches are used instead. It makes sense from an economic perspective, but it doesn't make sense from a security perspective. This means that more computers can be joined into dark nets using private IP addresses for internal communication, which in turn can make attacks even better coordinated.
Large switched segments where private IP addresses propagate can also result in new intriguing ways of obscuring file sharing traffic and other traffic that is to be masked. This can result in the funny effect of making a whole town suspected of possession of child pornography.
the terrorists build a CIP device, and then storm the White House, and then they get bioweapons in DC.
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
as in, the legislators, not the day
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
> [The bill] would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.
And any of us who went public with information on illegal/un-ethical wiretapping or gross incompetence would lose their license.
That'll shut up those pesky security professional/privacy advocates.
Federalizing cybersecurity?
FUCK THAT!
Big Brother already has a hell of a time keeping the US's *physical* borders secure, with all of the politically-correct bullshit that is allowing drug smugglers, human traffickers, illegal aliens, and other less-desirable what-not to cross the border illegally at will.
If you want an idea of how it will go, take all the political correctness and bureaucratic hurdles that have prevented effective enforcement of physical borders. Then, substitute *your* computer for the concept of a national border.
Scary thought, huh?
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
While I applaud the Senators' efforts to assist in securing cyberspace, historical efforts to legislate cyber-security have not proven effective. (that was tough to say with a straight face) To wit, examine the Government's own record: Currently all federal agencies are required to follow strict guidelines/policy, yet the average info-security grade given by OMB, for FY2007 was a C-. How far would you get in life if your average grade was a C-? I'd guess the average Slashdotter had better than a 1.7 average.
Further, they seem to think that if NIST establishes "measurable and auditable cybersecurity standards", then all will be right with the world. NEWSFLASH - The Fed already has that for the entire GOV, and while many agencies have improved, it has not shown to be the panacea they intended. According to OMB's report out 3 weeks ago (go to page 9), the DOD, the agency with the most important security concerns and highest risk (and consequently the most stringent InfoSecurity program), is failing miserably.
Funny, if you read the FISMA top page, it refers to 'cost-effective' security programs, but nowhere does it mention effective programs...
New legislation is not the answer - holding people accountable is. [to keep this relatively short I'm not going to expand on this - you know how to find the laws]
As one previous poster noted, a bunch of us posting here is not going to change anything. So, I will end this with a call to action for all Slashdotters - write a letter to your Senator and Congressman and let them know (using clear, thoughtful words) that this is an f'ing stupid idea and that they should not support it.
Find your congressman
Find your senator
Most of what everyone is going on is speculation. We don't have the bills to read so we don't know. It could simply be limited to private companies that provide electricity and power for all we know, or any public infrastructure-based system.
Just calm down, wait until the bills are even introduced, read it, pick it apart, contact your Senator and express your dismay over the project.
communists, terrorists and now hackers, what is next, aliens?
Both China and Russia have enormous 'cyber-armies', for want of a better word. Funded, organized and made up of proud nationalistic young people. America has hacker culture, mocked, criminalized and alienated. Who do you think is better prepared? America has the manpower and the ingenuity; it just needs to bring hackers and IT culture in general in from the cold, make it something to aspire to, not just to get beaten up in high school over.
And what is this stuff about "water"?
Sorry, but the States own the waterways.
My chief worry is actually not so much about "increased powers" - I suspect they can already do most of this in one way or another. But centralising things means that an attacker only needs to find one weakness, so to speak, and then they would be able to wreak havoc on a grand scale.
Yeah, like Britain, Germany, France, the Netherlands, Sweden, Norway, Spain, Italy, Belgium - in fact most civilised countries in the world.
If you want to live in a dog eat dog world go and do it. See how long you last. I don't believe communism is responsible for the recent financial meltdown, throwing people out of work and their homes.
Idiot.
At the rate the world population is growing, you will either get along with others peacefully or you will engage in constant war. No one group or person has any more intrinsic rights than any other, so why pretend they do? Unless you want everything YOUR own way of course, which marks you out as a selfish asshole, no better than Madoff.
> I don't need no education
I like Pink Floyd's music as much as the next man, but quoting them, out of context, in a forum which is supposed to be for informed debate won't get you brownie points, at least with me. The opposite, in fact.
> Common sense approaches to system security tell me that if I was in charge of
> these systems they would be secured by every means possible.
OMG, I'm glad that you aren't in charge of things. Do you have any idea how much it would cost to secure them "by every means possible"? That would include large vaults and armed guards, eh? Like with everything else, you have to evaluate advantages and disadvantages and make a decision. Not fly off the handle like you're doing. This doesn't mean I disagree that connecting the systems to the Internet might be a bad idea. Assuming the systems do need communications, you'll still need to connect them to some other network, and you'd have to secure that network instead. BTW, if you want that network to be hermetically isolated from attack, you'd probably have to build it from scratch, at an enormous cost.
Frankly, I'd guess that using specially certified VPNs running between specialized embedded endpoints which run off of non-writable memories might be secure enough, even if it used the Internet as a communications medium.
NSA started SELinux but stopped development several years ago. Or at least, stopped sharing what they developed. ;-)
Your sig is dumb. You can buy 1U dual opteron systems for like $150. I have one I'll sell you for that price, in fact. It's an IBM with IPMI and 2GB, expandable to 12GB.
That the phone system is a network? That traffic lights are often networked, and have to be remotely accessible? Etc. etc. etc.
There's more to networking than "the internet".
China also has the death penalty as the maximum for hacking. Russia does not care about hackers going after the US and taking our money. Likely a kickback kind of thing in Russia.
Right after the conficker worm hits everybody hard, we finally get someone with brains doling out a new regulation that makes companies responsible for their work environment, even on the PC.
Awesome, I hope they come out with proper fines and hierarchy of payment levels.
Now if they could do this with recycling, it would be really great.
As much as I agree with the fears of significant government intrusion, I also have to say that national cyberdefense is every bit as important, and rapidly more so, than national military defense. Without a unified strategy of national defense, we've left ourselves extraordinarily vulnerable to attack. And although we have some cyber 'militias' in the country, we have no such dedicated, professional group. Imagine getting paid well and fairly by the government to develop and promote secure systems!
Had a discussion with one of my security guys and he had a very insightful point. Security is the best when there is a disparate security apparatus, where I might use X, Y, and Z vendors for my security solution and my competitor uses A, B, and C. This creates complexity for malicious hackers due to complexity created by this disparity. By mandating standards, the Government creates a target that security vendors have to reach and have no incentive to go beyond that standard. This might create an unintended consequence that net security value goes down due to similar approaches.
My current research is centered on the reimbursement systems of the Centers for Medicare and Medicaid Services (CMS). I have noticed that CMS and Congress are good at making decisions that focus on some hot button issue, without considering the fallout of those decisions. For example, the Prospective Payment System (PPS) of Medicare and Medicaid has lowered health quality due to changes in incentive. Conversely, the proposed fixes to PPS, Pay for Performance (P4P) and non-payments of Hospital Acquired Conditions (HACs) are regressive in nature, targeting the urban and rural poor disproportionally.
The fact of these unintended consequences that the government creates gives me a nice, warm feeling on the future of cyber security.
Obviously, the "enlightened self-interest" of companies doesn't work, given the constant reports of breakins.
And for those who don't realize (like Jane Q. Public), utilities like the electric grid, and municipal water and gas supplies, are computer controlled (no! duh!), and in some cases, Dilbert managers have had the controls made accessible via the 'Net, rather than an air gap between their control systems and the 'Net.
A year or two ago, over in the UK, there was a train accident - don't remember if it was a derailment, or a passenger train running into a freight train - because some idiot teenage cracker had gotten into the rail line's control system and screwed with the actual switches on the tracks.
So, yeah, it *is* what we need.
We can't trust the private sector to spend money to actively protect these same systems, and they are key to our survival. There have already been hundreds of successful attacks on these systems throughout the nation. Each utility does their own thing, which means differing levels of protection, if any, across like utilities within the same state or region.
Controlling potable water is critical. There needs to be similar security on flood control systems. The Army Corps of Engineers, Civil Works side of the house, manages flood control throughout the country with specialized data centers. It's already tough enough to do that job well with Mother Nature throwing constant change-ups. Can you imagine what might happen if someone took over those systems and created disasters?
Water and energy sources can't be taken too lightly. If someone malicious shuts down power, you lose critical services, such as heating, cooking, and the ability to read Slashd
The government can't find its own navel with a mirror, 500,000 pages of regulation, a constellation of GPS satellites, Echelon, and an Army Division. What makes anyone think they can handle the cybersecurity for themselves, much less every little mom and pop organization? Oh yes, they are only talking about critical privately held assets now, but this is a slippery slope to grab control of every computer on the planet. I have "free" anti-virus software installed on all my systems at home because I take classes at a local community college and of course they don't want a virus getting into the network from my house. So far it's voluntary. But sooner or later even individual personal computers will be spotlighted as the hole in the dike that still needs plugging. And when that happens, we'll all have mandatory hardware based security built in and controllable by the Government. After that, when NIST is telling us what a "virus" is, sooner or later, any "unproductive" or "harmful" speech that doesn't serve the common good will be the virus that needs squashing. At that point it's just a matter of time before Stalin shuts me down for such speech, or they create a master AI program (SkyNet) who decides that the only leak still needing plugging is the pesky Carbon Based Life forms that pollute the planet and introduce viruses into the otherwise virtual perfection that the Internet has become.
Rockefeller wouldn't be interested in locking down the internet, to suppress information about the activities and history of his banking family would he? video series: Money as Debt
I hope you don't mind me pasting that post into a letter I'm sending Olympia Snowe as one of her constituents.
Good Idea - Securing various parts of our nation's infrastructure against cyber-attack. Bad Idea - Leaving the job to politicians or one of their appointees. Who knows, maybe we will luck out and someone competent will take the post. I'm not holding my breath though. Besides, how would a single government office be able to effectively coordinate security efforts across several disparate industries and networks? The best I would hope for the government to do is write up a set of standard security procedures that any company could and should follow (e.g. strong passwords, patch your systems, lock down users, don't run as root, etc.) and push for greater end-user education to help prevent social-engineering and phishing attacks (don't open email attachments, don't install crap from the web, don't give anyone your personal info, don't automatically click yes to everything, etc).
In finance, companies routinely send questionnaires to each other to ascertain whether security standards are being enforced. The problem is, the questions are often disconnected from the actual tasks and practices - one-size-fits all queries. Since the questions are generally more-than-half bullshit, you can imagine how the answers come out. The buzzword compliance ratio runs high. Measures that promote or enforce actual security - not so much.
Having more law from the government for this will accomplish one thing: greater standardization of these questionnaires. This will contribute to an illusion of security, and give companies greater CYA capability, based on their show of compliance with the legislated standard. Greater CYA capability leads to lowered concern with actually being secure, since meeting the standard becomes prioritized over actual results.
Ah, but the certification industry will prosper, as each firm shells out thousands for workshops so they can get someone on staff into full buzzword compliance.
The reason s/he posted as anonymous coward is obvious: s/he has karma to protect.
Now please do the right thing and make an exception to the usual rules about not modding ACs.
> Concerning the document, I would say that it isn't a joke, but you may have to express some concerns about if the proposed methods are causing more problems than they are solving.
Wait, the government is displaying (potential) ham-fisted incompetence, and you think "ah! That must be a joke!".
You're not cynical enough to be on /.
... and its security is impressive. It's a trusted computing platform and I would think also a field test. The system has been hacked once or twice, exploiting a weakness in the system call interface of the hypervisor and through game exploits, however Microsoft is not seeing by far the kind of hacking and repurposing of their hardware that Sony has. (Spoofing the DVD copy protection is not hacking the box, running your own code on it is).
Now with this kind of legislation all kinds of ahem 'Change' can be mandated through private enterprise right onto your desktop. Your ISP could at some point be made to only accept trusted computing platform devices on their network. Those tcp systems would when connecting also be required to handshake with an authentication system to show they are in fact tcp devices. And since they are tcp devices you will not be in control of your machine anymore. You will not be able to run any code that has not been approved and signed. Also with your data you will be at the mercy of whatever policy whatever future authority might set for it. The RIAA wants to indiscriminately remove all mp3 files from your system? The next time your box downloads a mandatory update those files will be gone and no way you're getting them back on an encrypted hard drive (nooo.. YOU don't have that key, the trusted platform module has it and it isn't giving it to you, just to your tcp aware hard drive).
In the end they will be in complete control over your system, they will be able to mandate what you do with your data, what apps you run, how often and for how much (pay per use schemes). They will also be able to run what they want on your box without you ever knowing. (Also think about that most computers nowadays come with built in cameras and mikes hint hint).
Sounds like a neat piece of legislation, given what you can do with it in the end.
If there were ever a driver for IPv6 implementation, this is it. Big Brother is looming large on this one. Of course it's for our security. In the end, we will have IPv6 addresses on the power meters so that the government can punish people who use too much power (in the guise of saving the environment of course). The traffic cameras will have addresses (in the guise of finding lost children of course). Every citizen will be given their own address at birth. Good bye SSN, hello 01:32:fd:...., That number will jump from device to device with them. ("You want phone service? Sure, just give me your IPv6 identifer.") I can't wait until they integrate the phone system with a DNS like system. That will make it super easy to protect us from problems, because they can instantly find us at any time. Just think of all the wonderful possibilities that can come from cyber security! I can see it now...
tracert joeqpublic
Tracing route to joeqpublic [01:32:fd:...]
over a maximum of 9999 hops:
1 BigBrotherDataCenter.Pentagon.Washington.DC.USA
2 EpicPrivacyInvasionDataWarehouse.USA
3 California.USA
4 Southern.California.USA
5 LosAngeles.Southern.California.USA
6 90012.LosAngeles.Southern.California.USA
7 Starbucks.90012.LosAngeles.Southern.California.USA
8 350SGrand.Starbucks.90012.LosAngeles.Southern.California.USA
9 Register01.350SGrand.Starbucks.90012.LosAngeles.Southern.California.USA
10 iPhone.joeqpublic
Trace complete.
Just think of how many jobs can be created! People are going to need to set up all those nodes, and keep them running. Device manufacturers are going to have to get their devices certified as BigBrotherCompliant. There are going to need to be working groups, and policy councils, and advocacy teams, and, and and.... I bet there are bureaucrats somewhere right now getting big fat hard-ons thinking about how long it will take to implement this kind of crap (for the good of the citizens of course).
Does this mean that I'll have to take off my shoes before I load /.?
I just wanted someone to undo all that had been done in the last eight years. It seems I'll not even get that.
So tell me, which of the two allowed parties do I vote for for a smaller, less centralized government that makes civil liberties paramount?