Slashdot Mirror


Cybersecurity Bill Fails Today In US Senate

wiredmikey writes "A development following the recently posted story Senate Cybersecurity Bill Stalled By Ridiculous Amendments — The Cybersecurity Act of 2012 failed to advance in the US Senate on Thursday. The measure was blocked amid opposition from an unusual coalition of civil libertarians — who feared it could allow too much government snooping — and conservatives who said it would create a new bureaucracy. The bill needed 60 votes in the 100-member Senate to advance under rules in the chamber, but got only 52. The failure came despite pleas from Obama and top US defense officials. The US Chamber of Commerce argued that the bill 'could actually impede US cybersecurity by shifting businesses' resources away from implementing robust and effective security measures and toward meeting government mandates.'"

17 of 72 comments

  1. we already got a thread by ganjadude · · Score: 2, Informative
    --
    have you seen my sig? there are many others like it but none that are the same
    1. Re:we already got a thread by dwillden · · Score: 2

      Well to be honest this thread still makes sense, as the prior post was about all the amendments. Whereas this one is about it dying.

      --
      I'm too lazy to compose a creative sig.
    2. Re:we already got a thread by Jeremiah+Cornelius · · Score: 5, Insightful

      It does nothing to enforce real security. Instead, it enshrines another layer of surveillance and privacy-reduction in law - with an enforcement arm that will be rewarded by stopping "cyber-threats" like using a UK proxy to watch the Olympics online. Then, like under the DMCA you can be treated like a terrorist.

      https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:we already got a thread by dgatwood · · Score: 3, Insightful

      Did you actually expect the government to improve security? These are the same people who keep telling us that the TSA makes us safer. For the most part, congresspeople don't even understand the most basic aspects of meatspace security. How could they possibly understand cybersecurity, which is orders of magnitude more complex? If you asked all of the U.S. Congress what a buffer overflow is, you would probably have fewer than twenty people who could answer the question, and I would not be entirely surprised if not a single one of them could answer it. And I can just about guarantee that none of them could construct even the most basic threat assessment for even the most simple network protocol.

      No, Congress will create an organization whose job it is to understand it, but they'll give it a mission statement that is entirely perpendicular to anything that would actually improve cybersecurity. Then, when things don't improve, they'll say that it needs more funding. All the while, they'll be siphoning off hundreds of millions of dollars to overpriced contractors in their districts so that when they leave the public sector, they'll have cushy consulting jobs waiting for them. Sadly, this is the way Congress usually does things. They don't take the time to understand the issues, and instead let a bunch of lobbyists write laws that almost invariably only serve to make the problem worse.

      For this reason, government is almost never the answer to this sort of thing. Industry standards bodies are. Until our congresspeople are clueful enough to understand that cybersecurity is fundamentally a problem caused by bugs in software, not a social problem caused by evil, malicious "hackers", they cannot possibly do anything but cause harm. Improving cybersecurity by trying to catch the hackers is like protecting a chicken coop by trying to catch all the wolves in the country. There will always be more wolves. What the coop needs is not traps, but rather walls and fences. Similarly, the only way government can usefully improve cybersecurity is by hiring computer security experts to serve as a cybersecurity swat team that does nothing but review code and software designs upon request from government agencies, private businesses, and open source projects. That level of scrutiny is useful. Anything else is a waste of time, money, and civil liberties, with no hope whatsoever of positively affecting our nation's cybersecurity.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:we already got a thread by Shifty0x88 · · Score: 2

      Actually not only are there bugs in software which let hackers in, but have you heard of social engineering??? That is the social problem that lets hackers in, people trust them too much.

      As for this quote: "The US Chamber of Commerce argued that the bill 'could actually impede US cybersecurity by shifting businesses' resources away from implementing robust and effective security measures and toward meeting government mandates.'"

      Oh, is that why everyone is getting hacked, because they are putting resources into security? HA, HA, HAHAHA. Yeah right.

      That is exactly the problem, we trust these companies to secure our private data (SSNs, Credit Card Numbers, etc.) and most of them cannot even do that right. I am not saying the government is the answer, but we need to make companies want to secure their data and web site, and to tell employees there that they need to be vigilant when it comes to security.

    5. Re:we already got a thread by dgatwood · · Score: 2

      Actually not only are there bugs in software which let hackers in, but have you heard of social engineering??? That is the social problem that lets hackers in, people trust them too much.

      Social engineering is, indeed, a social problem, but it isn't specific to cybersecurity. You can do social engineering just as easily by postal mail as email, just as easily by telephone as by IM, etc. The only way to solve it is by convincing people that they need to think before they disclose information.

      More importantly, the most damaging social engineering risks, at least as far as cybersecurity is concerned, can usually be thoroughly mitigated by proper design. For example, the old "I'm from your ISP. Could you verify your password?" trick fails completely if you require a physical token in addition to a PIN. To the extent that social engineering attacks are still successful, it almost always points to fundamental failures in the design, like requiring the user to keep something secret that the user doesn't perceive as having any importance.

      Oh, is that why everyone is getting hacked, because they are putting resources into security?

      First, not everybody is getting hacked. Second, my proposed solution, making government-paid security pros available to audit and scrutinize businesses, would solve those problems. It might be beneficial to add laws to make those audits mandatory whenever companies over a certain size or with certain pieces of information roll out major redesigns or something, but just having the resources available without huge costs associated with using them would be a great first step.

      Either way, no amount of network surveillance could possibly prevent any cyber attacks other than the most trivial denial of service attacks. In order to detect that bad requests are bad, you have to know that the flaw exists. Otherwise, you'll end up blocking legitimate requests. There's no reason I shouldn't be allowed to have "dgatwood'; drop table users" as my username, and unless you know that you have a quoting problem in your handling of usernames, there's no legitimate reason to disallow it. For that matter, if you treat such patterns as suspicious, I wouldn't be able to post this comment, so legitimate security discourse would be impossible.

      You don't prevent attacks by trying to chase after the bad guys. Period. That can't ever be effective because there are simply too many people outside the reach of U.S. law that have reasons to want to compromise our security, whether to steal money, pirate software, steal credit card numbers, or whatever. The only thing you can do is to try to make those systems as robust against attack as possible, and you can't do that through surveillance; you can only do it through actual code hardening, design hardening, etc.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
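
Added example, not part of the original comment: the username quoted above is run through a pattern filter, a query built by string concatenation, and a parameterized query, to show that the fix belongs in the quoting rather than in screening input. The `users` table, the `SUSPICIOUS` pattern and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample input: the username quoted in the comment above.
USERNAME = "dgatwood'; drop table users"

# Hypothetical signature of the kind a pattern-matching monitor would apply.
SUSPICIOUS = re.compile(r"'|;|\bdrop\s+table\b", re.IGNORECASE)


def signature_filter_allows(value):
    """Pattern screening: rejects any input that merely looks like SQL."""
    return SUSPICIOUS.search(value) is None


def register_concatenated(db, name):
    """The quoting flaw: the name is spliced into the statement text."""
    db.execute("INSERT INTO users (name) VALUES ('" + name + "')")


def register_parameterized(db, name):
    """The hardened form: the name is bound as data, never parsed as SQL."""
    db.execute("INSERT INTO users (name) VALUES (?)", (name,))


def try_register(register, name):
    """Return the stored names after registering, or None if the SQL broke."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY)")
    try:
        register(db, name)
    except (sqlite3.Error, sqlite3.Warning):
        return None  # the quote inside the data ended the string literal early
    return [row[0] for row in db.execute("SELECT name FROM users")]


if __name__ == "__main__":
    print("filter allows username:", signature_filter_allows(USERNAME))
    print("filter allows O'Brien: ", signature_filter_allows("O'Brien"))
    print("concatenated query:    ", try_register(register_concatenated, USERNAME))
    print("parameterized query:   ", try_register(register_parameterized, USERNAME))
```

The filter turns away both the comment's username and an ordinary surname containing an apostrophe, while the parameterized query stores the username verbatim and leaves the table intact.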

  2. Re:Don't forget Healthcare, Infrastructure, et al. by Reverand+Dave · · Score: 2, Interesting

    it had horrible anti-tons of shit tacked onto it targeting tons of shit. It's not like the gun provision alone is what made or broke it. I'm not sad to see it die at any rate.

    --
    I got here through a series of tubes
  3. I'm so sick by nrasch · · Score: 2

    I'm so very very very very sick of our govt doing their damnedest to turn us into a police state.

    This law like so many others is just a pathetic attempt to force ridiculous and unnecessary controls on us while giving the govt the ability to do anything they wish.

    I truly wish someone knew how to wake up the majority of people who live in this country, because this sort of nonsense needs to come to an abrupt halt.

  4. Re:*sigh* by Bigby · · Score: 2

    How would one do that? And before you say "you can't have two bullet points in one bill", what about bills that provide a service and a tax to pay for it? Should they be separate? Should there be a vote on each service individually?

  5. Re:Dont forget gun measures slipped in by Urza9814 · · Score: 2

    It had ATTEMPTS to get horrible anti-gun measures slipped in, along with a metric fuckton of other absurd amendments. I don't believe any of them were actually passed and added on to the bill though. Big difference.

  6. Re:Not unusual to to blocked by anyone by MickyTheIdiot · · Score: 2, Insightful

    If you think conservatives are civil libertarians then I have no idea what to say to you.

    Today's conservatives believe in absolute freedom of corporations and that's it. They have absolutely no care for any other freedoms save MAYBE the 2nd amendment. They don't care about any individuals' rights... just whatever gets their corporate buddies a bit more money.

  7. Re:The free market will fix it by Anonymous Coward · · Score: 3, Insightful

    Just keep the government out of the way and the companies themselves will take care of it. No need for worries.

    Yes!

    We should have let:

    Enron take over energy policy,
    Madoff take over social security,
    Lehman Brothers take over mortgages,
    and so on

    The free market is perfect and always optimizes (someone's wallet).

  8. Re:Not unusual to to blocked by anyone by Urza9814 · · Score: 2

    They care about more than just corporations. They also care about things like banning free speech to "fight terrorism" and banning abortions to "protect a right to life" while encouraging an increasing number of deaths at the hands of our police and military...

  9. Re:Not unusual to to blocked by anyone by Microlith · · Score: 2

    Conservatives are currently the ONLY civil libertarians left in government

    Conservatives? You need to get specific, as currently the Republican party lays claim to that term and they are ANYTHING but "civil libertarians."

    the mass of Democrats voting in lock-step.

    Hilarious. The diversity of opinions in the Democratic party is one of the reasons they've had a hard time pushing past Republican stonewalling. If you want lock-step voting, look at the Republican party.

    as long as it means less intrusive government

    You will not see this from anyone currently in DC.

    consider picking for the other offices you vote for the most conservative candidate possible

    Again, define "conservative." The most "conservative" candidates today seem to be religious fundamentalists who are all too happy to cater to corporate interests.

    for the candidates that at least say they want to reduce the power and scope of the federal government.

    They at least "say" that, but then do so by attacking useful bits of the government in favor of the corporations stuffing money in their pockets.

  10. Re:The free market will fix it by JBMcB · · Score: 2

    Enron take over energy policy,

    You assume we need one, big, monolithic "energy policy." As though a single entity could create an effective policy of that magnitude and complexity.

    Madoff take over social security,

    Well, it *is* a Ponzi scheme to begin with:

    Where do social security surpluses go? To buy treasury bonds
    Who gets the money from the sale of treasury bonds? The federal government
    What does the federal government do with that money? Spend it
    When the social security administration cashes in those bonds, who has to pay them? The federal government
    Where is the federal government going to get the money to reimburse social security? Good question, any guesses? :)

    The free market is perfect and always optimizes (someone's wallet).

    The free market is not perfect, but if a good or service is poor, it allows for alternatives that might be better. When the government has a monopoly on something, there ARE no alternatives. You better hope it's run damn well, because with a bureaucracy that large, you aren't going to change it.

    --
    My Other Computer Is A Data General Nova III.
  11. Misleading Vote by Jah-Wren+Ryel · · Score: 2

    The bill needed 60 votes in the 100-member Senate to advance under rules in the chamber, but got only 52.

    That is one of those technically true but exceptionally misleading statements.

    Senate bills normally only require a majority vote to pass. But what started in the 80s and has increased markedly since the last presidential election is the abuse of the filibuster. Nowadays a bill can pass in the senate with only a majority vote if the minority party - the GOP - supports it. But if the GOP leadership is opposed to it, they filibuster it such that 60 votes are required, which is generally impossible because of the intense partisanship. So despite the senate being slightly majority democrat, they only tend to pass things that are favored by the GOP.

    What's worse is that it doesn't take an actual filibuster, only the threat of one. And even when an actual filibuster is invoked, it doesn't require that the senators stand on the floor and engage in ongoing debate or speechifying like the way us non-politicians would expect.

    --
    When information is power, privacy is freedom.
  12. Re:Not unusual to to blocked by anyone by dryeo · · Score: 2

    This is what is weird about American politics (disclaimer, I'm not American). You've managed to totally warp language.
    Conservative basically means someone who wants to go back to the old days. The old days varies but is usually some imaginary time when things were perfect for their kind of people.
    Progressive is the opposite, they want to go forward to some imaginary time where things are perfect for their type.
    Liberal means freedom so by definition liberals want freedom, so are the opposite of authoritarian.
    The right wing is the branch of government that supports the aristocracy, which usually means authoritarian as by their very nature the aristocracy wants to keep their station in life and will use authoritarian means to keep it.
    The left wing is the branch of the government that represents the common person and often respond to authoritarianism with their own authoritarianism or being nice people get hijacked by authoritarianism types.
    Personally I've always been anti-conservative as I've always believed in freedom, equality and keeping the government out of my life. Having watched the conservatives' actual actions for 40 odd years I haven't seen any reason to change my mind even though they always do say the opposite of what they do.
    You seem to have totally flipped the meanings of these words, claiming liberals want to unite business and government when as usual the right wing is full of business men (and women, yea for progress) who want to use government to further their business agenda and the left wing seems to have been banished sometime in the early 20th century so now you have 2 branches of the right arguing that they are actually for the people yet both act almost the same except for a little bit of lip service.

    --
    https://en.wikipedia.org/wiki/Inverted_totalitarianism