Slashdot Mirror


New Legislation Would Federalize Cybersecurity

Hugh Pickens writes "Senators Jay Rockefeller and Olympia J. Snowe are pushing to dramatically escalate US defenses against cyberattacks, crafting proposals in Senate legislation that could be introduced as early as today, that would empower the government to set and enforce security standards for private industry for the first time. The legislation would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. 'People say this is a military or intelligence concern, but it's a lot more than that,' says Rockefeller, a former intelligence committee chairman. 'It suddenly gets into the realm of traffic lights and rail networks and water and electricity.' The bill, containing many of the recommendations of the landmark study 'Securing Cyberspace for the 44th Presidency' (PDF) by the Center for Strategic and International Studies, would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. The legislation calls for the appointment of a White House cybersecurity 'czar' with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway. It would require the National Institute of Standards and Technology to establish 'measurable and auditable cybersecurity standards' that would apply to private companies as well as the government. The legislation also would require licensing and certification of cybersecurity professionals."

8 of 194 comments

  1. Not such a good idea by Bruce Perens · · Score: 5, Interesting
    I don't tremendously trust the government to:
    • Maintain competence in a technical topic undistorted by political agendas.
    • Be free of influence from deep-pockets technical companies to the disadvantage of smaller and disruptive players.
    • Be platform-independent in their requirements and certification process.
    • Segregate the power to turn off segments of the network to manage attacks vs. turning them off to manage other issues such as some misguided concept of "piracy", etc.

    I side with Vinge in believing that segmentation of the network is a sure indicator of a government going feral.

    Bruce

    1. Re:Not such a good idea by clarkkent09 · · Score: 5, Informative

      Missed an important one:

      - Not abuse access to data held by said companies

      Let me get this straight, NSA (the agency recommended for the job according to tfa) will conduct "ongoing audits" of private networks owned by the utilities (telecoms too?) and nowhere does it say that this does not include access to mountains of data held by those utilities on just about every person in the US.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    2. Re:Not such a good idea by phantomfive · · Score: 5, Insightful

      How so? Attaching some strings to the tax money they pump into failed businesses?

      You clearly haven't been paying attention. Apart from trying to tax bonuses with unconstitutional laws, they've bailed out some companies while letting others fail with no clear motive, they've bailed out companies when letting them fall into bankruptcy would likely be a better option, they've spent a lot of money on projects that won't particularly help the economy all that much, they've spent so much money that inflation will be hard to avoid in the near future (and you REALLY don't want inflation during a recession), they've sent unclear messages about what they are trying to accomplish (some have speculated that Bernanke's ultimate goal is to never be accused of not spending enough), and on top of it they've proposed a budget that will triple the national debt in 10 years, and double it in five. If you want to go back a little farther, we can talk about starting two wars, not a great idea to begin with, but more importantly they were waged with clear incompetence from the beginning.

      As for the new cyber-security initiative being flawed, compared to what? The baseline is: nothing.

      I don't know if you are trolling here, or if you just haven't read the article, but they want the power to shut down any network they want. This is significantly worse than nothing, for reasons pointed out by Bruce above.

      Sometimes it is better to do nothing. As the saying goes, "Don't just do something, stand there!"

      --
      Qxe4
  2. Cybersecurity 'Standards' by actionbastard · · Score: 5, Insightful

    "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government.

    Until your elected representatives fully understand that any public infrastructure networks should not be connected to the 'Internet' -for any reason- any discussion of 'cybersecurity' is simply wasted words. WTF does it take for these 'public officials' to realize that critical infrastructure networks need to be completely isolated and secured from the hostile environment that the 'Internet' has become?

    --
    Sig this!
    1. Re:Cybersecurity 'Standards' by jofny · · Score: 5, Insightful

      "Public Officials" have absolutely -nothing- to do with where "public infrastructure" networks are connected since this "public infrastructure" is almost exclusively -privately- owned. You really, really don't want the federal government making these decisions. Really.

  3. Right! by koterica · · Score: 5, Insightful

    Because US government officials ALWAYS make good technical decisions. Because the placement of officials is NEVER based on politics rather than skill.

    Maybe we could legislate some openness instead.

  4. Never was the "It's a Trap" Tag More Appropriate by Anonymous Coward · · Score: 5, Interesting

    Large vendors are behind this. With all the extra security certifications and processes that small businesses (or independent/open source developers) will be required to apply because of "security" open source would be closed out of the market by this.

    Please watch this very carefully. Red Hat and free software companies actually large enough to have lawyers, please, please, please sniff out the rats.

  5. Re:Last one out.... by Z00L00K · · Score: 5, Interesting

    This may be a late April fools joke by government standard, but it sure contains plausible concerns.

    Concerning the document, I would say that it isn't a joke, but you may have to express some concerns about if the proposed methods are causing more problems than they are solving.

    If you shut down a whole network, then you also cut off the owners of possibly infected computers from the services that may help them to clean them up. This has been tried before within larger companies, which just ended in a deadlock: nothing was done at all until the network was up again. In effect - you got an ultimate DoS attack!

    If anything - put more effort into hunting down and apprehending the perpetrators. This will give a much better result in the long term. In effect - follow the money.

    Another approach would be to put more effort into hardening of operating systems and tools for operating system management. SELinux is one good example, but unfortunately this only works to some extent and it only covers one area of security measures.

    One detail that is also cause for concern is ISPs that migrate from several routed segments to a large segment where switches are used instead. It makes sense from an economic perspective, but it's not making sense from a security perspective. This means that more computers can be joined into dark nets using private IP addresses for internal communication, which in turn can make attacks even better coordinated.

    Large switched segments where private IP addresses propagate can also result in new intriguing ways of obscuring file sharing traffic and other traffic that is to be masked. This can result in the funny effect of making a whole town suspected of possession of child pornography.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.