Slashdot Mirror


Senate Panel Approves Cybersecurity Bill

GovTechGuy writes "A Senate Committee approved a bill that would give the president an emergency 'kill switch' over the Internet, but added some restrictions to the bill. The president may no longer simply assert that the threat remains indefinitely, he must now seek Congressional approval after 120 days. Still, privacy advocates are concerned about the government's ability to shut down private networks. Sen. Susan Collins (R-Maine) 'said she was disappointed to read reports that the bill gives the White House a "kill switch" for the Internet, an authority she says the president already has under a little-known clause in the Communications Act passed one month after the December 1941 attack on Pearl Harbor by the Japanese. ... Collins [argued] the new bill actually circumscribes the president's existing authority and puts controls on its use.'"

19 of 269 comments

  1. Wait... by Agent+Z5q · · Score: 4, Insightful

    Wait a minute, is this the USA or North Korea I'm living in?

    1. Re:Wait... by LWATCDR · · Score: 4, Insightful

      I suggest you actually read the law.
      The Communications Act already gives the president permission to do this. It was passed right after WWII started.
      Do you think you could send a telegram to Japan or Germany in 1943?
      Nope.
      The really rampant fear that people seem to have is just mind numbing at times. Yep go ahead and please debate this but do not use such silly chicken little fears in the debate!
      All that can do is make anyone questioning this bill look like a nut job.
      Instead of this borderline pathological fear let us all reason.
      Why should we pass this law?
      What benefits will it have?
      What risks are involved?
      How can we prevent abuses while keeping the benefits, if there are any?

      No president will use this law lightly because it would be stupid. This would be at the same level as declaring martial law.

      Besides, the government would never use this to silence opposition or debate.
      They would use bot nets to make classic DOS attacks on sites that couldn't be traced or some other tactic that would be more subtle and wouldn't disrupt commerce and the smooth running of the internet.
      To use the big red switch would be clumsy, inefficient, and just stupid. Please, if the government was going to be that evil don't you think they would be as smart and effective at being evil as some random poster on Slashdot?

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    2. Re:Wait... by captaindomon · · Score: 3, Insightful

      Although I can appreciate the comparison, and it is useful for helping to understand why a police state / dictatorship is a dangerous path we don't want to start down, we also need to be very careful. The USA is NOT remotely like North Korea, and by comparing them too closely, we minimize and marginalize the problem that North Korea is, both for its citizens and for the world. Let's show the citizens of North Korea some respect and admit that life in the USA is NOT like life in North Korea, or Iran, or large parts of Africa. It seems like people that make statements like this have not traveled much, or talked to people that have lived under true dictatorships.

      --
      Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
  2. Joe Lieberman by roman_mir · · Score: 4, Insightful

    Joe Lieberman is a republican mole in the Democratic party. This much should be obvious from everything that he has done so far, his stance on the health insurance is a good example.

    Remember, he is the guy who wants to spend about 187 million to upgrade the Secret Service systems/hardware (pork belly spending obviously), and now he is the guy who came up with this 'Cybersecurity Bill'.

    Obviously this has nothing to do with any cybersecurity, the politicians will approve it, whether republicans or democrats, so that they have a way to kill dissenting opinions and news that the Internet allows to spread around. One of the arguments Lieberman gave for this is that China can do it so USA should also be able to. Does USA want to follow China in terms of treating the dissent, the freedom of press, the freedom in general? I guess now, that everything else is made in China this is just the next logical step - import their governing principles as well (at this point it doesn't seem that much needs to be imported anyway).

    1. Re:Joe Lieberman by Zancarius · · Score: 3, Insightful

      Joe Lieberman is a republican mole in the Democratic party. This much should be obvious from everything that he has done so far, his stance on the health insurance is a good example.

      I'm a Republican, and I really can't stand the guy. Remember, this is the same Joe Lieberman who has supported in the past activities that involved censorship of specific media (music albums, etc.).

      I'm currently reading the bill as was linked from this comment, and it reads as though it were crafted by Symantec, McAfee, Sophos, and all the other "security" vendors who would very much like to be granted a fantastic revenue stream required by law to line their pockets (aside: I suspect it was crafted by them or by lobbyists for their industry)! What I mean specifically can be best explained by reading a small snippet of S. 3480:

      develop and acquire predictive analytic tools to evaluate threats, vulnerabilities, traffic, trends, incidents, and anomalous activities;

      This is on page 49 of the PDF. There's 10 pages of recommendations about acquiring "tools" to achieve specific goals--in other words, purchasing the required devices from recommended vendors. The entire bill if it survives as it is written is nothing other than a government-issued directive to dump a significant amount of taxpayer money into various security firms in an effort to protect national resources. Though, what worries me is that there appear to be mandates for federal oversight of private systems to ensure that they're following best practices. Coming from the same government that has used the password "password" to protect critical systems, I can only fear that such a mandate would be much more harmful than any sort of purported "cyberattack."

      If you read the FAQ the Senate has posted relating to the bill it is clear that no one on the panel has any understanding of what "security" really is. Worse, while the FAQ claims that this bill restricts the powers given to the President under the Communications Act of 1934, I can't help but read into S. 3480 that it is going to involve so much government oversight that we might be swamped simply trying to implement all of the requirements. I hope I'm wrong; I am not a Congress critter, so it's feasible this language might be directed exclusively toward Federal networks.

      The Slashdot summary appears to be incorrect. It appears that the time limit placed upon such measures is 30 days. However, I can't help but think that it can be extended indefinitely. From the bill:

      (1) IN GENERAL.--Any emergency measure or action developed under this section shall cease to have effect not later than 30 days after the date on which the President issued the declaration of a national cyber emergency, unless--
        (A) the Director affirms in writing that the emergency measure or action remains necessary to address the identified national cyber emergency; and
        (B) the President issues a written order or directive reaffirming the national cyber emergency, the continuing nature of the national cyber emergency, or the need to continue the adoption of the emergency measure or action.
      (2) EXTENSIONS.--An emergency measure or action extended in accordance with paragraph (1) may--
        (A) remain in effect for not more than 30 days after the date on which the emergency measure or action was to cease to have effect; and
        (B) be extended for additional 30-day periods, if the requirements of paragraph (1) and subsection (d) are met.

      I really hope that doesn't imply such an action could be extended indefinitely, but the way I'm reading it sort of suggests that if the President or the director of the office this bill creates d

      --
      He who has no .plan has small finger. ~ Confucius on UNIX
  3. Re:not likely to happen by medcalf · · Score: 4, Insightful

    Say what? I think you are mistaken. Certainly, nothing in the Constitution seems to give the President that power.

    Although, of course, the government simply ignores the Constitution all the time.

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  4. Re:not likely to happen by Pojut · · Score: 3, Insightful

    For most people, it's the possibility part that bothers them.

    Removing knee-jerk reactions and looking at this objectively, I can understand why the government would need the power to do this...but with all the public attention they've been giving to "cybersecurity" lately, I can completely understand why this makes people very nervous.

    Of course, the most common argument (one which I agree with) is why are mission critical systems accessible from the "normal" Internet in the first place? Why aren't they built on an entirely separate network that sees zero interaction with the "public" Internet, like something akin to a CCTV system?

  5. Re:Can someone explain? by Pojut · · Score: 3, Informative

    From what I understand, they would shut things down at the ISP level.

    "What's the point of a modem noise, if you are unable to connect, Mr. Anderson?" sort of thing.

  6. Re:not likely to happen by silentquasar · · Score: 5, Interesting

    ...as if the U.S. Government actually follows the Constitution anyway. (I'm lookin' at you, 10th Amendment) I have little faith that anything can really hold the U.S. federal government back from doing whatever the heck it wants to do.

  7. Re:Can someone explain? by ZDRuX · · Score: 4, Insightful

    This will be done at the ISP level. All ISPs in America will have to comply or face fines and other charges, I'm guessing. Sort of like having your own remote-controlled kill-switch box at every ISP.

    I don't see how anybody in America will be able to use the internet to get news or communicate with other Americans in a time of emergency if this should ever go into effect.

    --
    The magical number is: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  8. Good idea in theory... by Nautical+Insanity · · Score: 5, Interesting

    I'm probably cruisin' for a bruisin' by saying this, but there probably should be some form of last defense for computer systems throughout the nation. In the event of a highly-destructive fast-spreading virus, being able to shut off all connection at the ISP level would buy enough time for security researchers to find a way to negate the threat.

    That said, I have qualms about the implementation. Some proposals:

    1) The killswitch needs to be an all-or-nothing proposition. Either all ISPs are mandated to shut down or none. The economic magnitude of such a decision would force any internet shutdown to be only used in the face of an even worse threat.

    2) The requirements for activating the shutdown need to be more specific than "an emergency." Japan was able to spend itself into debt by repeated use of "emergency" spending. The requirements for a shutdown of the internet should be a clear and widespread danger to computer systems.

    3) 120 days is far too long of a time to have before the decision should come up for review. Four months without computer-to-computer communication that has become integral to the economy is far too long to be granted without oversight.

    I have not yet had a chance to read the PROPOSED bill. Note that this story is about the bill making it out of committee, not becoming law. Does anyone have a link to the text of the proposed bill?

    1. Re:Good idea in theory... by Pojut · · Score: 5, Informative

      Does anyone have a link to the text of the proposed bill?

      Ask, and ye shall receive. Note: PDF link

      I found it at this page.

    2. Re:Good idea in theory... by Manip · · Score: 4, Insightful

      Much like the old guys at the White House I think you've been watching too many Hollywood movies. The destructive power of this kill switch is ironically the only thing dangerous enough to warrant even having a kill switch. Even if there was some kind of "super virus" that was taking out routing on the internet, shutting the internet seems about as effective as killing the patient to save their leg.

      I'm really yet to read any scenario that makes sense where having this would be useful. I can think of many cases where the government could happily abuse it for political reasons - particularly if they had the power to shut down political opposition in order to "protect the public from terrorism."

  9. Re:habeas corpus by colinrichardday · · Score: 4, Insightful

    The power to suspend habeas corpus is stated in Article I of the Constitution, which means that Congress, not the President, has that authority. Lincoln simply ignored the ruling.

    http://en.wikipedia.org/wiki/Ex_parte_Merryman

  10. An 'emergency' could be something like.... by ch-chuck · · Score: 3, Interesting

    A new Disney flick leaked - if not stopped immediately that could cause irreparable harm to the entertainment economy.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  11. Actual use by halcyon1234 · · Score: 5, Funny

    Michelle: Are you coming to bed?

    Barack: I can't. This is important.

    Michelle: What?

    Barack: Someone is wrong on the Internet.

    Michelle: Oh, for the love of-- {pushes button}

  12. Re:not likely to happen by ciphertext · · Score: 3, Insightful

    They do, for the most part, and for most of the agencies (DOD, FBI, CIA, DHS, etc...). They have redundant network capabilities served both by wired and wireless means (micro-wave and satellite transmission capabilities). The "business" apps at those agencies do not necessarily have a private network. The terminals that serve you the internet at a great many of these agencies also have access to these other applications that interact with the "shadow" networks. Also, the same network providers that provide you and me with our "pipe" (AT&T, Verizon, Quest, etc...) also provide the "pipes" to the other, "shadow" networks. Should the systems at those installations become targets for malicious assault, then it could shut down entire sectors of the economy. The NASDAQ is one such "highly available" system that could be harmed, even though they have their own network. The financial networks that carry SWIFT, Cirrus, Visa, and ATM transactions would be susceptible even though they are on private networks. I'm not sure how turning "off" the internet will help. Wouldn't removing access to the internet have the same effect as a DDOS attack? The outcomes are the same aren't they (i.e. loss of connectivity)? The real goal of cyber attack is either one or both of the following:

    Gain Access

    Deny Access

    If I were a cyber-assassin bent on disabling large networks for the purpose of disrupting an economy, I now would have two tactics available to me. I could launch my DDOS against a financial network or sufficiently large commercial target and hope to disrupt their capabilities. The other tactic would be to launch the assault and wait for the "kill" switch to be engaged. The outcome in both of those scenarios is favorable to the attacker.

    --
    To know is to have knowledge....to understand is to be enlightened.
  13. Re:not likely to happen by b4dc0d3r · · Score: 3, Insightful

    Since you understand why the government would need the power to do this can you explain it to me? If a company is compromised, either the company or the upstream provider could yank it offline. In most cases the upstream also has an upstream, all the way to the backbone connections.

    Wouldn't it be better for the administration to simply communicate with the backbone providers? If the backbone is compromised, they should have their own kill switches - or else the government can't order them to do anything anyway. I don't see what this adds, the ability is already in here.

    If the administration calls up a backbone and says there is a cyberattack going on and you need to shut things down, let's think about what this means. The administrative arm of the government knows something is happening and the backbone has NO IDEA? That's not possible. The backbone would learn via SANS or CERT or whatever else just like the backbone would, and if the gov knows before the backbone there is serious mismanagement going on.

    Shutting it down would become a goal for the terrorists. Let's MAKE THEM TURN OFF THEIR OWN INTERNET. It worked with the WTC attacks, they hate our freedoms so we took them away ourselves. This will be no different. To turn it up to 11, anyone who is for this law is helping terrorists and qualifies for treason.

  14. Why the internet? by elucido · · Score: 3, Insightful

    Why would they only shut down the internet? They aren't talking about shutting off radio, telephone, or TV. It's only the internet because the internet is the last free speech zone left in this world. To shut down the internet for any reason is to kill free speech, I cannot think of any logical reason where shutting down the internet makes sense.

    A civil war situation? Even if there were a civil war we'd need open communication just to know what's going on and who's winning. Who exactly benefits if there's no communication? The citizens certainly won't. And I'm talking the ordinary citizens here not the slashdot types who are sophisticated enough to figure out how to communicate by radio or other devices. Shutting down the internet hurts individuals who get all their news, all their information and do all their communications on the internet.

    Honestly most of us would rather take a virus than shut down our computer.