Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

New Legislation Would Federalize Cybersecurity

Posted by samzenpus on Wed Apr 01, 2009 11:27 PM
from the big-brother-security dept.
Security Government Politics News
Hugh Pickens writes "Senators Jay Rockefeller and Olympia J. Snowe are pushing to dramatically escalate US defenses against cyberattacks, crafting proposals in Senate legislation that could be introduced as early as today, that would empower the government to set and enforce security standards for private industry for the first time. The legislation would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. 'People say this is a military or intelligence concern, but it's a lot more than that,' says Rockefeller, a former intelligence committee chairman. 'It suddenly gets into the realm of traffic lights and rail networks and water and electricity.' The bill, containing many of the recommendations of the landmark study 'Securing Cyberspace for the 44th Presidency' (PDF) by the Center for Strategic and International Studies, would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. The legislation calls for the appointment of a White House cybersecurity 'czar' with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway. It would require the National Institute of Standards and Technology to establish 'measurable and auditable cybersecurity standards' that would apply to private companies as well as the government. The legislation also would require licensing and certification of cybersecurity professionals."
+ -
story

Related Stories

Submission: New Legislation Would Federalize Cybersecurity by pickens (49171)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

New Legislation Would Federalize Cybersecurity 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • Standardized KeYing NETwork.

  • Not such a good idea (Score:5, Interesting)

    by Bruce Perens (3872) * <bruce@pe[ ]s.com ['ren' in gap]> on Wednesday April 01 2009, @11:35PM (#27426943) Homepage Journal
    I don't tremendously trust the government to:
    • Maintain competence in a technical topic undistorted by political agendas.
    • Be free of influence from deep-pockets technical companies to the disadvantage of smaller and disruptive players.
    • Be platform-indepependent in their requirements and certification process.
    • Segregate the power to turn off segments of the network to manage attacks vs. turning them off to manage other issues such as some mis-guided concept of "piracy", etc.

    I side with Vinge in believing that segmentation of the network is a sure indicator of a government going feral.

    Bruce

    • Re:Not such a good idea (Score:5, Insightful)

      by rackserverdeals (1503561) on Thursday April 02 2009, @12:04AM (#27427087) Homepage Journal

      Yeah but what can we do? We're just a bunch of people that bitch and moan on slashdot.

      If only there was some respected, well known figures in the tech world that could try and get the ear of people that mattered.

      If only there was someone that already had advised the Obama administration, other national governments and even spoke at the UN that could raise the concerns with people that matter. :)

      • Re: (Score:3, Insightful)

        by fferret (58662)
        Speak for yourself. I'm a /.er who bitches, moans, and runs two private networks, the one at work, and the one at home. I agree that the government cannot be trusted to be impartial, but I also agree that cooperative action must be taken to forestall a network issue. Perhaps the best way to handle this would be a mutual cooperation agreement between the upstream ISP, and the private network admin. That would be sufficient for most problems. Since the Internet is non-deterministic, anything widespread e

      • Re: (Score:3, Interesting)

        by Bruce Perens (3872) *
        Yes, if I work really hard at it I can get admitted to see the policy analysts for various politicians. It's not like they drop everything to talk to me. If I want to do this I'm going to have to start collecting donations (again) because it is otherwise a pretty fast path to being broke, with the days out of work for travel and meetings, paying for flights, etc.

        Bruce

    •   * Appoint people who know how to do all of the above, or who will listen to people who would give them good advice.

      SB

    • Re:Not such a good idea (Score:5, Insightful)

      by phantomfive (622387) on Thursday April 02 2009, @12:32AM (#27427209) Homepage Journal
      Optimist! :)

      Personally I don't trust government to:
      • Maintain competence. Period.
      • Be free of influence from deep-pocket companies. Period.
      • Come up with any sort of sane requirements. Period.
      • Manage power in any way that doesn't attempt to increase their own.

      In choosing democracy we've (wisely) given up some effectiveness in government in order to avoid having dictators. However this current government seems to have gone off the deep end, insanely grabbing power, and then not knowing what to do with it once they have it.

      On the bright side, after the coming mass-inflation, they essentially won't have any power due to the fact that they'll have no money (at least, no money that's worth anything). On the depressed realistic side, how can we reasonably expect our representative government to manage money/things when half the population is incapable?

      • Re:Not such a good idea (Score:4, Insightful)

        by jandersen (462034) on Thursday April 02 2009, @03:20AM (#27427707)

        I know it is a national pastime in America to be as negative about government and politicians as possible, and unfortunately it isn't all unjustified. But if you can't see anything good or positive even in your worst enemy, you are seriously blinkered; and what is worse, you cut yourself off from the possibility to communicate from a common basis and thus from any chance of exerting any influence. Isn't this what keeps all the stupid regional wars going for generations? The Middle East, Sri Lanka, Northern Ireland until recently, much of Africa etc etc.

        Your all-out, negative attitude actually plays into the hands of lousy politicians - they want you to think it is hopeless to try to change things, so they can't go on and line their own pockets they way they know best.

        • Re:Not such a good idea (Score:5, Insightful)

          by phantomfive (622387) on Thursday April 02 2009, @02:43AM (#27427587) Homepage Journal

          How so? Attaching some strings to the tax money they pump into failed businesses?

          You clearly haven't been paying attention. Apart from trying to tax bonuses with unconstitutional laws, they've bailed out some companies while letting others fail with no clear motive, they've bailed out companies when letting them fall into bankruptcy would likely be a better option, they've spent a lot of money on projects that won't particularly help the economy all that much, they've spent so much money that inflation will be hard to avoid in the near future (and you REALLY don't want inflation during a recession), they've sent unclear messages about what they are trying to accomplish (some have speculated that Bernanke's ultimate goal is to never be accused of not spending enough), and on top of it they've proposed a budget that will triple the national debt in 10 years, and double it in five. If you want to go back a little farther, we can talk about starting two wars, not a great idea to begin with, but more importantly they were waged with clear incompetence from the beginning.

          As for the new cyber-security initiative being flawed, compared to what? The baseline is: nothing.

          I don't know if you are trolling here, or if you just haven't read the article, but they want the power to shut down any network they want. This is significantly worse than nothing, for reasons pointed out by Bruce above.

          Sometimes it is better to do nothing. As the saying goes, "Don't just do something, stand there!"

            • Re: (Score:3, Insightful)

              by hrvatska (790627)

              they've bailed out some companies while letting others fail with no clear motive

              Actually, the motive is very clear, at least in the case of General Motors. It's spelled "Labor Unions".

              Pretty simplistic view of a complex situation. It might also be spelled "saving one of the last major US owned industrial companies". Or maybe it's spelled "preventing the uncontrolled and disastrous collapse of economies of Michigan and Ohio." What's it spelled when both the UAW and bond holders of GM are told by the Obama administration they both need to make major concessions or GM will go bankrupt? Or what's the spelling of the cost of sorting out the pension mess would exceed the amount we've loane

    • "a government gone feral"

      I argue that it's an inevitable outcome of ecological diversification of information and the Internet. It's not just occurring in the United States. The internet is "speciating", evolving differentiation in order to limit infectious memes.

      http://www.realmeme.com/roller/page/realmeme?entry=global_differentiation [realmeme.com]

      Is our government nuts?
      Well, yes.
      But that's a separate issue.

    • Re:Not such a good idea (Score:5, Informative)

      by clarkkent09 (1104833) on Thursday April 02 2009, @01:09AM (#27427329)
      Missed an important one:

      - Not abuse access to data held by said companies

      Let me get this straight, NSA (the agency recommended for the job according to tfa) will conduct "ongoing audits" of private networks owned by the utilities (telecoms too?) and nowhere does it say that this does not include access mountains of data held by those utilities on just about every person in the US

      • Re: (Score:3, Insightful)

        by Toonol (1057698)
        For every positive what if, I can construct a negative one, and it's more likely to come true. We want the government that governs least; that's the best (to paraphrase). When any action from the government is likely to make the problem worse (evidence: I point to the economy), the best course is to forbid it from meddling at all.

      • Re:Not such a good idea (Score:4, Insightful)

        by drinkypoo (153816) <martin.espinoza@gmail.com> on Thursday April 02 2009, @06:59AM (#27428383) Homepage Journal

        I think that the government needs to have a hand in every industry that profits off of people's misfortunes.

        Wow. I mean, just mega-wow. Are you serious?

        The government is already involved in every industry that profits off of people's misfortunes. The automotive insurance industry exists in its current form because it was able to purchase legislation which mandates its use. The medical insurance agency, big pharma, the banks that mushroomed all these mortgages all out of proportion to what they should have been (besides which, while I do believe in caveat emptor I also believe that of all things you should be able to trust that a bank will act conservatively most of the time) and the RIAA all function under bought-and-paid-for legislation.

        If you think more government intervention in these things is going to improve them, think again.

  • Rockefeller and Snowe? (Score:4, Interesting)

    by cusco (717999) <brian,bixby&gmail,com> on Wednesday April 01 2009, @11:35PM (#27426945)
    Do either of them have any clue about what they're legislating? Hope they've got someone on their staffs who know the difference between a SCADA system and a server farm, because I'm quite sure they don't. The alternative is that they've let the intel agencies and the security industry write the legislation, which is just about the worst possible alternative.

  • Cybersecurity 'Standards" (Score:5, Insightful)

    by actionbastard (1206160) on Wednesday April 01 2009, @11:47PM (#27427001)
    "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government.

    Until your elected representatives fully understand that any public infrastructure networks should not be connected to the 'Internet' -for any reason- any discussion of 'cybersecurity' is simply wasted words. WTF does it take for these 'public officials' to realize that critical infrastructure networks need to be completely isolated and secured from the hostile environment that the 'Internet' has become?

    • Re:Cybersecurity 'Standards" (Score:5, Insightful)

      by jofny (540291) on Thursday April 02 2009, @12:00AM (#27427067) Homepage
      "Public Officials" have absolutely -nothing- to do with where "public infrastructure" networks are connected since this "public infrastructure" is almost exclusively -privately- owned. You really, really don't want the federal government making these decisions. Really.

      • Actually they do (Score:5, Insightful)

        by actionbastard (1206160) on Thursday April 02 2009, @12:08AM (#27427101)
        'Public officials' are responsible for making sure that infrastructure like traffic lights, water systems, sewage systems, and the like, are completely secure and isolated from any 'public' network like the 'Internet'. If the control systems for these critical systems are connected to the 'Internet', every citizen should be outraged at the complete disregard for the security -or lack thereof- for these systems.
        • 1. The people who own those assets are responsible for it, at the end of the day. In many cases, they're private companies which are free to figure out how to run their own businesses as they see fit. In some cases, it's a sort of mixed situation where they're owned by local municipalities with some of the same constraints (and sometimes additional constraints) as privately owned utilities. Finally, some are nationally regulated.

          2. It would have been nice to never have connected these utilities to the in

    • Re: (Score:3, Informative)

      by jofny (540291)
      As an aside, if you do actually want to get educated on current efforts, start here: http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm [dhs.gov]
      • Common sense approaches to system security tell me that if I was in charge of these systems they would be secured by every means possible. There is absolutely no excuse for exposing critical infrastructure to attack by every thirteen year old Romanian hacker on the planet because I was not familiar with the latest means to secure my networks. This is, after all, the 21st Century.
        • You obviously do need an education here. Go check out the actual reality of the situation, how about? As I said, read the NIPP. Then HSPD-7 which generated it. Then look at the sector specific plans. Then check out the archives of SCADASEC for some asset-owner perspectives. Maybe you'll come away with a better idea of the grey, in-progress state it's in, the progress that's been (or not) made, and what the financial and operational constraints are. Some of it sucks. Some of it's good. Mostly, it's an evolv

    • Banking?

      The same story applies. Your bank account details are so precious that they should never be exposed on the internet. And yet you do use online banking. The benefit in convenience outweighs the security risk.

      The same convenience applies to water, electricity, traffic lights and other parts of the public infrastructure. If we can manage the risk through security protocols, then using the public internet for remote management makes for increased efficiency.

      Increased efficiency is a good goal. If the on

  • Right! (Score:5, Insightful)

    by koterica (981373) on Wednesday April 01 2009, @11:48PM (#27427011) Journal
    Because US government officials ALWAYS make good technical decisions. Because the placement of officials is NEVER based on politics rather than skill.

    Maybe we could legislate some openness instead.

  • Never was the "It's a Trap" Tag More Appropriate (Score:5, Interesting)

    by Anonymous Coward on Wednesday April 01 2009, @11:50PM (#27427023)

    Large vendors are behind this. With all the extra security certifications and processes that small businesses (or independent/open source developers) will be required to apply because of "security" open source would be closed out of the market by this.

    Please watch this very carefully. Red Hat and free software companies actually large enough to have lawyers, please, please, please sniff out the rats.

  • The April Fools crap is over now? It's a silly day anyway.

  • ...trying to get under the wire, then please just fucking shoot me.

  • Enforcing compliance... (Score:5, Interesting)

    by gillbates (106458) on Thursday April 02 2009, @12:15AM (#27427143) Homepage Journal

    If passed, this could have the effect of a de-facto outlawing of Linux. For example, consider the typical business small business owner's plight: he uses Windows mostly on the desktop, but has a few Linux servers handling things like mail and print services.

    1. Government inspector pays a visit.
    2. Government inspector verifies the desktops have the latest Microsoft patches and antivirus installed.
    3. Inspector then moves on to the server room, where Linux is installed. Inspector can't determine that "latest Microsoft patches are installed", so machines are marked as non-compliant.
    4. The business owner has 15 days to rectify the "non-compliant" situation. His IT guy tries to explain to the government inspector that Linux is its own operating system; that it doesn't need patches from Microsoft, indeed, that it can't even run said patches...
    5. Goverment inspector's response: "You have to install the latest patches from Microsoft. If your software doesn't support the latest patches, you have to upgrade."
    6. Small business has no choice but to move their servers to Windows so that Government inspector will sign off on compliance certificate. Score one for Microsoft, scratch one Linux installation.

    I understand the government wants to ensure "cyber security" - whatever that means - but they, of all organizations, are the least qualified to implement it. The conflict of interest between big business and government interests is just too great for this to be anything but a tremendous waste of time and money.

    And this without even considering the larger question of why the government should have any control over the software private users run on their own computers.

    • In the name of cyber-security, you will be required to run government-approved software. Which, if it isn't outright insecure in the first place (I'm looking at you Microsoft!) will provide a convenient avenue for the government to insert its own backdoors for spying on the public at large.
    • While were at it, why not use OS hooks to cap the user's bandwidth so they *cannot* download more than the large telecomms think they should.
    • Oh, and what a convenient way to stop piracy. Look! this government required security software reports back to the studios when a filesharing client is installed.
    • Why bother knocking down the door, when the Virtual Search Warrant (TM - Microsoft) will allow the police to keep us all "safer" by allowing law enforcement to check our computers for illegal content...

    • The only possible path from:

      1 Government forces all businesses to use standarized crap software.

      is:

      2 Standarized crap software is thoroughly raped and even infants can enter any complying business.
      3 Businesses remove crap software.

    • Re:Enforcing compliance... (Score:4, Informative)

      by rennerik (1256370) on Thursday April 02 2009, @01:55AM (#27427445)

      I'm pretty sure the government and military also runs Linux/BSD/Unix in certain applications, so it would be silly to assume that they wouldn't write legislation in such a way that such OSes would be included.

      I imagine something of a "security certification requirements" that the ruling body of each OS would put forth (i.e., each Linux distro would put forward a list, as well as Microsoft for Windows, Apple for OS X, etc). This list would be submitted to the government/whatever authority, and they would use this list in testing whether or not individual IT installations are complicit. The list, if implemented, would also have to assure that the OS's operation would meet the government's "cyber-security requirements".

      In other words, I don't imagine the government would completely ignore Linux to give a leg-up on Microsoft. Not only would that fall in the face of the whole anti-trust suit with MS, but also the government would have to shut down its own systems running non-MS operating systems. That approach doesn't appear to make any sense.

  • Haven't we already been under attack for a while? Granted, I'm no expert in this field but haven't foreign nations been attacking the US for a while? Wasn't there a story a couple of days ago about GhostNet?

    I heard a lot of tin foil hat people talking about an "i-Patriot Act" but I thought it was a lot of nonsense. When the government tries things like this and says they will work in a way as to try and not infringe on privacy, how many actually believe them.

    The biggest concern I have would be the power

  • Capability based security (Score:3, Interesting)

    by ka9dgx (72702) * on Thursday April 02 2009, @12:30AM (#27427199) Homepage Journal

    Until we get operating systems that can run code without having to trust it, we're going to keep getting the same crap, over and over.

    Linux isn't the answer. Hell, even SElinux isn't the answer.

    Start reading up on Eros, Keykos and Capros to see about systems that might actually solve the security issues once and for all.

    • Re: (Score:3, Insightful)

      by jhantin (252660)

      +1. Problem is, current CPUs themselves are buggy and exploitable, so you still need a verifier, and if you need that you may as well have a VM and a JIT. Unfortunately the major VMs that have the building blocks to be capability-secure -- such as CLR and JVM -- threw it all away with their standard library designs.

      There's also a hidden side of capability security: preventing data, or more generally causality, from leaking in or out of a given piece of code. If there's an API exposed to untrusted code th

  • I sure hope there is some mention of a court order before shutting down anything, whether public or private. Even if it is in such a way where they do it first, then get the court order within like 72 hours.

  • Because the one thing we've learned from having software mono-culture is that its a Good Thing(tm).

    Now we're attempting to fix the problem by having federally mandated mono-culture? Please!

    And as someone who has worked for companies that have developed government specs, I can assure you that the process will be corrupted as to bias towards certain vendors. Any required feature that can be patented will be, and any open-source implementation will be sued out of existence.

  • I think lobbying is afoot! (Score:4, Insightful)

    by TheLeopardsAreComing (1206632) on Thursday April 02 2009, @12:47AM (#27427265)
    1.) Instead of a Czar, I like "Commissioner Of The Internets" 2.)Issues like this make me question where these senators get their information. They obviously do not know the current technology well enough to create laws involving it... maybe we should focus more on the lobbyist groups that funded their campaigns and figure out who benefits the most from this!

  • It creates a czar, so I'm against it (Score:3, Insightful)

    by carlzum (832868) on Thursday April 02 2009, @12:55AM (#27427291)
    Anything involving a new "czar" invariably fails to achieve its objectives and shows disregard for our rights. Joe Biden is credited with coining the term "Drug Czar" and was a vocal proponent of making it a cabinet level appointment. Ironically, the current administration has downgraded the post to a non-cabinet level position. I hate the term and wish it would go away, it sounds anti-democratic and seems to act accordingly.

    • Re: (Score:2, Insightful)

      by TrueRecord (1101681)

      it sounds anti-democratic

      What if it sounded pro-democratic? Would be better?
      Imo, It does not matter how it sounds. It IS anti-democratic.
      I mean that's against people.

  • And then (Score:3, Funny)

    by Amazing Quantum Man (458715) on Thursday April 02 2009, @01:21AM (#27427357) Homepage

    the terrorists build a CIP device, and then storm the White House, and then they get bioweapons in DC.

  • as in, the legislators, not the day

          • I think it's "+1 Underrated"

            To smite the mod, be a metamod.

            • Underrated? A whole five words, that nonetheless manages to be inane and pointless? I disagree vehemently.

              Your comment about smiting mods is rather non sequitur; as of now there has not been any moderation on that comment. Also, there's nothing 'meta' about the moderation these days: a lamentable change in policy.

    • Re: (Score:3, Insightful)

      by DigiShaman (671371)

      Misery loves company. That's why many Statists will drag the rest of society down to their level. We must all suffer together so we may be bonded together with a closer kinship they say. Ya, right. Uh huh. Sure....

      And people wonder how the horrors of Communism rears its ugly head throughout the world.

    • Re:Last one out.... (Score:5, Interesting)

      by Z00L00K (682162) on Thursday April 02 2009, @01:07AM (#27427323) Homepage

      This may be a late April fools joke by government standard, but it sure contains plausible concerns.

      Concerning the document, I would say that it isn't a joke, but you may have to express some concerns about if the proposed methods are causing more problems than they are solving.

      If you shut down a whole network, then you also cut off the owners of possible infected computers from the services that may help them to clean them up. This has been tried before within larger companies which just ended in a deadlock, nothing was done at all until the network was up again. In effect - you got an ultimate D.o.S attack!

      If anything - put more effort into hunting down and apprehending the perpetrators. This will give a much better result in the long term. In effect - follow the money.

      Another approach would be to put more effort into hardening of operating systems and tools for operating system management. SELinux is one good example, but unfortunately this only works to some extent and it only covers one area of security measures.

      One detail that also is cause for concern is ISP:s that migrates from several routed segments to a large segment where switches are used instead. It makes sense from an economic perspective, but it's not making sense from a security perspective. This means that more computers can be joined into dark nets using private IP addresses for internal communication, which in turn can make attacks even better coordinated.

      Large switched segments where private IP addresses propagates can also result in new intriguing ways of obscuring file sharing traffic and other traffic that is to be masked. This can result in the funny effect of making a whole town suspected of possession of child pornography.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.