"A bunch of American politicians have worked themselves into a right tizzy over something they don't even come close to understanding. In response, they are trying to pass a law saying that they run the Internet. When asked his position on the bill, a senior Senator emitted a series of 1990s-era buzzwords."
Politicians don't write bills. The law doesn't say they run the Internet. But you're right, when asked, 72-year-old sponsoring Senator John Rockefeller was unable to give a coherent summary of how information security works.
So, when you look at something like this, I think you have a choice to make: you can put on the tinfoil hat and concede any relevance you might have to the discussion, or you can recognize the real weaknesses of this bill and the process that is producing it and comment rationally on whether the government is capable of legislating improved security for its own systems when those systems are by necessity constructed from COTS pieces created by unregulated technology companies.
1.
The thing that everyone is going to talk about here is the definition of a "nongovernmental critical information system". The term is defined broadly in this bill: the President designates them. But I think the intent here is pretty clear: private industry operates the E911 system, the cellular phone network, all our financial exchanges, and a good chunk of the power grid.
Most of these systems are in some way connected to public networks: for instance, a generic Cisco VPN vulnerability could get you a telco, which would get you to private leased lines. Before you shrug that off, read up on "Operation Sun Devil", and the state of the art of teenage hacking in 1991.
I think it's hard to say that the NSC, given a secret update that, say, all Cisco IOS versions were vulnerable to a pre-auth generic TCP remote code execution vulnerability, should NOT have the capability to ensure that exposed power grid systems were locked down.
On the other hand, I agree that the wording is overbroad. I'm interested in what HN people think good wording would be for what would qualify as a nongovernmental critical information system.
2.
What sucks about this situation is this:
The broad intention of this bill, to improve "cybersecurity" across all of US industry and government systems, is going to fail. You can't legislate it.
But narrowly, this bill is going to define what it means to work with systems at DOD, law enforcement, and energy. And I don't care that much, except that the existing processes in these areas are arcane, arbitrary, and exclude a lot of talent and ideas. Relative to financial services, DOD does not have excellent security.
But since everyone is going to get ratholed in the meaningless broad intention of the bill, nobody's going to get into the nitty-gritty of secure software accreditation, procurements, certification of personnel, funding for technology and technology grants, and so on. Those topics are boring, but they're more important than whether you can outlaw insecurity.
The reason that broad discretionary powers over many should not be granted to a few has little to do with the intentions of those pushing for the law to be passed (which are presumably honest, if misguided).
Once the law is on the books, the intention of its authors will be forgotten, and the powers the law grants will be used broadly simply because it will be more convenient for an administration to use those powers than to achieve its ends in some other way.
I agree. The language is overbroad. But some kind of legislation is inevitable. What's the narrow capability you think the government should have? Because just repeatedly pointing out that the government sucks at technical legislation is boring. We all know that.
Networks are housed in buildings. There are likely existing laws allowing the state to take over private-sector buildings that are being used criminally. Why not utilize these laws instead of creating buggy new laws that, in their vagueness, invite future abuse?
Dunno. That might be a good point. Or perhaps they're envisioning cases where a cooperating telco could instantly eliminate a threat that could take hours to eliminate physically, or a threat in which taking over a building would disclose something that would damage operational security. We have a lot of secrets in our corner of this industry, most of them boring, almost all of them necessary.
I wouldn't want to give the impression that I'm simply sticking up for the bill. Especially not in its entirety. I agree, I don't see the compelling reason to have a new law allowing the government to disconnect critical infrastructure.
But that's just a tiny portion of what the bill does. Among other things, tt also tries to harmonize the hodgepodge of security measures we already have, revamp procurement standards (a sucking chest wound in current security practice), and it funds academic research into secure programming.
" ... created by unregulated technology companies."
As best I can tell there is not a single company in the US that is not regulated in some way. Whether the regulations are good, bad, sensible, inane, is a different matter, but regulation is as American as apple pie.
I think the meaning of unregulated here is related to the context. The vendors of the off-the-shelf hardware are not regulated with regard to the security of certain critical systems which rely on them.
They may be under numerous safety, employment and financial regulations that apply to the company.
What's dangerous is that people are letting the military, politicians and the cybersecurity industry raise the hype and fear about the online world. That will only feed their budgets and militarize the internet. Remember the hype around Conficker and "cyberwar" in Estonia. Neither, in hindsight, meant anything. Good network security practices for the government? Sure! A secretive government internet security program run by the NSA and DHS and a Pentagon botnet? No, no, no.
Which is why it's disappointing that even the people on these comment threads haven't managed to be more cynical about all the Conficker stories that have been posted over the past several months.
"Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)"
"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
(5) shall direct the periodic mapping of Federal Government and United States critical infrastructure information systems or networks, and shall develop metrics to measure the effectiveness of the mapping process;
Which is to say, the government will have an inventory of its networked assets. Which, if the WaPo ran an expose about how the government didn't have an inventory of their assets (they don't), we'd be writing comments making fun of them about.
The thing that's freaking people out is Sec 23 (3), which says:
(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS- The term ‘Federal Government and United States critical infrastructure information systems and networks’ includes--
(A) Federal Government information systems and networks; and
3
(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.
23 (3) (B) allows the president to designate a "nongovernmental information system" as critical. That's scary until you realize that:
* There clearly are nongovernmental information systems, such as SCADA and nuclear controls facilities, or E911, or GSM towers.
* Those nongovernmental systems are often scarier than the systems this bill is really going to impact, viz. secretary desktops at Interior.
* The other requirements of this bill w/r/t those designated critical systems are so onerous that it's unlikely too many systems will be so designated.
* Those nongovernmental systems are often already under intrusive regulation, for instance NERC/FERC, and this bill is just aiming to harmonize that.
I'm not saying I like the language here. I don't. But it's just a badly written bill. It's not a conspiracy.
I'm no expert. Can anyone think of a set of circumstances under which this power could be reasonably used?
Alternatively, can anyone think of a likely misuse of this power? (I'm not talking black-helicopter stuff here, just standard-issue governmental overreaching).
And CALEA narrowly impacted on the tiny minority of systems that directly worked with voice communications. The tinfoil hat interpretation of this capability would cost hundreds of billions of dollars.
AFIK the President has always had these powers in wartime. The War Powers act allows the gov't to mandate complete control over any of the countries resources, oil, trains, airwaves, etc...
I'd say, look for alternative physical transport layers. I don't know the timeframe until practical deployment on a significant scale, but I fully expect this.
Agree. Ultra-wide-band mesh wireless networking perhaps? I've heard UWB can exist over licensed spectrum without even affecting existing narrow-band reception.
This is part of a pattern. The US state has been making a concentrated effort over the last decade to establish an infrastructure that will protect them from their own citizens (the establishment of Northcom being the foremost example). Why the sudden fear, unless they plan on imposing something they anticipate will be met with widespread resistance?
The government always tries to extend its power. That does not mean that it is engaging in some grand conspiracy, it's just the natural tendency of government to grow.
The natural tendency of government is to extend power and when the power extension efforts suddenly narrow their focus to a certain realm it indicates a trend. Given the resources and coordination needed to fuel a trend in development of a state's security apparatus there is likely a perceived threat behind it.
Cold War efforts, for example, were in anticipation of possible conflict with an external enemy. In this case, as the Pentagon's recent request for authorization to deploy 400,000 troops within the US indicates (http://tr.im/xn5T), the perceived threat is domestic. This begs the question why they are anticipating a domestic threat.
It's true, and the APCs stationed on every block of my neighborhood are damned annoying, as at the Lt. Col's constant requests to quarter soldiers in my house. I'd be fine with it, except they want they beds, and not just the couch. SIC SEMPER TYRANNUS!
Predictable ad-hominem is predictable... I'm still waiting for a reasonable justification for the US military deploying twice the force currently in Iraq domestically.
What I realize about this is that, in the day and age of a global Internet, localized government is becoming rather irrelevant. Laws like this aim to keep the people under control and the government in power.
Has the whole piracy episode taught us nothing? You cannot control the internet. The internet is about the efficient conveyance of information: it's basically a law of physics that nothing can stop information from spreading.
"A bunch of American politicians have worked themselves into a right tizzy over something they don't even come close to understanding. In response, they are trying to pass a law saying that they run the Internet. When asked his position on the bill, a senior Senator emitted a series of 1990s-era buzzwords."