New Bill Would Put DHS In Charge of 'Critical' Private Networks
GovTechGuy writes "A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure. Such firms include utilities, communications providers and financial institutions."
Considering how much a lot of those companies rely on their network infrastructure, if there isn't a provision for this then perhaps the alternative is to be prepared to take over the whole organization if/when they are crippled by an attack. I am not one for heavy handed government but someone needs to light the fire under these guys.
I'll assume they can designate any forum they don't like as critical to national security due to terrorists using it to communicate.
a deaf man telling others how to sing. Maybe they should get their act together before giving lessons...
and wait for the Republicans to fight this government intervention tooth and nail. .........
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
If this passes, does it mean I have to have the "new" patdown, or can I opt for the "classic", before I can enter the server room? And, if I can only bring in four ounces of soda, my productivity is gonna go to hell.
Why, without your clothes, you're naked, Miss Dudley!
If that just means new security standards that companies have to meet, then I can't see the harm in that
Demanding exclusive admin access? Now it's complicated.
Stop spending Tax, giving yourself more powers. You should have rules in place for internal departments and for any company that is THAT important, surely any contract set up would require some terms and conditions.
great. like we don't have enough regulation in this area as it is.
Why do I have a sneaking suspicion that this law will be applied WAY more often to fight torrent sites than it will ever be used to fight actual terrorists?
Considering that the DHS is probably one of the most dysfunctional, incompetent departments in the entire federal government, I find that more frightening than the terrorists.
Only TERRORISTAS would be concerned. Are you concerned? You are a TERRORISTA !!
As we saw with anti-terrorism spending, what's deemed critical and what truly is hasn't exactly ever been the same.
As if they haven't spent enough tax dollars they don't have.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety
I'm sure "federal cybersecurity guidelines" for a network include having Federal employees shutting down general non-critical access and putting control of the network under FEMA control whenever there's a disaster. That's great for a network owned by the Federal government. It's an abomination against the rights of the people and private companies to do those things to a commercial network on which millions of people rely for their own uses.
It's called "socialism" when the government takes over industry for the people. It's called "fascism" when the government takes over industry to enhance the power of the government. Somehow I just can't see the government taking over control of networks the citizens use as benefiting the people more than the government.
What's surprising is that this bill is coming from someone thought to be a Democrat.
This move doesn't necessitate a monoculture, it just depends on how they write the law and how those in charge of implementing it end up crafting regulations. As long as they're only enforcing standards and not a standard implementation, then it's probably OK, as you stated in the second part of your post. For instance, if the regulation states that networks which have any convergence points with the public internet have, at all crossover points, IDS/IPS systems in place which meet a certain level of ability, then it's up to the firm who owns the network to decide whether to go with a solution from Cisco, Juniper, Sourcefire, or another vendor, or to roll something home-grown as long as they can meet the requirements.
I'm sure most of the organizations which will be affected by this will already have most, if not all, the necessary security mechanisms in place. However, they may be out of date to some degree, not properly monitored, and some smaller organizations may be missing large swaths of helpful security infrastructure and best practices because it just hasn't "been an issue" for them in the past. This is probably a fairly direct result of the Stuxnet worm/virus. Whether Federal mandates are actually going to help remains to be seen, but if they follow sane policy frameworks such as those outlined by the NSA IAD and the CNSS then this ought to be fine.
Since this is Slashdot, I'm sure at least a plurality will focus on the "private" in critical private network, as evidenced by the air quotes around 'Critical' in the lead line of the story, however when we're talking about power, water, and communications systems critical probably isn't strong enough a word to describe them, and their ability to operate is largely a result of government-enforced monopolies and government-enforced easements, so I wouldn't really call them 'private' either.
remind me why it wouldn't be such a great idea to give them a say in this process?
All employees accessing sensitive networks must now remove their shoes...
I hope they don't require a genital pat down to use the Internet.
So if they do this like their other wonderful policies I cringe to think of what will happen...
Those companies will see their mail servers flooding the net with botnet spam. Their websites will be littered with porn pop-ups. And all of their secure transactions will no doubt authenticate via a .ru connection.
You obviously haven't thought this through. Remember, torrent sites steal billions of dollars from hard-working cinematographers. Where do you think that money is going if not to tiny camps in inaccessible parts of distant countries in order to wreak damage and destruction in the heartland of America? Honestly, this stuff is so basic that any junior congressman could understand it...
Or we could ban software companies lobbying to lower security standards and we could push for changing government pay grade scales for security experts so gov't actually has a chance of competing for talent with the private sector.
choices, choices
do we want to be "too big to let fail" or "not critical to national security"
No.
Somebody should get those Diebold ATMs off the public internet and back on a WAN like they should be.
If this is done in a similar manner as PCI compliance for handling credit card information then I wholeheartedly welcome this addition. I see no reason not to have the government set a baseline of security for crucial infrastructure (everything patched, firewall in place, no open relay mail servers, etc).
I think this is one of those situations where the devil is in the details. This could be a good or bad thing but it all comes down to the implementation and enforcement of such a program. I'm as worried as the next guy to have DHS poking around in my systems but that's not necessarily what this entails.
If you want to send any enterprise down the tubes, start by giving one group the authority and another the responsibility. DHS wants to dictate standards but when the next big blackout occurs will DHS rush to accept the blame?
Have we considered the risk of self-inflicted damage caused by ill-conceived government-mandated software?
You don't need to be a libertarian to see that this is insanity.
private sector companies considered part of the country's critical infrastructure.
*Insert Jeopardy music here*
DHS has been given authority to ensure critical networks are up to federal security standards. Apart from the discussion of if this will be useful, this does not, in any way, put them "In Charge" of the networks.
Before you go ranting and accusing the government of fascism, maybe you could actually, you know, READ the proposed legislation, and then cite the passage where you have found this provision?
I work IT for FEMA, I can tell you first hand that DHS's network is one of the most hosed up messes I have ever seen... this is the last thing we need.
As useful as PCI (Payment Card Industry) standards: a great idea with loads of rules to keep things on the right track, but no real punishment for repeat offenders or major breaches. In short: just another meeting on my calendar.
DNS moving from the hands of Verisign and into the hands of the government? Sounds like "Out of the frying pan and into the fire" to me.
This post rings the bells of justice and enlightenment
First, the bill to censor internet and get ahold of any domain name, with a court order
now, the ability for a single department of u.s. government, without requiring a court order, to control private networks,
Couple these two with the draconian and stupid copyright/patent laws in the USA, and you can see that it won't take more than a few months after this for the UN or EU to come up with an alternative, international or European authority to govern domain names and IP numbers.
way to go, u.s., cutting the leg you are standing on. any other country would cut its own real legs (metaphorically) rather than risk losing the de facto control of internet.
maybe it was high time.
A DHS uniformed guy on a folding chair in front of the server closet in the 4-member IT dept of a small company that is, among other things, a defense contractor. This uniformed guy checks the sysadmin's badge each of the 20-50 times a day he goes into the server closet. The rest of the time he sits there doing search-a-word puzzles or watching a portable tv or whatever. I'm as horrified by this image as I am amused by it.
You will have to forget, before doing that, the fact that ACTA was initiated, prepared, cooked and started being pushed around during the Republican term in Congress, Senate and administration, before 2006. By 2006, it was already in the international negotiation stage, first by being pushed to the Canadians.
I worked in the security industry for many years and we had contracts with a number of government departments, major ISPs, and enterprise businesses. Our talks with the DHS ended when they suggested making a Windows-based version of our Linux-based network security server. The conversation went something like this:
Us: "Sure we could do it, but it would cost more, be slower, and have poorer performance because we wouldn't be able to modify the OS directly to support what we need. You'd need a significant number more machines to do the same task, each machine would cost more, and the project would be delayed at least a year while we developed it and went through the security certification process again. Additionally, the security would be weaker and these should be high security systems as they have access to all the traffic running through your network and are already managing the traffic."
DHS Security Guy: "I think that's the way we want to go."
Us: "Do you mind if we ask why?"
DHS Security Guy: "I don't like managing non-Windows systems."
Maybe things have changed over there in the last few years but... dear god! They were some of the most incompetent Microsoft loving fuckwits ever. We had a contract with Microsoft at the time and they were cool with our Linux based solution and were even considering installing custom Linux systems of their own design to supplement the limitations of their Juniper routers with regard to network traffic management and security.
If this is anything like the DoD or the rest of the government's security policies it will drastically reduce the productivity of those using these 'critical networks'. And of course let's not forget all the post-it notes with passwords on them this will create!
How would this benefit Rep. Thompson's campaign & PAC funding? "Defense Electronics" firms are the #3 contributor to his campaign & leadership PAC for 2009-2010. "Computers/Internet" were #3 for the 2008 campaign.
http://www.opensecrets.org/politicians/summary.php?cid=N00003288
Senator Palpatine will protect us!
So we'll have the same policy for fliers as packets? Deep, humiliating inspections?
Representative Thompson is my congressman. He'll be getting a letter from me expressing my opposition to this measure.
Why does the DHS think they have a better solution to this than the private companies?
From what I know all the smart people go to the private companies, NOT the government in order to get better pay.
A simpler solution is to keep your executables and data separate and don't allow write access to the executables - simples ;)
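One way to check the "executables separate from data, and no write access to executables" rule on a real filesystem, as an added example that is not part of the original thread: the two `find` calls below flag files in a binaries tree that are group- or world-writable, and files in a data tree that carry any execute bit. The directory names and the sample tree are constructed for the demonstration and are assumptions, not anything the thread describes; the script assumes GNU/Linux `find` (the `-perm /mode` syntax) and POSIX `chmod`/`mktemp`.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GNU find's
# "-perm /mode" (any of the listed bits set) and a Linux-like
# permission model. Directory names are hypothetical.

# Files under the executables tree that are writable by group or others.
# Any hit means an unprivileged writer could swap out a binary.
writable_executables() {
  find "$1" -type f -perm /022 2>/dev/null
}

# Files under the data tree that carry any execute bit.
# Any hit means "data" could be run directly, defeating the separation.
executable_data() {
  find "$1" -type f -perm /111 2>/dev/null
}

# Count lines without the leading padding some wc implementations print.
count_lines() {
  wc -l | tr -d ' '
}

# Build a constructed sample tree, audit it, and print
# "<writable-executables> <executable-data-files>".
audit_demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin" "$tmp/data"

  # Correctly installed binary: executable, owner-writable only.
  printf '#!/bin/sh\necho ok\n' > "$tmp/bin/good"
  chmod 0755 "$tmp/bin/good"

  # Misconfigured binary: group/world writable (violation).
  printf '#!/bin/sh\necho bad\n' > "$tmp/bin/bad"
  chmod 0777 "$tmp/bin/bad"

  # Plain data file: readable, not executable.
  printf 'record\n' > "$tmp/data/report.txt"
  chmod 0644 "$tmp/data/report.txt"

  # Executable dropped into the data tree (violation).
  printf '#!/bin/sh\n' > "$tmp/data/upload.sh"
  chmod 0755 "$tmp/data/upload.sh"

  w=$(writable_executables "$tmp/bin" | count_lines)
  x=$(executable_data "$tmp/data" | count_lines)
  rm -rf "$tmp"
  echo "$w $x"
}

audit_demo
```

On a production host you would point `writable_executables` at the directories your application binaries live in and `executable_data` at upload, spool and database directories; mounting the data tree `noexec` makes the second check a mount-option check rather than a per-file scan.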
Instead of mandating what should be deployed, stick to testing the defences of the companies.
Fine them if the DHS crackers can gain access.
As a side benefit, it would discourage the monoculture. Different companies would deploy different systems and that would make it almost impossible for a single attack to crack them all.
I think this begs the question, why does anyone believe that government goons would be more capable at managing a network than the private IT goons who built it?
... I welcome our fondling overlords.
The Department of the Interior is the worst government entity. DHS - who gives us the TSA - is a close second.
...that is, I've seen this bull before. At least twice, previously phrased as an "internet kill switch". Unfortunately, the problem with bad ideas is they're almost certain to eventually become law.
I have no problem with contractors agreeing to some sort of security standard as a condition of doing business with the government. At least they are going in to their relationship with their eyes open. But what constitutes a 'critical' network? And can the feds put my system on the list without my input?
If I offer some goods or services and one day, a customer walks in my front door with a GSA credit card, does that make me a vendor to the government? If they say 'we simply must have your product/service to perform our function' does that make it critical? Can I throw them out the door?
Let's get some outsiders who are totally unfamiliar with what we do to fix our problems for us in emergencies.
DHS is taking over everything.
Gov mandated stuff, along with allowing just totally insane lawsuits to go forward with decades old equipment, well above what is really required, has driven the cost of a new cessna 172 to HALF A MILLION DOLLARS. This should be like 50 grand new by now with modern manufacturing techniques, etc. This model is the most produced airplane ever, it works, etc. So instead of people being able to use a brand new plane, they are forced to try and keep old rattle traps flying that should have been (and would have been) scrapped years ago, because it is the only affordable way to own a small plane today for most people.
So expect compliance and so forth in other areas to see similar price hikes. Not to mention the dotgov "owning" everything, a worrying trend.
The US by original design was supposed to be different from all other nations, people were supposed to deal a lot more with their own security in exchange for a lot more freedom.
As a side note, Ron Paul has introduced legislation to kill off all that TSA nonsense in the airports now.
Man I wish he had gotten elected instead of mclame or obummer. People just will never learn that if they elect the media-picked-for-you "front runner" candidates they brainwash people into supporting, it is the same old shit after the elections, and it never fails. I've watched this happen over and over again for decades now.
If RP had gotten in, the wars would be over, he as in CinC would have just ordered them all home, those stupid too big to fail banks would have gone bankrupt and those toxic derivatives destroyed like they deserve to be, GM would have been busted up and some new blood and new ideas would have taken over their factories and be producing real innovative transportation products, the Fed would have been taken down several notches and the treasury put back up to create new money without charging ourselves interest, the explosive growth of gov mc jobs that pay way more than they should would have ended, and a host of other freedom and economic "makes sense" measures at least brought to the forefront for debate.
I have no idea how shitty things have to get to get the herd to realize this either. Doing the same thing over and over again and expecting different results is mega cuckoo.
Lets just put the TSA in charge, maybe they can grope each packet.
That will keep us safe.
they clearly aren't doing it themselves, and there is no market choice in these situations.
The Dunning-Kruger effect explains most posts on
Engineers and programmers have the answer to these questions, if only we apply our various understandings.
Do you want to be given the task of designing and implementing a real-time control system for an open system, that is, a system which has major inputs that are not under your control?
Programming for an open system is a conceptual oxymoron. Can't be done.
Even before considering the human/social system, which always leads to the regulators being taken over by the regulatees, and before we realize that the response times of legislation and regulators is orders of magnitude slower than the environment being regulated, regulations don't work because they are trying to do the impossible.
You can't point to regulations that 'work' at a system-level. The FDA is a fine example : a very simple mandate "rules and regulations to make food and medicines safe", yet it has become protection from competition for the few remaining drug companies, drugs are still remarkably unsafe, very few new drugs are developed, the costs of drugs are very high, and the drug companies have thus become one of the major owners of our government. We continue to die because we can't afford the drugs, because they are unsafe and because the needed drugs have not been developed because of the very high costs.
It seems to me that the only laws that make sense are ones that require honesty : In any exchange of value, both sides must disclose all the information needed by the other side to make an intelligent judgment and must check that the other party has indeed understood that information, and this requirement is proportional to the value being exchanged.
Clearly, the regulatory model has not worked. Clearly, it cannot work, based on elementary understanding of mathematical chaos, computational complexity and the emergent properties of systems.
This
Fiction is becoming reality.
I disagree. What they have done now by not allowing them to fail is to further put all of us at risk for an even worse catastrophic failure in the future. Those quadrillion dollar bets on bets on bets on bets need to go! They are absolutely NOT critical for an international economy, they exist only to further enrich those massive economic skimmers called "central banks". It's a con game and they used threats and extortion to get bailed out when they did fail.
Bankruptcy exists for one good reason, to eliminate failed business models. Those goons have WAY too much power and influence over the entire rest of the REAL economy, and needed to be eliminated and reduced in size and worth to what they are really worth, which is most definitely *not* QUADRILLIONS of dollars like the latest estimates of all their toxic derivatives are allegedly worth.
Too big to fail should mean too big to exist in the first place.
This is the sort of idea that gets the Libertarians and other radical right-wing types all up in arms, screaming about socialism, government power grabs, and the need to throw the whole bunch out and put in toll roads and pay-as-you-go government.
They're still wackadoodles, and still marginalized, but this is their bread and butter.
A stupid idea, unless, of course, you are willing to cede to the federal government both responsibility and authority to run the country directly. Not just govern, but operate.
Me? I'm opposed to it on these grounds:
1. The apparent assumption is that private industry can't be trusted to do this. As a rebuttal, consider that private industry has more to lose on their own than if DHS takes over. Beyond that, is DHS demonstrably better at security than private industry has been, at least in these scenarios?
2. Despite the obvious security concerns, and the potential harm to our nation, how did government get appointed to the position of protecting us from ourselves? Is this a Constitutional exercise of power? I propose it is UNConstitutional on its face.
3. Regulation, perhaps, is a better path. The Clean Air and Clean Water acts offer some experience with the government dictating how things should be done. Yes, we are better off. Does the same apply to industrial network security? Well, maybe not.
Let's get on the phones and kill this, so we don't have to wait for another election cycle to convince the retards in Washington that we are not at all amused. Ok?
If anyone is going to do this, it should be the NSA, not DHS. Why, you ask, would I trust a military agency over DHS?
1) The NSA is regulated by DoD regulations which prevent it from working as a domestic law enforcement agency.
2) The NSA can very rarely share information with law enforcement because its methods are not legally admissible in most court cases (and they're not supposed to be, since the NSA's purpose is to support the military and operations abroad where civilian courts don't even have jurisdiction in many scenarios).
3) The NSA actually knows what it's doing with its own infosec, unlike DHS.
Am I the only one who finds similarities with how the DHS is getting more and more control over things, just like FEMA did in the first Deus Ex game? That didn't end well...
Firstly, one does not eat, drive, watch or otherwise consume "income". It's obvious that both American workers and CEOs now consume more, of better stuff, receive better medical care with treatments that were not dreamed of 50 years ago, casually use communication services that only super-rich could afford 50 years ago, etc.
Some of us think this happened because politicians of the US ruling parties did not overly concern themselves with how much people *should* be, in their view, paid for everything they do. In the countries where ruling parties ran their economies so that no one profited overmuch, life mostly sucked for most of the people.
And yeah, I was born in one of these, called the "USSR". Look for it on the map. Salary caps, price controls, and other "wealth redistribution" worked really well for it.
4chan.
Such firms include utilities, communications providers and financial institutions.
Thus giving DHS full regulatory authority, through that "enforce" word, to monitor your ISP and your bank in real time (something the NSA was never allowed to do legally).
And once again Big Brother's tendrils are set to grow.
Everybody gets what the majority deserves.
I just had another look at Article One, Section Eight of our Constitution, and do not see anything that could grant this type of authority - am I missing something?
That's because software for the most part isn't required to have a warranty. Change that, that it must be free from glaring defects and suitable for purpose, the same as any other "product" that can get patents, and overnight they will take software and the internet WAY more seriously with regards security.
This bill doesn't put DHS in charge of anything at all, any more than the IRS is in charge of your finances just because you have to report income, or the SEC runs private companies because they have to comply with certain regulations to maintain transparency. What it does is mandate a NIST 800-53-based approach to securing the networks. That approach actually works pretty well, but it's a fair amount of work since you end up looking at groups of systems in terms of the processes they perform together (like a specific database server, the middleware server that accesses it for a specific application, and the web server that provides a presentation layer for the middleware) when thinking about security.
The problem with this bill isn't the standards that it mandates, or that DHS would be the entity yelling at companies for failing to comply...it's that "Critical Infrastructure" industries, in legislative terms, refers to 17 different industries, which in combination are an ENORMOUS amount of our economy. One of them, for example, is the IT sector. Dropping a regulatory requirement like this on all of them at once, simultaneously, will be very good for people who do security consulting for a living (like me) but will be hell on the thousands of companies that will have to scramble to get into compliance.
The good news is you can probably hollow out a laptop battery and remove all that perfectly legal explosive Thermite-like Lithium-Ion stuff and replace it with illegal contraband Mountain Dew. But think of the CHILDREN, man!
"Natehoy sets a high score by an unprecedented margin in the Slashdot Defeat Airport Security Championships with astronomical Irony points! AND THE CROWD GOES WIIIILLLD!" *AHHHHHHHHHHH*
"Unbelievable! It's gonna take one hell of a performance to top this one Tom! We've just witnessed history in the making!"
The basic intent of the bill was to wipe out the competition. All the problems with the food supply so far have been traced back to the big operators. And yet we see: "Outreach to food industry sectors.."
This poll (probably fairly accurate) shows 12% supporting the bill. Clearly it must pass :-/ Bad democrats! This is another trophy on the mantle for the republicans if they ever wanted to play it right.
More info
This is like health "care" "reform" for food. A bureaucratic wonderland to create a culture that could put us in danger of a real famine. Eh, time to cull the population, I guess. Drown 'em in paperwork. It's madness, I tell ya.. Madness!
From what I can gather from the amendment is that it only delays enforcement on small and "very small" business for one and two years respectively.
It's a very horrible bill, as toxic as anything that has passed over the last ten years, giving the feds permission to march onto your farm on any pretext of "food safety". You can bet this "cyber security" bill is no different in the draconian powers this gives to the government.
I know some of the top people that went into DHS. They were F'ing IDIOTS. Hell, just look at what they consider Secured. They get cracked REGULARLY themselves. Yet, they are going to secure the USA private network?
This absolutely should be the NSA that does this, not the idiots from DHS.
Rightly so. After all torrent sites ARE thieving millions and billions from content creators that deserve to be paid.
I like how you completely ignored my original point. Where did ANY of that bill include DHS being able to seize networks in the event of a disaster? I did read it (hence my original challenge.) A provision like that is NOWHERE in there. At all. Not even close.
Your summary is that of a 100% bog-standard regulatory bill. You could have substituted the word "meatpacking plant", "stock brokerage", "bank", "electric utility", "airline", "insurance company", "monopoly", or "drug manufacturer" for "private network" in your summary and you would have summarized just about every U.S. regulatory bill written any time starting around the beginning of the 20th century. One of the functions of government is to regulate many different classes of private commerce. The constitution says they can do so, and pretty much every government outside of Somalia does this (or at least pretends to.)
Oh, and the one bullet you didn't include a cite for: "the operator of the private network must pay to certify that they meet the criteria." Looked for that in the bill, and I can see why you didn't include a cite. It's not there. (I searched for pay, cost, costs, and certify.) Did you just make it up? Just like the evil plot to seize the networks in an emergency?