Sen. Ron Wyden Says CISA Data Collection Could Put Americans At Risk
blottsie writes: In a new interview, Sen. Ron Wyden (D-Ore.) says the Cyber Information Sharing Act of 2015 (CISA) may put more Americans at risk because the U.S. government has failed to learn the right security lessons from the attack on the Office of Personnel Management. He says, in part: "I've been watching as this goes forward—there's this phrase going around the cybersecurity community, 'If you can't protect it, don't collect it.' Now, there is never going to be a system that's 100 percent safe. But what I'm going to start [saying] on the floor as we get to this [CISA debate], is, you give the government a huge new trove of personal information about Americans before you've addressed the problems that were documented all the way back to 2007—those security holes—before you address those, [before] you plug them, that's like responding to a bear attack by stockpiling honey. That's going to be how I open the debate."
No security measure can fix that.
Hell, OPM handed out root access to "workers" remoting in from China, for fuck's sake. And the clowns who did it are still not in jail.
It starts at the top, too. Just listen to Hillary! apologists making excuses for her and her classified emails in her fucking basement, all because they - for some strange reason - think Hillary! is on "their team", whatever team that may be.
It doesn't matter if a terrorist gets your data. Terrorists can't vote. It's the citizens you've got to watch out for; you need enough data on them to make sure you'll know how they'll vote before the candidates are even announced. This way you also know how to redistrict and which empty promises to make.
Don't waste your vote! Vote for whoever you want; unless you live in a swing state, it won't matter anyway.
If you aren't collecting it, it's going to be far more secure in the long run.
These idiots who think putting us all under surveillance, or monetizing our personal information, need to be forced to stop this BS legally.
I don't see H's server choice as a security argument. The "regular" office server, the one she should have been using, was not designed for classified info either and there's no evidence it had better general security than her "home" server.
There are plenty of other reasons to criticize her actions, but "security" is not one of them.
I suppose one could argue she was more likely to mix up personal and work email, but that can happen regardless. One can mistype the destination on any device or email service. Such an argument is splitting hairs on what kind of typo is most likely, which is probably personality specific such as to make it highly speculative. The kinds of mistakes I make often have a different pattern than those of others. It's one of the reasons I welcome wide feedback on any of my draft UI designs.
Table-ized A.I.
oooh...responding to your GPS being stolen from your car, by taking all of the valuables in your bank safe deposit box and keeping them on the passenger seat instead.
"I opened my eyes, and everything went dark again"
Senator Wyden has been pretty vociferously against mass surveillance, on repeated occasions.
Some examples:
http://www.theatlantic.com/pol...
http://www.huffingtonpost.com/...
http://www.newsmax.com/Newsfro...
Based on 20 years of experience in both, my experience is that I'd rank private industry 3/10 and government 1/10. The nature of the type of government we seek to have means we often have to balance priorities like openness and fairness against things like efficiency and security.
For one clear example, consider the "need to know" versus the Freedom of Information Act. A private organization publishes about themselves what they want to publish*. They don't publish anything about their network infrastructure or anything, because they have no reason to. "Need to know" is a fundamental security principle, meaning that it's more secure to avoid spreading any information to anyone who doesn't need that information. In government, any and all records are wide open to the public under FOIA, every email ever sent, every order placed, every network diagram, unless it's specifically declared to be secret, with appropriate justification. You can see how making all of your documents, your network infrastructure plans, model numbers of security appliances, list of security services, etc. available to the public can give attackers a head start. That doesn't mean FOIA is a BAD thing overall, it just makes them a tad easier to attack.
Further, the government tends to have private information on EVERYONE legally in the country. A bad hack on a bank might release a million social security numbers. The government databases have all 320 million social security numbers, everybody's tax return, etc. That means they are a) a more attractive target and b) the damage is much worse when they are hacked.
Also, the bigger an organization is, the slower they are, in general. No private organization is anywhere near the size of the US government. Some government security requirements still REQUIRE the use of MD5. As you may know, MD5 was broken in 2010. We're still required to use it. On one project we fought to be allowed to use a secure algorithm, but the documents require what they require. Maybe they'll be revised in another ten years.
Along with the last point, at Apple or Google, the CEO (or CSO) can make a decision and send out an email "don't collect any more social security numbers" and within weeks it's done. Making changes to the US government sometimes requires an act of Congress - _and_that_is_a_good_thing_. We WANT changes to the government which controls so much of our lives to be done carefully, thoughtfully, slowly. That's a good thing, but it reduces their ability to respond quickly to emerging threats.
One last point just to demonstrate that the government isn't just another big organization. What company in the world fires their entire senior management team, the CEO, CIO, CFO, and company president every four years? Nobody. That would be catastrophic. The US government does that. The federal government really is a special case. Not necessarily _bad_ - it's great that changes are up for public debate. And it took more than 20 years to make the decision to change to a different health plan, Hillarycare/Obamacare, plus another 10 years to fully implement it. What company takes 30 years to switch to a different health plan after the executives have decided they want to do so?
* If corporations sell stock publicly, they do have to release a high-level overview of their financial situation. That summary info is nothing compared to being forced to release all of your emails.
The privacy and constitutional issues aside for a bit, I agree it isn't safe to collect all this information. But it never will be.
"D" stands for "Defense". It wasn't a defense agency. I'll give you some kudo points if you can show that her agency was subject to DISA STIGs at the time, and more kudo points if you can show that the office server in question passed a review.