Slashdot Mirror
Will It Take a 'Cyber Pearl Harbor' To Break Congressional Deadlock?
Hugh Pickens writes "For years lawmakers had heard warnings about holes in corporate and government systems that imperil U.S. economic and national security. Now Ward Carroll writes that in the face of what most experts label as a potential 'Cyber Pearl Harbor' threat, Republicans have stalled the Cybersecurity Act of 2012 with a Senate vote of 51–47 against the legislation. This drew a quick response from the staff of Secretary of Defense Leon Panetta: 'The U.S. defense strategy calls for greater investments in cybersecurity measures, and we will continue to explore ways to defend the nation against cyber threats,' says DoD spokesman George Little. 'If the Congress neglects to address this security problem urgently, the consequences could be devastating.' Many Senate Republicans took their cues from the U.S. Chamber of Commerce and businesses that framed the debate not as a matter of national security, but rather as a battle between free enterprise and an overreaching government. They wanted to let companies determine whether it would be more cost effective — absent liability laws around cyber attacks — to invest in the hardware, software, and manpower required to effectively prevent cyber attacks, or to simply weather attacks and fix what breaks afterwards. 'Until someone can argue both the national security and the economic parts of it, you're going to have these dividing forces,' says Melissa Hathaway, a White House cyber official in the Bush and Obama administrations. 'Most likely, big industry is going to win because at the end of the day our economy is still in trouble.'"
Yes, when cyborgs attack Pearl Harbor, congress will probably do something about it.
How many burn victims will we have to compensate, versus this 25 cent piece we'll have to put on 1,000,000 cars?
A "cyber-Pearl Harbor" would break congressional deadlock in only one sense: You'd get the online equivalent of the Patriot Act. Politicians only seem to be able to agree on conceding civil liberties for the fake perception of security.
While the internet had its roots in DARPA, the reality is that the "public infrastructure" is privately owned. Critical government systems should not be on it. Critical privately owned and operated services (power, telecom, etc.) should be hardened to the extent that the provider desires or the contracts that they signed with various municipalities require.
I've worked contract gigs with the armed services and I have a lot of respect for the technical skills they have, but that's irrelevant. Companies and businesses should be able to make their own decisions and benefit from their good decision making or suffer from their poor decision making. Anywhere that government intersects with private industry, it's on the government to make sure their contracts properly spell out their requirements. End of story.
The problem with legislating "security" is that you end up with "compliance" instead. The companies get a checklist and fill it in with the cheapest "solutions" possible that will allow them to check off each item.
It's a start. Right now, most companies have no idea how to handle anything other than "run anti-virus software" on as many machines as can be conveniently handled.
It isn't deadlock every time a bill is voted down. Sometimes it's just a bad bill and SHOULD be voted down.
"First they came for the slanderers and i said nothing."
...the Congress is guaranteed to make the wrong decision, in response.
The Pentagon wants its Internet back, and Central Planning works -- just look at how efficiently it drained the Aral Sea. I think a nice Star topology could work very well for the great tubes.
Forward! -- Emperor Norton, 2012
I guess we didn't learn anything from when 9-11 happened and we created the TSA, a group of intrusive busybodies at best and molestors at worst.
Or organized all federal law enforcement under the DHS without actually thinking about how it would coordinate things so we have another layer of government that is busy trying to justify their existence by going after random stuff. I hear they do copyright enforcement now?
I suppose we are set to see a Cybersecurity Agency with powers to monitor everything and permaban people from the internet based on anonymous accusations like the no-flight lists? What's the worst that could happen?
That's how politicians work.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
It's the Lagislature.
A feeling of having made the same mistake before: Deja Foobar
Really. What is next? Legislation for locked doors?
Hate to break it to ya, AC, but...
http://www.allbusiness.com/glossaries/attractive-nuisance/4949344-1.html
Yea, some places are that fucked up.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
" absent liability laws around cyber attacks "
Not only do they not want to have security they don't want to be held liable when someone gets all the users personal information.
Don't want that law? Fine.
You get fined $100,000 or 1% of your revenue(which ever is lower) for each breach, and you must pay each user whose information was compromise 10,000 dollars.
You bet you ASS corporate security would tighten up, and corporation would put pressure on MS to improve their security.
The Kruger Dunning explains most post on
'Most likely, big industry is going to win because at the end of the day our economy is still in trouble.'
Is "our economy is still in trouble" the new "we are at WAR with terror"? Mr Pickens is accurate and timely but this line just feels a little too canned. Are we going to have to spend the next 5 to 7 years hearing "butbutbut RECESSION!" any time something hard to swallow makes a headline?
Republicans have stalled the Cybersecurity Act of 2012 with a Senate vote of 51-47 against the legislation
So, I am not an expert on politics, but in the current congress, there 51 democratic senators, 47 republican senators, and 2 independents (both of whom caucus with the democrats). By my count, if every single senate republican voted against this, that still only comes to 47 votes. That means that the other 4 would have had to break ranks with the democratic party. So, just who is at fault here?
Just saying.
"Critical infustructure" has always been vulnerable to attack... countless thousands of miles of unguarded rail, transmission lines, hundreds of thousands of square miles of unguarded lands with easy access to aquifers, Ignition hazards around all manner of unguarded hydrocarbon storage facilities. Little furry creatures enjoying unfettered access to carry out suicide missions inside of transmission facilities. Construction operators and sailors accidently knocking out communications to entire cities and countries.
If you just follow common sense and keep your control shit off the net then external state actors who wish to damage your critical infustructure will need to try just a little bit harder than some made for TV scheme you heard about on 24 and therefore assume must be real.
Operational security against insider stupidity and bad actors is always a good thing but only in as much as it is done in the context of realization security of a system is only as good as its weakest link.
At the end of the day infustructure protection is a physical issue not a cyberspace issue and it does not deserve special attention above and beyond the considerations made for physical infustructure.
Any cyber doomsday scenarios by coordinated takeover of command and control can be avoided by keeping shit offline and using local interlocks which do not answer to C&C..hey that thing aint phase matched I don't think I will connect it up just yet... hey I'm overheating...I think I'll just shut down rather than melt into a pile of goo...tanks full...I'm going to stop pumping now... shit that should exist anyway and would go a long way to saving critical infustructure from the accident prone humans who operate it regardless of their intentions.
Is jut easier to do it the attack and blame whoever in the world, as it all digital and at the reach of any owned computer anywhere. Even to build up the vulnerability to get attacked and be sure that it affects something in a visible way, if wasn't available before.
Its time for the TSA to extend its reach to go from just the people that board planes in US, to the entire world. They already proved how trustable are.
The US has not passed a proper federal budget since NINETEEN-FUCKING-NINETY-SEVEN. We sit on the edge of a "fiscal cliff" not because the government can't work together today to undo the one functionally useful compromise they made last year, but rather, because they haven't managet to work together in decades.
Yes, eventually a foreign enemy will take advantage of our weak stance on cybersecurity. Yes, it will take a "Pearl Harbor" moment to make anyone recognize the problem (to which they'll respond by enacting tougher copyright laws, of course). But cybersecurity falls so far down the list of real problems we face as a country that, even as an IT professional, I honestly can't get all that worked up about it.
When we have our house in order; when we have a balanced budget; when we stop fighting our grandfathers' wars; when we stop worrying about legislating in time with the "news cycle"; when we have a stable economy and don't wonder what our tax rates next year will look like; when the losers in Washington start acting in the public interest instead of demanding we buy chastity belts for all our generals - Then perhaps we can worry about beefing up our national network security.
Until then - Quit bailing with teaspoons and grab a godamned bucket!
We don't need a digital Reichstag Fire false-flag attack to justify surrendering our freedoms for security.
Yeah. When it doesn't need to be "false flag".
Collateral damage to your own industrial infrastructure is enough to make the risk of escalating "cyber warfare" a lose-lose proposition.
Cyber Weapon Friendly Fire: Chevron Stuxnet Fallout
In the end, this will be used as the basis to kill your free Internet, that with all its warts and pitfalls, is far more valuable than the heavily-policed alternatives.
That sub-genius Richard Clarke has been squawking this kind of lame bullshit since Clinton was not having-sex-with-that-woman. :-)
"Flyin' in just a sweet place,
Never been known to fail..."
There's no "basic assumption", it's just the only real good way we know how to do these things. The industry, as a rule, is only interested in information security if they are forced to. In my experience, 99% of organisation won't lift a finger about security without a legal threat, ideally backed by a big fine in case of non-compliance. We are far, far away from any hope of seeing the industry self-regulate over something like this.
Republicans have stalled the Cybersecurity Act of 2012 with a Senate vote of 51–47 against the legislation.
Last I heard, the democrats had a majority (and the tie-break vote) in the senate. Why blame this on the republicans?
Many Senate Republicans took their cues from the U.S. Chamber of Commerce and businesses that framed the debate not as a matter of national security, but rather as a battle between free enterprise and an overreaching government. They wanted to let companies determine whether it would be more cost effective — absent liability laws around cyber attacks — to invest in the hardware, software, and manpower required to effectively prevent cyber attacks, or to simply weather attacks and fix what breaks afterwards.
Not that I advocate waiting can cleaning up the mess later, I fear that all we would be doing is creating a safe harbor for companies by the proposed approach (basically I did the government recommendations, still got hacked, no problem). It would be much better to clarify what companies would be liable for and how much. I think better tradeoffs could be made rather than with a proscriptive government approach. See Section 706 of the bill: http://www.govtrack.us/congress/bills/112/s2105/text .
Even if this doesn't pass, for federal infrastructure and infrastructure deemed important to national security, Obama can unilateral impose most of these things as an Executive order for government entities and contractors.
As written the bill attempts to force IT that causes the interruption of life-sustaining services, catastrophic economic damage (vs just severe degradation of national security or national security capabilities) which is a much wider scope. You might argue as written, this bill is so vague that could be construed to apply to Amazon, or Google, or even a small airline or bus or telephone company that has the only service for an isolated area. Also as with many bills, it comes with its share of government overhead (appropriations for national education and awareness programs, recruiting for various government agencies, etc)...
I guess it's still divided government, and very few people want to write a good bill, but just try to force their bill and blame the other side for not being able to pass them... Sigh...
In case you truly don't know and are not trolling, the U.S. Senate has filibuster procedure [http://en.wikipedia.org/wiki/Filibuster]. It allows a minority to hold any legislation hostage. It requires super-majority of 60 votes to break filibuster [http://en.wikipedia.org/wiki/Supermajority#Three-fifths_majority]. Filibuster used to be an exception, but republicans made it mainstream in the last two decades blocking many Democratic legislations.
So yes, "Republicans have stalled the Cybersecurity Act of 2012 (using or threatening to use filibuster) with a Senate vote of 51-47 against the legislation".
Define "proper federal budget", because they have passed federal budgets since then - mind you the last time a budget was passed by both houses of congress was 2009 (the democrat controlled senate has refused to pass a budget since then)
I mean passing an actual, complete federal budget. The 2009 "budget" only contained an omnibus spending bill, not an actual budget.
You may call that picking nits, but it has both a constitutional and a practical basis. Constitutional, because Article I requires congress to enact a federal budget. Practical, for the same reason you make a personal budget - And the federal government has much more complicated finances than you or I do.
I'm involved with teaching cybersecurity for DHS. Our network, that we use to develop cybersecurity classes, is about as secure as the "lock" on a bathroom stall. But we sure are in compliance with a lot of regulations! A coworker and I were just discussing the fact that agency "security" regulations prevent us from making things secure. Example "anything hashed must be hashed with MD5". MD5 is broken, so we were going to use SHA-256, but regulations don't allow SHA-256. The other end refuses to use MD5 since it's broken, so we have to send the data in clear. With no"security" regulation it would be SHA-256 hashed. To comply with the "security" rules, we have to send it in the clear, out in the open. Such is government regulation.
I know there are a lot of people who make their livings out fear mongering and over-hyping threats. And like Y2K, cyber attacks is one of them. So stop it.
Schwarzenegger will save us.
Exactly.
When government itself can't even harden its own systems and air-gap critical systems from the wild and woolly web, putting them in charge of controlling the internet in general is simply the TSA all over again.
The Cyber Security act was and is simultaneously too broad and to toothless. It would be necessary to prop it up with all sorts of invasive regulations. It would inevitably lead to internet police, and digital pat-downs of every aspect of internet usage.
I wish people would stop couching things in Republican/Democrat terms and actually LOOK at the legislation.
Sig Battery depleted. Reverting to safe mode.
"For years lawmakers had heard warnings about holes in corporate and government systems that imperil U.S. economic and national security"
AccountKiller
What is sad is an attack by Iran or anonymous will be needed and government intervention because the PHBs are stupid and retarded with their internet enabled report generations from the marketing videos.
PLCs and not website hacking is the biggest threat in which Iran wants to do out or revenge for Stuxnet.
http://saveie6.com/
As has been pointed out many times on Slashdot, computers that control critical infrastructure are connected to the Internet more often than not, due to factors ranging from operator's creating unauthorized connections for personal convenience, to management wanting flashy real time reports to government regulations requiring offsite backup of process parameter data history.
Those PLCs on unpatched XP boxes are not secured on purpose due to retarded management. Sadly we need laws and an attack on the US wont be on websites but by these PLCs from the likes of Iran or someone else.
http://saveie6.com/
How much of this is legitimate worry and how much of it is the military industrial complex kicking up fear in order to get more money?
or else!
:)
The attack on Perl Harbor is now in phase 5.16.2, see our live coverage on CPAN.
I've never been able to grok this 'Pearl Harbor' metaphor thing, it is used to point out something no one could have possibly foreseen before it happens, which is a form of fore-seeing so whatever is being discussed could not ever later have been un-foreseen. Does that make any fore-sense?
Not to mention that unlike the ThisGATE ThatGATE AnythingGATE headline absurdity which is for fun and entertainment purposes only -- during the Pearl Harbor attack many men died defending their country and to a certain extent casual banal use of the term -- especially for things that are no-brainer fore-seeable, dishonors their memories.
<blink>down the rabbit hole</blink>
The US has not passed a proper federal budget since NINETEEN-FUCKING-NINETY-SEVEN.
Ooh, yeah, I like the fact that wars have managed to stay off the budget completely. What's up with emergency supplemental appropriations bills that funded Iraq/Afganistan? Where were the budget-conservative Republicans when those passed?
(I know that both parties are the same, blah blah... but Republicans _are_ running on "no more taxes/no more debt" platform)