Slashdot Mirror


New Bill Would Put DHS In Charge of 'Critical' Private Networks

GovTechGuy writes "A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure. Such firms include utilities, communications providers and financial institutions."

17 of 193 comments

  1. What's the alternative by jeffmeden · · Score: 4, Interesting

    Considering how much a lot of those companies rely on their network infrastructure, if there isn't a provision for this then perhaps the alternative is to be prepared to take over the whole organization if/when they are crippled by an attack. I am not one for heavy handed government but someone needs to light the fire under these guys.

    1. Re:What's the alternative by lgw · · Score: 4, Insightful

      Has the DHS demonstrated that they are any smarter than the current crop? Is an enforced monoculture somehow better for security than a variety of solutions? Is the DHS going to be immune to carefully chosen campaign contributions at the federal level, resulting in an all-Microsoft infrastructure?

      The way IT for banks is regulated, by creating standards that the banks must comply with but not dictating specific solutions, might work OK here. But I have no faith that that's where "OMG, the government needs more power" is going to end up.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. It feels like by Rosco+P.+Coltrane · · Score: 4, Informative

    a deaf man telling others how to sing. Maybe they should get their act together before giving lessons...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. I'll sit over here by Megaweapon · · Score: 5, Insightful

    and wait for the Republicans to fight this government intervention tooth and nail. .........

    --
    I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    1. Re:I'll sit over here by IgnoramusMaximus · · Score: 4, Insightful

      That is due to the tremendous difference between the Democrats and the Republicans:

      During the Republican reign within the last 50 years, the average, inflation-adjusted US worker's income increased -1% and the average CEO's income increased 500%. This stands in great contrast to the Democrats, under whom the average US worker's income increased -1% and that of the CEO mere 400%.

      This shocking difference explains the dire straits your poor, rich corporation is in, thus necessitating further belt-tightening, "shared sacrifices" and other "austerity" measures...

  4. Re:Wording is vague. by Rosco+P.+Coltrane · · Score: 4, Insightful

    If that just means new security standards that companies have to meet, then I can't see the harm in that

    When the standards are defined and enforced by incompetents, they tend to be useless, costly and bad for productivity.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. Re:Wording is vague. by chemicaldave · · Score: 4, Insightful

    It's certainly the right idea if standards are all they're pushing. But I agree, the DHS shouldn't be involved in this. I can't see why they are in the first place other than someone used the word "terrorist".

  6. Competence by Anonymous Coward · · Score: 5, Insightful

    Considering that the DHS is probably one of the most dysfunctional, incompetent departments in the entire federal government, I find that more frightening than the terrorists.

  7. What's critical? by girlintraining · · Score: 5, Insightful

    As we saw with anti-terrorism spending, what's deemed critical and what truly is hasn't exactly ever been the same.

    --
    #fuckbeta #iamslashdot #dicemustdie
  8. Lame Duck by MikeB0Lton · · Score: 4, Insightful

    As if they haven't spent enough tax dollars they don't have.

  9. This is the race to fascism at its finest. by mr_mischief · · Score: 4, Insightful

    I'm sure "federal cybersecurity guidelines" for a network include having Federal employees shutting down general non-critical access and putting control of the network under FEMA control whenever there's a disaster. That's great for a network owned by the Federal government. It's an abomination against the rights of the people and private companies to do those things to a commercial network on which millions of people rely for their own uses.

    It's called "socialism" when the government takes over industry for the people. It's called "fascism" when the government takes over industry to enhance the power of the government. Somehow I just can't see the government taking over control of networks the citizens use as benefiting the people more than the government.

  10. Not necessarily monoculture by bsDaemon · · Score: 4, Insightful

    This move doesn't necessitate a monoculture, it just depends on how they write the law and how those in charge of implementing it end up crafting regulations. As long as they're only enforcing standards and not a standard implementation, then it's probably OK, as you stated in the second part of your post. For instance, if the regulation states that networks which have any convergence points with the public internet have, at all crossover points, IDS/IPS systems in place which meet a certain level of ability, then it's up to the firm who owns the network to decide whether to go with a solution from Cisco, Juniper, Sourcefire, or another vendor, or to roll something home-grown as long as they can meet the requirements.

    I'm sure most of the organizations which will be affected by this will already have most, if not all, the necessary security mechanisms in place. However, they may be out of date to some degree, not properly monitored, and some smaller organizations may be missing large swaths of helpful security infrastructure and best practices because it just hasn't "been an issue" for them in the past. This is probably a fairly direct result of the Stuxnet worm/virus. Whether Federal mandates are actually going to help remains to be seen, but if they follow sane policy frameworks such as those outlined by the NSA IAD and the CNSS then this ought to be fine.

    Since this is Slashdot, I'm sure at least a plurality will focus on the "private" in critical private network, as evidenced by the air quotes around 'Critical' in the lead line of the story, however when we're talking about power, water, and communications systems critical probably isn't strong enough a word to describe them, and their ability to operate is largely a result of government-enforced monopolies and government-enforced easements, so I wouldn't really call them 'private' either.

    1. Re:Not necessarily monoculture by anegg · · Score: 5, Informative

      I have been involved in government IT security for many years now as an employee of a government contractor often hired to perform various parts of the government security process. One of the biggest problems with the government security "standards" and "processes" in place now is that there is practically no cost feedback to the controls. The policies all say that the cost of the controls should be commensurate with the value of the system being protected, but many of the security "approvers" demand gold-plated security, and are often opposed to signing off on anything less. (Hey - you can't be held responsible for a security problem in a system you approved if you simply never approve any systems.) There are numerous government systems operating either "unauthorized" or under "temporary waivers" (for years and years) because the security folks wouldn't sign off the controls.

      These problems are with the government policing the government. I can't imagine it would be any different when they are enforcing the standards on commercial companies. Although private enterprises can and do go underboard with security, government monitors are almost certain to go overboard. I have some (but limited) experience reviewing IT security for commercial entities (financial services firms, oil and gas firms, pharmaceuticals) and they often "get" most of what needs to be done... with a few lapses (like connecting SCADA networks to the regular corporate network, which is also connected to the Internet).

      If the approach is to have a few *simple* rules (like networks over which critical infrastructure communicates must be isolated from corporate networks that are attached to the Internet), then I think some government oversight wouldn't be bad. But if the approach is to require private enterprise to demonstrate compliance with full-blown government IT security C&A with the government doing the certification, I would predict drastic increases in costs, without necessarily dramatically increasing actual security.
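      The two "simple rules" floated in this sub-thread (IDS/IPS at every crossover point with the public internet, and control networks such as SCADA isolated from the Internet-attached corporate network) are easy to state but routinely violated in practice, usually by a single forgotten firewall rule. The following script is an added example, not code from anyone in this thread: it models a site's zones and permitted flows as a directed graph (a constructed sample policy, with zone names that are assumptions) and reports every path by which the Internet can reach a control zone, plus every Internet crossing that has no inspection sensor. A real audit would feed it flows exported from the actual firewalls.

```python
from collections import defaultdict

# Constructed sample policy: each tuple is (source zone, destination zone, inspected),
# where 'inspected' records whether an IDS/IPS sensor covers that crossing.
# The zone names are assumptions chosen for the example.
SAMPLE_FLOWS = [
    ("internet", "dmz", True),
    ("dmz", "corporate", True),
    ("corporate", "dmz", True),
    ("corporate", "internet", False),   # outbound browsing with no sensor
    ("corporate", "scada", False),      # the corporate-to-SCADA link described above
    ("scada", "historian", False),
]

# The same policy after remediation: the SCADA link is dropped and the outbound
# crossing is placed behind a sensor.
FIXED_FLOWS = [
    ("internet", "dmz", True),
    ("dmz", "corporate", True),
    ("corporate", "dmz", True),
    ("corporate", "internet", True),
    ("scada", "historian", False),
]


def build_graph(flows):
    """Adjacency list: zone -> [(next zone, inspected), ...]."""
    graph = defaultdict(list)
    for src, dst, inspected in flows:
        graph[src].append((dst, inspected))
    return graph


def reachable_paths(flows, start, target):
    """Return every simple (loop-free) path of zones from start to target."""
    graph = build_graph(flows)
    paths = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt, _ in graph[node]:
            if nxt not in path:          # avoid cycles such as corporate<->dmz
                stack.append((nxt, path + [nxt]))
    return sorted(paths)


def isolation_violations(flows, internet="internet", control_zones=("scada",)):
    """Rule 1: no path from the Internet may reach any control zone.

    Returns a list of human-readable paths; empty means the rule holds.
    """
    violations = []
    for zone in control_zones:
        for path in reachable_paths(flows, internet, zone):
            violations.append(" -> ".join(path))
    return violations


def uninspected_crossings(flows, internet="internet"):
    """Rule 2: every flow entering or leaving the Internet zone must be inspected.

    Returns the uninspected crossings as 'src->dst' strings; empty means the rule holds.
    """
    return sorted(f"{src}->{dst}" for src, dst, inspected in flows
                  if internet in (src, dst) and not inspected)


if __name__ == "__main__":
    for label, flows in (("sample", SAMPLE_FLOWS), ("fixed", FIXED_FLOWS)):
        print(f"[{label}] isolation violations: {isolation_violations(flows)}")
        print(f"[{label}] uninspected crossings: {uninspected_crossings(flows)}")
```

      Note that the checker reports transitive paths, not just direct rules: the sample policy never allows internet-to-scada directly, yet the internet -> dmz -> corporate -> scada chain is exactly the exposure the comment above warns about, and it only disappears once the corporate-to-SCADA flow is removed.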

    2. Re:Not necessarily monoculture by cayenne8 · · Score: 4, Insightful

      I guess again... I just don't trust them.

      Who's to say WHAT is a critical business infrastructure? Sure, it may start now with financial institutions, the power grid, etc...things I think many people could agree upon. But as with all govt. regulations....you will get scope creep, it is just the nature of the beast.

      Look at the recent discussion here about the move to force many if not most websites to conform to new ADA guidelines?!?!

      In that argument, they said they *MIGHT* not force private, small websites to comply....might not??

      Once the Feds can get into private companies and tell them what to do...it is kinda like the mob, they get more and more and more involved. Once this starts spilling over into small businesses...the cost of regulations will likely knock a lot of the smaller guys off, and close the market to new competition from smaller businesses.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    3. Re:Not necessarily monoculture by hedwards · · Score: 4, Insightful

      As opposed to the current business practice of bolting on a tin can solution to a gold plated problem? I mean seriously, corporations rarely if ever spend enough on cyber security. A lot of the massive exploits were only accomplished because the corporation that got ripped off wasn't even implementing the most basic policies.

      Having the government threaten to take over their network if they aren't properly securing it would likely go a long ways towards them actually behaving responsibly, even if the government never does it.

  11. Re:What is the determination? by LordLimecat · · Score: 5, Informative

    That has absolutely nothing to do with what's being proposed, according to TFA. This is about setting network security requirements and enforcing them, not shutting down threats of any kind. Grats on not reading the summary tho.

  12. Re:Wording is vague. by locallyunscene · · Score: 4, Insightful

    Thank you. I agree, defining standards is okay, but DHS should be the last one selected to do it. Networks like these need security, not security theater.