Sen. Bond Disses Internet 'Kill Switch' Bill

GovTechGuy writes "Sen. Kit Bond (R-Mo.) has introduced his own cybersecurity legislation with Sen. Orrin Hatch, and he had some harsh words for a competing bill sponsored by the Senate Committee on Homeland Security. Bond said that bill, which has been criticized for allegedly giving the president a 'kill switch' over the Internet, weighs down the private sector with mandates and puts too much on the plate of the already overburdened Department of Homeland Security. Sen. Bond's bill would create a new position in the Pentagon, reporting directly to the president, in charge of coordinating all civilian cybersecurity. Any private-sector involvement would be voluntary and free from legal challenge, rather than mandated."

Stop that task in the name of the law!

[LostCluster]

We don't need a military-like "big red button" in the boss's office that shuts down all Internet systems... that would open us up to even worse problems. (Did anybody watch the recent CNN special "We Were Warned: Cyber Shockwave" about this situation exactly? If you shut down all civilian communications, how are you going to tell workers where they're needed? A simple attack somewhere along the power grid, and nobody will know where the fault is to repair it.)

But, there is something we should give over in this area. The ability to kill programs that are causing damage to other systems or the Internet structure. Basically, if food has a problem, we recall what had the problem, not all food. If MS-SQL has a problem, we have an Internet outage... what if Microsoft was able to say "You must patch to version 7.3.43... we've got a security problem with 7.3.42." Basically, if you're running a "wrong" version of an application, you shouldn't be allowed to expose that to the Internet... you're just going to spread the worm of the day once you get caught by the bad guys. Can we have some good guys shut you down first?

The difference is clear... you don't shut down the whole Internet when things go bad, you shut down the bad application. SysAdmins will notice their service is down, and hopefully will get a nice clear message that they've put off the patches for too long, and if their server wasn't already spreading the worm, it was about to before the kill switch got in the way.

This is much like the college solution where if their honeypot detects that you've sent out a worm packet, they tell the nearest network switch to cut you off. You notice your IM client can't connect and neither can your web browser, and call IT. The Internet isn't down... you're down for the safety of the computers around you. Bring your machine to IT, pay for the cleanup service and a free copy of the college's favorite anti-virus, and while you carry your machine back to the dorm they turn your port back on.

This is just basic cyber-defense. You're totally secure if you unplug everything... but then you also lose the services which are the point of having the server. We need to use the good servers to keep some level of communication going... and spread the word that the bad servers need the patch that was released a few months ago! When things go wrong, you don't throw the whole thing out without trying to fix it first!

Re:Stop that task in the name of the law!

[imthesponge]

Under this system, of course Bittorrent would end up being classified as a "bad application".

Re:Stop that task in the name of the law!

[bky1701]

How about the extremely common situation that an older version of software (often firmware) allows something the company did not intend, like jailbreaking? I don't want to allow companies to legally force people to update, that gives far too much power to greedy companies like Apple, who would love nothing more than that power. What is to stop them from releasing a "new" version of something which breaks the device as soon as they have a new model ready to sell?

Nothing.

Government is fine. Keep CORPORATIONS out of my bedroom. They have no reason to be there.

Re:Stop that task in the name of the law!

[FeepingCreature]

And of course that would stop them once the technology is in place.

For all of ten seconds.

Re:Stop that task in the name of the law!

I'm not worried about CORPORATIONS--they only want my money. Government wants my money and my LIFE.

Re:Stop that task in the name of the law!

[bky1701]

They'll both happily take your life, as is shown by slavery and the horrible working conditions that were common until very recently. It just happens that the government currently keeps the corporations from taking it. Funny how that is, isn't it?

Re:Stop that task in the name of the law!

Who decides what is the 'correct' software?

Is it a whitelist or blacklist?

How is it enforced, what if I have it lie?

What technical implementation does this need?

Do we begin licensing programmers?

Do we install TPM in everyone's computer, effectively ending innovation and free speech?

Too many people are eager for a benevolent king.

Re:Stop that task in the name of the law!

[icebraining]

Once you understand that they're all controlled by the same people, you'll feel much better.

Re:Stop that task in the name of the law!

[Jurily]

s/Bittorrent/every fucking application that The Authorities didn't approve/

The only system I can imagine where this might work, is if the creator of the software was the only one with the power to blacklist a version of it, and nobody for Free Software. And of course they can only blacklist something if an upgrade is available for free.

Now for the fun part: how do you decide whether you're talking to a good version, a bad one, or a really bad one saying it's good?

Re:Stop that task in the name of the law!

[Man+On+Pink+Corner]

Sigh. No, it's just that not every argument against Big Government can be dispelled conveniently by invoking Sinclair Lewis.

Re:Stop that task in the name of the law!

The difference is clear... you don't shut down the whole Internet when things go bad, you shut down the bad application. SysAdmins will notice their service is down, and hopefully will get a nice clear message that they've put off the patches for too long, and if their server wasn't already spreading the worm, it was about to before the kill switch got in the way.

Both solutions are equally flawed, and at the heart of the flaw lies the nature of the way government works, or should we say the way most government employees work. Think for a moment about who exactly is going to be making these kinds of decisions. The US president isn't exactly going to be bothered with Honest Johns Plumbing Service's Apache server, and even if he would be, he would basically follow the advice of someone responsible for the whole service. That someone responsible has several division heads beneath him, that receive reports from several more levels of bureaucracy, until we finally get to the tech that somehow (we'll leave how exactly as an exercise to the reader for now).

Now, this tech isn't going to be a networking genius. After all, if he was, he would most likely be employed in the private sector, doing a more interesting job than writing up reports on badly configured Apache servers. So at some point in time, big red letters appear on his screen "Apache 2.0.31, vulnerable to EXPLOIT 134-384-X1-394 (see database, threat level: oh god bees)" . The tech has spent his last couple of hours writing reports, is tired, looks at his clock "Oh goody, almost 5PM, time to go home" and clicks "Report IP for vulnerability". Little does the tech know that EXPLOIT 134-384-X1-394 is actually an exploit that requires a pretty specific configuration, loading the little used mod_bees into Apache, and configuring it to allow to work together with mod_nest and mod_honey and mod_hungrybear. Who cares, right? An exploit is an exploit, and the bureaucracy must be served. The mouse pointer inches its way to the "Submit" button, and thus at 4:59:59 PM exactly the tech shuts down his PC, gets his coat, and whistles while he walks on his way to the car.

The next morning, the supervisor opens his mailbox: 349 new threats on the internet! He immidiately notices the "threat level: oh god bees", marks it for approval since that one is quite severe, and gets his morning coffee. Now, once we get past this point, there's no chance in hell that anyone with any further technical knowledge is going to get into contact with it. The tickets escalate into the bureaucracy, all the way up to some regional district manager of the Federal Bureau of Killswitching, who logs on in the morning, clicks the OK button, and then spends the rest of the day in MS Excel managing budgets, staff allocation, attending meetings, and playing Simcity 4.

The next morning Honest John notices that his server has been blocked. This is a major problem for Honest John, since his calendar is stored on the server side. He calls his Friendly IT-Guy, but Friendly IT-Guy is on vacation right now, exploring the Sahara desert in a world record attempt to count the most grains of sand in 1 months time. So honest John does the next best thing: call the colocation company. These guys don't know Honest John though, and basically tell him to go to hell (or rather, go to the hell of being put on hold for 3 hours with the same voice interrupting the music with "please hold the line").

So at this point Honest John is losing money. His plumbing business is going down the drain, and his competitor ePlumber 2.0 is stealing most of his customers as we speak. When Friendly IT-Guy returns from the Sahara with a notable entry in the Guiness Book of Records for being the man with the most sand in his underpants ever, he discovers the Honest John is very upset. In fact, he's suing for damages using words such as "incompetent fool", "government service block" and "die in a fire". Honest John discovers that his server was blocked from the internet for an exploit t

International concerns?

[strayant]

So, what about the impact on all the other countries?

How about this...

[Darkness404]

How about this? A 20 year moratorium on introducing any new rules/regulations on the internet.

Its a rarity if government regulation actually helps, and even when it does "help" it either creates larger problems down the road or fixes something else the government did.

Other than the initial creation of the internet, it has been largely a private affair and that is responsible for the majority of its growth.

Re:How about this...

[bky1701]

As much as I don't want a kill switch on the internet, I also don't want that same kill switch to exist in the hands of private companies. Without some government regulation, what is to stop the media cartels (which own the majority of ISPs) from banding together against sites they dislike? Google seems pretty unpopular among media companies these days. Who is going to make sure that we can still access Youtube 5 years from now? Net neutrality is not something to scoff at.

I also wouldn't object to forcing ISPs with threat of law to actually PROVIDE what they market. If they say it's unlimited, it should be unlimited, NOT "unlimited to a point."

But government is the source of all evil, right? Hand it over to Time Warner, Comcast, and Verizon... they'll take good care of your rights! /s

Re:How about this...

[Darkness404]

Look back in the past, how did Comcast/Verizon/Time Warner/etc get so large? They basically stole your tax dollars to provide internet access and "modernize" America (and in the case of Verizon they got lots of infrastructure from the breakup of AT&T). Without governments screwing with the free market we can make sure that the corporations serve us rather than the other way around. We need a government to prevent force and fraud, as you pointed out, the majority of ISPs/Cell Companies use fraud in their marketing and should be forced to either provide what they market or provide compensation.

What we need is a definition of the internet to include all of the internet to start out. Secondly we need to stop handouts to private companies all of them to prevent this from happening in the future. Eventually, our current infrastructure will be obsolete and Comcast/Time Warner/Verizon will be as laughable of companies as Atari and AOL is today. But in the meantime, simply allow for more competition in the ISP market, allow for true free market systems where if one corporation can use public land to lay cable though any ISP who wants to should be able to within a certain window. When we solve the inequalities there, it fixes itself. If an ISP blocks YouTube and there is a choice, everyone will switch. The problem is our government has limited the choices.

Re:How about this...

[vrmlguy]

Why, oh why, isn't there a "+/-1 Libertarian" modifier? (The +/- would be viewer selectable, of course.)

Re:How about this...

[Toonol]

The financial sector IS still highly regulated, one of the most regulated sectors of the economy. It was never deregulated; only the nature of the regulations changed, and that wasn't to promote freedom or capitalism, but to benefit certain people.

The deregulation of the net, of course, is the fundamental reason for it's rapid growth and incredible utility.

Re:How about this...

[hedwards]

O Really? So basically the financial markets are highly regulated, except when there not. The fact that the portion of the entire market that was regulated is dwarfed by the ginormous amount of money represented by completely unregulated instruments, is the sign of a highly regulated market.

Sorry, I must not get it, because I'd think that it would be the other way around, that a highly regulated industry would be mostly dealing with regulated items, rather than mostly dealing with unregulated items.

Re:How about this...

[Darkness404]

Ok, name me something that has been truly "solved" by the government not relating to prevention of force and fraud that hasn't had free-market solutions that blow the government system out of the water.

Lets see here:

The USPS is a complete and utter mess filled with idiot workers and BS policies for no reason whatsoever and ever-increasing rates. Nearly always Fed-Ex or UPS does a better job of doing, well just about everything.

Etc.

Re:How about this...

[Curunir_wolf]

The root of the problem is that we have a meaningless currency based on absolutely nothing, with that comes insane inflation. Every country on the planet has currency based on nothing other than the word of the government. So to say that's the cause of the problem is a silly and pointless exercise in mental masturbation.

Not at all. In fact, it's the reason that every country in the world was dragged into a financial crisis caused entirely by the US and its central bank.

Now we've all seen your e-peen and know it's lacking. Move on to actual issues, rather than some personal preference for the gold standard or whatever you'd like currency to be based off. Though we had plenty of inflation when we were on the gold standard, so don't let facts get in the way of your insane rants.

Unfortunately, the "facts" you are spouting are not facts at all. Inflation in a gold standard exists because gold can be mined, so the supply can increase. But that's caused by actual labor, so it has a natural limit. Not so with fiat currency, the creators of which have no limits and suffer no consequences for inflicting inflation on those further downstream. Throughout history, the most ruinous and damaging inflation has always occurred in a fiat system, never in a natural value system.

Re:Hmmmm

[mmcxii]

Why is it such a shame that it's a Republican?

You have to think like assholes

How could I abuse this if I were a terrorist (or an advertising exec)

If it can potentially cause more damage by being tripped, don't put it there in the first place. And that's the case with having an Internet "kill switch".

The real answer is don't be so fucking cheap and stop running mission critical stuff over the Internet.

it swings both ways

[p51d007]

Those that want a "kill" switch regardless of party better not get what you wish for. If a liberal is in charge of a kill switch, killing off conservative websites just remember that politics is like a circle, what goes around comes around. Personally, I wish a hands off approach to the internet under purely 1st amendment grounds. "Congress shall make no law..." what part of that do those pinheads not understand. With the good, comes the bad. 3/4 of the crap on tv, radio, internet, magazines I don't care for, but I'd rather it be left to the market to figure out, instead of some idiot politician to say if it should be banned.

Re:it swings both ways

[Mashiki]

Personally, I wish a hands off approach to the internet under purely 1st amendment grounds. "Congress shall make no law..." what part of that do those pinheads not understand

Well the majority of liberals believe that the constitution is a living, breathing document, as such open to all sorts of wild interpretation. The majority of conservatives believe that the intent of the document is as it's stated. Now if you get into the politics, you'll find that most incumbents are just screwed up and can't think of it in either way; rather the only way they can maintain their job.

I blame people who don't have a clue about politics, and aren't interested.

Trucks and tubes.

[roman_mir]

The entire thing stinks to high heaven. These guys still think of the Internet as of tubes and trucks and who the hell knows what else, but it doesn't matter. The important thing is that this series of tubes and trucks is bothering them something awful.

They can't control dissemination of information on it like they do on TV. Anybody can just start a blog or a forum and discuss policy and worse, they can share actual information, the kind that government prefers you not to pay attention to... here is something shiny for you.

They need a kill switch, and when they say that, they likely mean a kill, as in Minigun type of kill switch.

Take this new cybersecurity bill, add the Trusted Security in Cyberspace proposal, involve the DHS, factor in Gitmo and rendition, multiply by Secret Service getting an 'upgrade' (from the same Lieberman ideas by the way), you are going to have a very neat 'kill switch'.

This 'cybersecurity' nonsense is supposed to be able to expire 120 days after execution, well, just make the emergency last longer, have the president sign an order or whatever it takes. Actually 120 days is enough to push through any kind of agenda if there are no opposing voices at all, and TV opposes nothing (except for clowns, but who listens to clowns, right?

They just want to stop you from being able to get and discuss any information that may end up hurting their agenda, and they have plenty of agenda.

Re:Princes of Darkness

[Inf0phreak]

If I could vote you up, I would. Any proposal even remotely technology-related co-sponsored by Orrin "Big Media's Puppet" Hatch cannot possibly be good. Sure the "Kill switch" proposal is terrible too, but whatever Orrin Hatch is thinking of is guaranteed to be worse.

Jealous of his own game?

[damn_registrars]

So our previous POTUS created the Dept of Homeland Security (DHS) which is often cited as one of the largest bureaucracies ever. Then we suggest further expanding DHS while under the term of a new POTUS, and someone of the same party as the previous complains that the proposal

puts too much on the plate of the already overburdened Department of Homeland Security

Uh-huh. Like we already knew; say hello to the new boss, same as the old boss.

This is still a bad idea

[Edmund+Blackadder]

Let us not be confused by suggestions that just because Sen. Kit Bond criticised the previous proposal, his proposal is any good.

IMO there is absolutely no reason to put a cyber security czar in the pentagon.

In America, as in any free country the military should do nothing but armed conflict with other nations, and civilian agencies should provide internal security.

But hopefully the existence of multitude of bills will result in no bill being passed, which would probably be the best outcome.

Is anyone really saying...

[iamacat]

... that government shouldn't have emergency powers over Internet, or power grid or industries or transportation? If so, I think we need a new government, not a total repudiation of the concept of a government. Yes, enforcement should be practical, keep up to date with technology, not go overboard and be safeguarded against broad witch hunts for real or imaginary non-emergency wrong doing. But if we are under a massive cyberattack by a foreign government or terrorist organization, we do want the government to be able to shut down all channels for malicious traffic to affect critical utility/information/medical/commercial infrastructure - or try to as much as technologically possible to implement without serious hardship to legitimate users.

That's the end of freedom

[OeLeWaPpErKe]

And of course that would stop them once the technology is in place.

For all of ten seconds.

It wouldn't just do that. Think about the enforcement mechanism that would be required to make this operate : all computers in the world would need to answer to a single, global command authority. This authority would immediately be used to "end piracy", for obvious reasons. Even unconnected operation would have to be subject to government approval (or else you could use that to sabotage the system when it gets reconnected).

And given that unless this is implemented globally, it would be a financial disaster. If the US implements this but China doesn't, that gives anyone else 2 major advantages : all spam income would go to them, all spam costs would go to the US. Furthermore, get 1 spy close to the kill switch, and ... And God forbid we try to get other countries to cooperate with this. What will it take ? A global "the taiwanese king cannot be criticized" policy would seem to be required. And what about the "islam requires women cannot access the internet", a Saudi and Egyptian policy ? Doubtless the UN would consider that entirely reasonable and demand we become "culturally tolerant", you know just like you can no longer say that it was muslims who massacred americans in 2001, for the sole reason that "islam demands it", according to the terrorists themselves (and quite frankly when a barbarian is swinging an axe into your face shouting "you shouldn't have insulted ...", you can generally assume he's not lying. The only correct reaction, of course, is to swing a bigger axe into his face)

And that's ignoring what happens when the first politician realizes he can hide that pesky little detail about him that he raped 3 girls a few years back (and 5 more since, but the FBI doesn't yet have that on record) ...