New Legislation Would Federalize Cybersecurity
Hugh Pickens writes "Senators Jay Rockefeller and Olympia J. Snowe are pushing to dramatically escalate US defenses against cyberattacks, crafting proposals in Senate legislation that could be introduced as early as today, that would empower the government to set and enforce security standards for private industry for the first time. The legislation would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. 'People say this is a military or intelligence concern, but it's a lot more than that,' says Rockefeller, a former intelligence committee chairman. 'It suddenly gets into the realm of traffic lights and rail networks and water and electricity.' The bill, containing many of the recommendations of the landmark study 'Securing Cyberspace for the 44th Presidency' (PDF) by the Center for Strategic and International Studies, would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. The legislation calls for the appointment of a White House cybersecurity 'czar' with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway. It would require the National Institute of Standards and Technology to establish 'measurable and auditable cybersecurity standards' that would apply to private companies as well as the government. The legislation also would require licensing and certification of cybersecurity professionals."
Not such a good idea (Score:5, Interesting)
I side with Vinge in believing that segmentation of the network is a sure indicator of a government going feral.
Bruce
Rockefeller and Snowe? (Score:4, Interesting)
Never was the "It's a Trap" Tag More Appropriate (Score:5, Interesting)
Large vendors are behind this. With all the extra security certifications and processes that small businesses (or independent/open source developers) will be required to apply because of "security", open source would be closed out of the market by this.
Please watch this very carefully. Red Hat and free software companies actually large enough to have lawyers, please, please, please sniff out the rats.
I don't need no education (Score:3, Interesting)
Enforcing compliance... (Score:5, Interesting)
If passed, this could have the effect of a de-facto outlawing of Linux. For example, consider the typical small business owner's plight: he uses Windows mostly on the desktop, but has a few Linux servers handling things like mail and print services.
I understand the government wants to ensure "cyber security" - whatever that means - but they, of all organizations, are the least qualified to implement it. The conflict of interest between big business and government interests is just too great for this to be anything but a tremendous waste of time and money.
And this without even considering the larger question of why the government should have any control over the software private users run on their own computers.
Capability based security (Score:3, Interesting)
Until we get operating systems that can run code without having to trust it, we're going to keep getting the same crap, over and over.
Linux isn't the answer. Hell, even SELinux isn't the answer.
Start reading up on EROS, KeyKOS and CapROS to see about systems that might actually solve the security issues once and for all.
Re:Last one out.... (Score:5, Interesting)
This may be a late April Fools' joke by government standards, but it sure contains plausible concerns.
Concerning the document, I would say that it isn't a joke, but you may have to express some concerns about whether the proposed methods are causing more problems than they are solving.
If you shut down a whole network, then you also cut off the owners of possibly infected computers from the services that may help them to clean them up. This has been tried before within larger companies, which just ended in a deadlock: nothing was done at all until the network was up again. In effect - you got an ultimate DoS attack!
If anything - put more effort into hunting down and apprehending the perpetrators. This will give a much better result in the long term. In effect - follow the money.
Another approach would be to put more effort into hardening of operating systems and tools for operating system management. SELinux is one good example, but unfortunately this only works to some extent and it only covers one area of security measures.
One detail that also is cause for concern is ISPs that migrate from several routed segments to a large segment where switches are used instead. It makes sense from an economic perspective, but it's not making sense from a security perspective. This means that more computers can be joined into dark nets using private IP addresses for internal communication, which in turn can make attacks even better coordinated.
Large switched segments where private IP addresses propagate can also result in new intriguing ways of obscuring file sharing traffic and other traffic that is to be masked. This can result in the funny effect of making a whole town suspected of possession of child pornography.
Re:Not such a good idea (Score:2, Interesting)
I think that this is a great idea.
I think that the government needs to have a hand in every industry that profits off of people's misfortunes.
Medical companies have no financial incentive to keep people healthy the same way that infosec companies have no financial incentive to secure the nation's infrastructure. Instead of research scientists working for cures we have greedy corporations that have risen up, trying to sell the antidote of the day.
What if, instead of hoarding 0day and designing proprietary crypto, the National Security Agency actually published their research publicly? What if their research allowed Americans to make secure phone calls with each other, instead of finding new ways to wiretap us? What if, with all their unlimited funding, they released their static analysis methods to the public and actually made America a more secure place?
Effective laws? (Score:2, Interesting)
While I applaud the Senators' efforts to assist in securing cyberspace, historical efforts to legislate cyber-security have not proven effective. (that was tough to say with a straight face) To wit, examine the Government's own record: Currently all federal agencies are required to follow strict guidelines/policy, yet the average info-security grade given by OMB, for FY2007 was a C-. How far would you get in life if your average grade was a C-? I'd guess the average Slashdotter had better than a 1.7 average.
Further, they seem to think that if NIST establishes "measurable and auditable cybersecurity standards", then all will be right with the world. NEWSFLASH - The Fed already has that for the entire GOV, and while many agencies have improved, it has not been shown to be the panacea they intended. According to OMB's report out 3 weeks ago [whitehouse.gov] (go to page 9), the DOD, the agency with the most important security concerns and highest risk (and consequently the most stringent InfoSecurity program), is failing miserably.
Funny, if you read the FISMA top page [nist.gov], it refers to 'cost-effective' security programs, but nowhere does it mention effective programs...
New legislation is not the answer - holding people accountable is. [to keep this relatively short I'm not going to expand on this - you know how to find the laws]
As one previous poster noted, a bunch of us posting here is not going to change anything. So, I will end this with a call to action for all Slashdotters - write a letter to your Senator and Congressman and let them know (using clear, thoughtful words) that this is an f'ing stupid idea and that they should not support it.
Find your congressman [house.gov]
Find your senator [senate.gov]
Re:Enforcing compliance... (Score:1, Interesting)
I don't think the poster is nuts. I've seen them do it.
They come in, scan the network, any given machine is labeled "blessed" or "other". "Blessed" means "Windows at a certain patch level".
They also scan the computers physically (HD scan) and use similar criteria for continued operation.
I've literally seen government security scanning teams go through a shop with sheets of red and blue stars, sticking them on the front of computers. Red means you can't power it on.
All of the computers may have proper accreditation and approval, with a paper trail, including Linux systems, but they still grade the shop using their own PASS/FAIL report. Meaning the shop looks better in the overall report if it's all patched Windows ("100% PASS") with no odd paperwork or allowances.
It's worth remembering how bills are written in the USA. It's not based on any particular rationale; it's based on lobbyist requests.
All the lobbyists W/R/T compute infrastructure basically work for Microsoft or some network scanning company. They are looking to make a lot of money if their proprietary toolkit becomes mandatory at all government or infrastructure sites.
And it's not "Democrat" or "Republican". When it comes to pork or political favors for some powerful or wealthy constituency, the party affiliation of any given politician is about as meaningful as the color of a whore's shoes.
China also has the max of the death penalty for ha (Score:3, Interesting)
China also has the max of the death penalty for hacking. Russia does not care about hackers going after the US and taking our money. Likely a kickback kind of thing in Russia.
Re:Not such a good idea (Score:3, Interesting)
Bruce