New Bill Would Put DHS In Charge of 'Critical' Private Networks
GovTechGuy writes "A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure. Such firms include utilities, communications providers and financial institutions."
Considering how much a lot of those companies rely on their network infrastructure, if there isn't a provision for this then perhaps the alternative is to be prepared to take over the whole organization if/when they are crippled by an attack. I am not one for heavy handed government but someone needs to light the fire under these guys.
I'll assume they can designate any forum they don't like as critical to national security due to terrorists using it to communicate.
Hmmm witty sig or funny sig? Maybe elitist techy sig!
a deaf man telling others how to sing. Maybe they should get their act together before giving lessons...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
and wait for the Republicans to fight this government intervention tooth and nail. .........
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
If this passes, does it mean I have to have the "new" patdown, or can I opt for the "classic", before I can enter the server room? And, if I can only bring in four ounces of soda, my productivity is gonna go to hell.
Why, without your clothes, you're naked, Miss Dudley!
If that just means new security standards that companies have to meet, then I can't see the harm in that
Demanding exclusive admin access? Now it's complicated.
Stop spending Tax, giving yourself more powers. You should have rules in place for internal departments and for any company that is THAT important, surely any contract set up would require some terms and conditions.
great. like we don't have enough regulation in this area as it is.
Why do I have a sneaking suspicion that this law will be applied WAY more often to fight torrent sites than it will ever be used to fight actual terrorists?
SJW: Someone who has run out of real oppression, and has to fake it.
Considering that the DHS is probably one of the most dysfunctional, incompetent departments in the entire federal government, I find that more frightening than the terrorists.
As we saw with anti-terrorism spending, what's deemed critical and what truly is hasn't exactly ever been the same.
#fuckbeta #iamslashdot #dicemustdie
As if they haven't spent enough tax dollars they don't have.
I'm sure "federal cybersecurity guidelines" for a network include having Federal employees shutting down general non-critical access and putting control of the network under FEMA control whenever there's a disaster. That's great for a network owned by the Federal government. It's an abomination against the rights of the people and private companies to do those things to a commercial network on which millions of people rely for their own uses.
It's called "socialism" when the government takes over industry for the people. It's called "fascism" when the government takes over industry to enhance the power of the government. Somehow I just can't see the government taking over control of networks the citizens use as benefiting the people more than the government.
This move doesn't necessitate a monoculture, it just depends on how they write the law and how those in charge of implementing it end up crafting regulations. As long as they're only enforcing standards and not a standard implementation, then it's probably OK, as you stated in the second part of your post. For instance, if the regulation states that networks which have any convergence points with the public internet have, at all crossover points, IDS/IPS systems in place which meet a certain level of ability, then it's up to the firm who owns the network to decide whether to go with a solution from Cisco, Juniper, Sourcefire, or another vendor, or to roll something home-grown as long as they can meet the requirements.
I'm sure most of the organizations which will be affected by this will already have most, if not all, the necessary security mechanisms in place. However, they may be out of date to some degree, not properly monitored, and some smaller organizations may be missing large swaths of helpful security infrastructure and best practices because it just hasn't "been an issue" for them in the past. This is probably a fairly direct result of the Stuxnet worm/virus. Whether Federal mandates are actually going to help remains to be seen, but if they follow sane policy frameworks such as those outlined by the NSA IAD and the CNSS then this ought to be fine.
Since this is Slashdot, I'm sure at least a plurality will focus on the "private" in critical private network, as evidenced by the air quotes around 'Critical' in the lead line of the story. However, when we're talking about power, water, and communications systems, critical probably isn't strong enough a word to describe them, and their ability to operate is largely a result of government-enforced monopolies and government-enforced easements, so I wouldn't really call them 'private' either.
I hope they don't require a genital pat down to use the Internet.
So if they do this like their other wonderful policies I cringe to think of what will happen...
Those companies will see their mail servers flooding the net with botnet spam. Their websites will be littered with porn pop-ups. And all of their secure transactions will no doubt authenticate via a .ru connection.
You obviously haven't thought this through. Remember, torrent sites steal billions of dollars from hard-working cinematographers. Where do you think that money is going if not to tiny camps in inaccessible parts of distant countries in order to wreak damage and destruction in the heartland of America? Honestly, this stuff is so basic that any junior congressman could understand it...
Or we could ban software companies lobbying to lower security standards and we could push for changing government pay grade scales for security experts so gov't actually has a chance of competing for talent with the private sector.
choices, choices
do we want to be "too big to let fail" or "not critical to national security"
every day http://en.wikipedia.org/wiki/Special:Random
No.
Somebody should get those Diebold ATMs off the public internet and back on a WAN like they should be.
If you want to send any enterprise down the tubes, start by giving one group the authority and another the responsibility. DHS wants to dictate standards but when the next big blackout occurs will DHS rush to accept the blame?
Have we considered the risk of self-inflicted damage caused by ill-conceived government-mandated software?
You don't need to be a libertarian to see that this is insanity.
Vader says...
He who knows best knows how little he knows. - Thomas Jefferson
private sector companies considered part of the country's critical infrastructure.
*Insert Jeopardy music here*
"When information is power, privacy is freedom" - Jah-Wren Ryel
DHS has been given authority to ensure critical networks are up to federal security standards. Apart from the discussion of if this will be useful, this does not, in any way, put them "In Charge" of the networks.
Why is that surprising?
The truth is that all men having power ought to be mistrusted. James Madison
Before you go ranting and accusing the government of fascism, maybe you could actually, you know, READ the proposed legislation, and then cite the passage where you have found this provision?
It's becoming clearer to you now, isn't it?
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
as useful as PCI (Payment Card Industry) standards. a great idea with loads of rules to keep things on the right track, but no real punishment for repeat offenders or major breaches. in short: just another meeting on my calendar.
Good people go to bed earlier.
DNS moving from the hands of Verisign and into the hands of the government? Sounds like "Out of the frying pan and into the fire" to me.
Joy! Beautiful spark of the gods!
First, the bill to censor internet and get ahold of any domain name, with a court order
now, the ability for a single department of u.s. government, without requiring a court order, to control private networks,
Couple these two with the draconian and stupid copyright/patent laws in usa, and you can see that it won't take a few months after this for u.n. or eu to come up with an alternative, international or european authority to govern domain names and ip numbers.
way to go, u.s., cutting the leg you are standing on. any other country would cut its own real legs (metaphorically) rather than risk losing the de facto control of internet.
maybe it was high time.
Read radical news here
A DHS uniformed guy on a folding chair in front of the server closet in the 4-member IT dept of a small company that is, among other things, a defense contractor. This uniformed guy checks the sysadmin's badge each of the 20-50 times a day he goes into the server closet. The rest of the time he sits there doing search-a-word puzzles or watching a portable tv or whatever. I'm as horrified by this image as I am amused by it.
-fb Everything not expressly forbidden is now mandatory.
you will have to forget before doing that, the fact that ACTA was initiated, prepared and cooked and started being pushed around in republican term in congress, senate and admin., before 2006. in 2006, it was already during international negotiations stage, first by being pushed to canadians.
I worked in the security industry for many years and we had contracts with a number of government departments, major ISPs, and enterprise businesses. Our talks with the DHS ended when they suggested making a Windows-based version of our Linux-based network security server. The conversation went something like this:
Us: "Sure we could do it, but it would cost more, be slower, and have poorer performance because we wouldn't be able to modify the OS directly to support what we need. You'd need a significant number more machines to do the same task, each machine would cost more, and the project would be delayed at least a year while we developed it and went through the security certification process again. Additionally, the security would be weaker and these should be high security systems as they have access to all the traffic running through your network and are already managing the traffic."
DHS Security Guy: "I think that's the way we want to go."
Us: "Do you mind if we ask why?"
DHS Security Guy: "I don't like managing non-Windows systems."
Maybe things have changed over there in the last few years but... dear god! They were some of the most incompetent Microsoft loving fuckwits ever. We had a contract with Microsoft at the time and they were cool with our Linux based solution and were even considering installing custom Linux systems of their own design to supplement the limitations of their Juniper routers with regard to network traffic management and security.
There is no political party that has exclusive claims on the ability to seize power and wield it.
How would this benefit Rep. Thompson's campaign & PAC funding? "Defense Electronics" firms are the #3 contributor to his campaign & leadership PAC for 2009-2010. "Computers/Internet" were #3 for the 2008 campaign.
http://www.opensecrets.org/politicians/summary.php?cid=N00003288
Senator Palpatine will protect us!
So we'll have the same policy for fliers as packets? Deep, humiliating inspections?
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Representative Thompson is my congressman. He'll be getting a letter from me expressing my opposition to this measure.
Instead of mandating what should be deployed, stick to testing the defences of the companies.
Fine them if the DHS crackers can gain access.
As a side benefit, it would discourage the monoculture. Different companies would deploy different systems and that would make it almost impossible for a single attack to crack them all.
I think this begs the question, why does anyone believe that government goons would be more capable at managing a network than the private IT goons who built it?
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
... I welcome our fondling overlords.
Have gnu, will travel.
...that is, I've seen this bull before. At least twice, previously phrased as an "internet kill switch". Unfortunately, the problem with bad ideas is they're almost certain to eventually become law.
I have no problem with contractors agreeing to some sort of security standard as a condition of doing business with the government. At least they are going into their relationship with their eyes open. But what constitutes a 'critical' network? And can the feds put my system on the list without my input?
If I offer some goods or services and one day, a customer walks in my front door with a GSA credit card, does that make me a vendor to the government? If they say 'we simply must have your product/service to perform our function' does that make it critical? Can I throw them out the door?
Let's get some outsiders who are totally unfamiliar with what we do to fix our problems for us in emergencies.
they clearly aren't doing it themselves, and there is no market choice in these situations.
The Kruger Dunning explains most post on
Engineers and programmers have the answer to these questions, if only we apply our various understandings.
Do you want to be given the task of designing and implementing a real-time control system for an open system, that is, a system which has major inputs that are not under your control?
Programming for an open system is a conceptual oxymoron. Can't be done.
Even before considering the human/social system, which always leads to the regulators being taken over by the regulatees, and before we realize that the response times of legislation and regulators are orders of magnitude slower than the environment being regulated, regulations don't work because they are trying to do the impossible.
You can't point to regulations that 'work' at a system-level. The FDA is a fine example: a very simple mandate "rules and regulations to make food and medicines safe", yet it has become protection from competition for the few remaining drug companies, drugs are still remarkably unsafe, very few new drugs are developed, the costs of drugs are very high, and the drug companies have thus become one of the major owners of our government. We continue to die because we can't afford the drugs, because they are unsafe and because the needed drugs have not been developed because of the very high costs.
It seems to me that the only laws that make sense are ones that require honesty: In any exchange of value, both sides must disclose all the information needed by the other side to make an intelligent judgment and must check that the other party has indeed understood that information, and this requirement is proportional to the value being exchanged.
Clearly, the regulatory model has not worked. Clearly, it cannot work, based on elementary understanding of mathematical chaos, computational complexity and the emergent properties of systems.
This
"The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
Fiction is becoming reality.
This is the sort of idea that gets the Libertarians and other radical right-wing types all up in arms, screaming about socialism, government power grabs, and the need to throw the whole bunch out and put in toll roads and pay-as-you-go government.
They're still wackadoodles, and still marginalized, but this is their bread and butter.
A stupid idea, unless, of course, you are willing to cede to the federal government both responsibility and authority to run the country directly. Not just govern, but operate.
Me? I'm opposed to it on these grounds:
1. The apparent assumption is that private industry can't be trusted to do this. As a rebuttal, consider that private industry has more to lose on their own than if DHS takes over. Beyond that, is DHS demonstrably better at security than private industry has been, at least in these scenarios?
2. Despite the obvious security concerns, and the potential harm to our nation, how did government get appointed to the position of protecting us from ourselves? Is this a Constitutional exercise of power? I propose it is UNConstitutional on its face.
3. Regulation, perhaps, is a better path. The Clean Air and Clean Water acts offer some experience with the government dictating how things should be done. Yes, we are better off. Does the same apply to industrial network security? Well, maybe not.
Let's get on the phones and kill this, so we don't have to wait for another election cycle to convince the retards in Washington that we are not at all amused. Ok?
deleting the extra space after periods so i can stay relevant, yeah.
If anyone is going to do this, it should be the NSA, not DHS. Why, you ask, would I trust a military agency over DHS?
1) The NSA is regulated by DoD regulations which prevent it from working as a domestic law enforcement agency.
2) The NSA can very rarely share information with law enforcement because its methods are not legally admissible in most court cases (and they're not supposed to be, since the NSA's purpose is to support the military and operations abroad where civilian courts don't even have jurisdiction in many scenarios).
3) The NSA actually knows what it's doing with its own infosec, unlike DHS.
Am I the only one who finds similarities with how the DHS is getting more and more control over things, just like FEMA did in the first Deus Ex game? That didn't end well...
~Syberz
4chan.
Such firms include utilities, communications providers and financial institutions.
Thus giving DHS full regulatory authority to, through that "enforce" word, monitor your ISP and your bank real-time (something the NSA was never allowed to do legally).
And once again Big Brother's tendrils are set to grow.
Everybody gets what the majority deserves.
Except, of course, the inevitability and the "better" nature of the "stuff" is in the eye of the beholder. That is, would this "stuff" be unavailable in any other scenario and does it actually improve lives? The answer is "no" to both questions for much of this "stuff". Today a typical household leads a far more hectic and slavish life-style than a mere 50 years ago: both parents must work to support the family, while 50 years back a single-income household was the norm and not only could one parent afford to stay at home but that one income allowed for the house and everything in it (and even the car) to be fully paid for. Today this is a fantasy, nearly 90% of American households have negative net worth, that is everything they "own" actually belongs to the bank. That is not what I would call an "improvement", unless you are a banker or a member of the super-rich aristocracy who owns the banks of course.
So I find your method of measurement of "progress" in piles of disposable plastic crap from China and $90 bucks a month cable-TV full of brain-destroying "contents", coupled with $20,000 balances on 25% interest credit cards to be rather suspect. Also I am rather confident that contrary to what you appear to believe, civilization would have somehow managed to grind on without Twitter and Facebook.
I find smug bragging by the believers in the "free market" about how inferior, deficient and ill-conceived the Soviet economic system was and how that led to its inevitable collapse, whilst in the middle of the collapse of the oh-so-superior capitalist "free market" economies, to be rather pathetically amusing. Next thing I am expecting to hear is how the West is not "really" "free market" and how it wasn't "pure" enough ... at which point some communists will probably cut in with the exact same tune except with Marxism as the lyrics.
In actuality both share the same core problem: a small group of individuals managed to pervert the entire thing at everybody else's expense because both systems turned out to be helpless against powerful thieves and because accumulation of wealth and power is self-accelerating. And whether the crooks are called "commissars" and "comrades" or "CEOs" and "bankers" makes very little difference in the end.
As said by an anonymous coward. Nice job.
Government is not reason; it is not eloquent; it is force. Like fire, it is a dangerous servant and a fearful master.
I just had another look at Article One, Section Eight of our Constitution, and do not see anything that could grant this type of authority - am I missing something?
A clear conscience is usually the sign of a bad memory.
This bill doesn't put DHS in charge of anything at all, any more than the IRS is in charge of your finances just because you have to report income, or the SEC runs private companies because they have to comply with certain regulations to maintain transparency. What it does is mandate a NIST 800-53-based approach to securing the networks. That approach actually works pretty well, but it's a fair amount of work since you end up looking at groups of systems in terms of the processes they perform together (like a specific database server, the middleware server that accesses it for a specific application, and the web server that provides a presentation layer for the middleware) when thinking about security.
The problem with this bill isn't the standards that it mandates, or that DHS would be the entity yelling at companies for failing to comply...it's that "Critical Infrastructure" industries, in legislative terms, refers to 17 different industries, which in combination are an ENORMOUS amount of our economy. One of them, for example, is the IT sector. Dropping a regulatory requirement like this on all of them at once, simultaneously, will be very good for people who do security consulting for a living (like me) but will be hell on the thousands of companies that will have to scramble to get into compliance.
For your security, this post has been encrypted with ROT-13, twice.
Don't know why you posted AC. That is, IMHO, one of the most insightful posts I've seen in a long while. Well said.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
The good news is you can probably hollow out a laptop battery and remove all that perfectly legal explosive Thermite-like Lithium-Ion stuff and replace it with illegal contraband Mountain Dew. But think of the CHILDREN, man!
"Natehoy sets a high score by an unprecedented margin in the Slashdot Defeat Airport Security Championships with astronomical Irony points! AND THE CROWD GOES WIIIILLLD!" *AHHHHHHHHHHH*
"Unbelievable! It's gonna take one hell of a performance to top this one Tom! We've just witnessed history in the making!"
The basic intent of the bill was to wipe out the competition. All the problems with the food supply so far have been traced back to the big operators. And yet we see: "Outreach to food industry sectors.."
This poll (probably fairly accurate) shows 12% supporting the bill. Clearly it must pass :-/ Bad democrats! This is another trophy on the mantle for the republicans if they ever wanted to play it right.
More info
This is like health "care" "reform" for food. A bureaucratic wonderland to create a culture that could put us in danger of a real famine. Eh, time to cull the population, I guess. Drown 'em in paperwork. It's madness, I tell ya.. Madness!
From what I can gather, the amendment only delays enforcement on small and "very small" businesses for one and two years respectively.
It's a very horrible bill, as toxic as anything that has passed over the last ten years, giving the feds permission to march onto your farm on any pretext of "food safety". You can bet this "cyber security" bill is no different in the draconian powers this gives to the government.
For justice, we must go to Don Corleone
I like how you completely ignored my original point. Where did ANY of that bill include DHS being able to seize networks in the event of a disaster? I did read it (hence my original challenge.) A provision like that is NOWHERE in there. At all. Not even close.
Your summary is that of a 100% bog-standard regulatory bill. You could have substituted the word "meatpacking plant", "stock brokerage", "bank", "electric utility", "airline", "insurance company", "monopoly", or "drug manufacturer" for "private network" in your summary and you would have summarized just about every U.S. regulatory bill written any time starting around the beginning of the 20th century. One of the functions of government is to regulate many different classes of private commerce. The constitution says they can do so, and pretty much every government outside of Somalia does this (or at least pretends to.)
Oh, and the one bullet you didn't include a cite for: "the operator of the private network must pay to certify that they meet the criteria." Looked for that in the bill, and I can see why you didn't include a cite. It's not there. (I searched for pay, cost, costs, and certify.) Did you just make it up? Just like the evil plot to seize the networks in an emergency?
Indeed. And bad as life might have been under Stalin or Mao, life under their predecessors was considerably worse. One need look no further than Cuba, and compare the lot of the average Cuban over the last 60 years with that of the average Guatemalan or Colombian over that same time period to see that capitalism doesn't automatically lead to a better life.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Quite so. It never ceases to amaze me that all "true believers" in the religion of capitalism never get this point: the communist revolution would not have happened and succeeded if the crony capitalists of the day did not organize these nations into hell-holes where rare, glittering palaces of thieving capitalist aristocracy peppered the land surrounded by a sea of starvation and abject poverty. A great majority of Russians and Chinese saw communist ideology, with all of its warts, as a vast improvement. It was only many decades later when mindless consumerism managed to topple the ponderous state-capitalist order (they actually never got as far as communism in practice) but not before the former penniless peasant slaves had all of their kids university educated and feeling indignantly entitled to Levi's Jeans and Sony color TVs.
Actually, it is not that all of the capitalism-or-bust priests do not get it, some studiously pretend not to see it because a tiny island of astronomical wealth amongst a sea of poverty is what their "ideal", dog-eat-dog, "Darwinian" world looks like: after all where would all the slavish, trembling chamber maids to do the laundry and polish one's precious Ming Dynasty vases come from otherwise?