Cybersecurity Bill Backers Insist This Isn't SOPA… But Is It Needed?

from the think-they're-scared? dept

Lots of folks have been waiting on the Senate’s version of the cybersecurity bill that’s been talked about for a while, and what’s clear from the details and the press release put out by the Senate Commerce, Science & Transportation Committee is that the folks behind this bill are bending over backwards to point out that this bill is not like SOPA:

The Senators stressed that the Cybersecurity Act of 2012 in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act, which involved the piracy of copyrighted information on the internet. The Cybersecurity Act involves the security of systems that control the essential services that keep our nation running—for instance, power, water, and transportation.

Indeed, the details make it clear that the bill is much more limited than previous versions (or suggestions). For example, it has dropped the idea of a “kill switch” (which was already exaggerated) and made it clear that private companies could appeal any security regulations that they fall under. It certainly appears that the bill is designed to be limited by focusing on core “critical infrastructure” — such that it will only apply to those facilities where a disruption “would cause mass death, evacuation, or major damage to the economy, national security, or daily life.” Of course, that could be interpreted broadly. Hell, the MPAA would argue that file sharing created “major damage to the economy,” even if there’s little to no evidence to support that.

A bigger question, however, should be whether there is any empirical evidence that we need this cybersecurity bill. I’m not saying that it’s absolutely not needed — and I’m glad that it appears the backers of the bill are trying to bend over backwards to hear from all concerned parties (and to avoid a SOPA-like situation). But one of the key things that we learned from SOPA is that Congress needs to stop pushing legislation without real evidence of the nature of the problem, and the evidence here remains lacking. The article linked above, by Jerry Brito and Tate Watkins, highlights all of the hype around cybersecurity and the near total lack of evidence of a problem, other than ominous “trust us, it’s a problem!” scare-mongering. They have three suggestions before moving forward with cybersecurity legislation:

  • Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy discourse may be good for the cybersecurity-industrial complex, but they aren’t doing real security any favors.
  • Declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, and declassification would allow the public to verify the threats rather than blindly trusting self-interested officials.
  • Disentangle the disparate dangers that have been lumped together under the “cybersecurity” label. This must be done to determine who is best suited to address which threats. In cases of cybercrime and cyberespionage, for instance, private network owners may be best suited and have the best incentives to protect their own valuable data, information, and reputations.

Good luck seeing any of that happen, of course. The big companies pushing this bill are profiting heavily off of the fear, as the government spends billions on “cybersecurity.” This bill would ensure the gravy train continues, even as the evidence suggests that the “hacking” threat may be less and less of an issue. Of course, most of the press loves to just lap up claims of threats and damages without digging into the details. Fear about impending cyberdoom attracts attention. Talking about reality doesn’t.

Of course, who knows if this bill will ever actually get anywhere. Already, many in the Senate are pushing back and asking Senator Harry Reid to slow down with the bill.


Comments on “Cybersecurity Bill Backers Insist This Isn't SOPA… But Is It Needed?”

46 Comments
firefly (profile) says:

Packet Sniffing by Cable Companies Allowed?

Does this bill permit packet sniffing by cable companies in the name of detecting cybersecurity threats? If not, what does the following language in the bill mean?

“Title VII Information

Notwithstanding chapter 119, 121, or 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), and the Communications Act of 1934 (47 U.S.C. 151 et seq.), any private entity may

(1) monitor information systems of the entity and information that is stored on, processed by, or transiting the information systems for cybersecurity threats;”

(The referenced Title 18 of the United States Code has to do with pen registers and interception of communications. “Notwithstanding” means in spite of or despite.)

Jay (profile) says:

Trust

I wouldn’t trust the DHS for this…

This is the same group that had Anonymous hack their phone service. The FBI also used a botnet under a court order. Then we have the ICE using the domain seizures. And do I have to mention how the CIA totally screwed up and gave millions to a guy that was scamming them for years? Worse, the CIA promoted the guy who was handling these contracts.

Sorry, the government doesn’t have a leg to stand on here. This isn’t needed and it’s going to make the problem of cybersecurity worse while allowing more backdoors into technology for government abuse.

Anonymous Coward says:

Re classified material, it is a truism that there is a lot of overclassification taking place, though my experience regarding same is that almost always it results from a good faith application of classification guidelines established in accordance with longstanding executive orders.

This notwithstanding, time and time again I have seen extremely sensitive information that by anyone’s definition reveals matters of serious national concern, the very type of information those inclined to act against our national interests would love to have because of the havoc they could wreak.

While perhaps some useful information might be able to be declassified and released, I believe it is clear that the last thing anyone wants to do is expose their vulnerabilities to the other side, and that such information is extensive and detailed.

Moreover, cybersecurity is more than just locking down systems from third party attacks in the conventional sense. It also includes, among many others, what is known as “ruggedizing” to the point that even physical attacks are taken into consideration. This is a quite common term used throughout all aspects of the aerospace industry, both commercial and military.

Is the magnitude of the threat unbelievably large? I honestly do not know. Is it sufficiently real that prudence dictates its being addressed? Almost certainly.

A Guy (profile) says:

I’m still waiting for some common sense legislation that says “you cannot hook a critical water pump/reactor/turbine/server full of secret documents up to the internet. You have to be on site to access and update certain things.”

You can hook sensors up, you can monitor it from the internet, but the control systems cannot be physically connected to networking devices.

I think that would solve many security problems.

Anonymous Coward says:

Pork With Gravy

It is time for the gravy train to get cut up for scrap. Stop funding senator X’s favourite pork projects. One trillion dollars a year in deficit spending cannot go on. The USA is heading for a major reduction in its world economic and political importance. Stop digging the hole deeper, start going in the right direction. The present bunch of Congress critters knows nothing but tax and spend, plus how to get bribes. It is time for a hard reset.

US voters, do your duty.

Pixelation says:

The problem

Here is the problem with our system. We keep creating more and more laws. We create more and more criminals as a result. Perhaps it’s time for a one for one exchange. To enact a new law an old law must be abolished.
Incarceration is becoming big business and as we know from the entertainment industry big business has no interest in human welfare.

That Anonymous Coward (profile) says:

After the SOPA/PIPA cluster, where the Congresscritters reveled in their total ignorance of how the net works, shouldn’t we demand they get a course from an outside group to explain all of these “doomsday scenarios” in real terms?

The media loves to run in circles screaming Anonymous (because only those cyberterrorists could ever do it) took down the CIA web page!!! Intelligent people look at it as, an outward facing website of no great significance or import was knocked offline by some script kiddies. That is the lesson we need to impart to them, that most of these “threats” do not exist and will not be solved by throwing more money at the problem.

One of the most important lessons they should learn is to look at how much money was wasted by DHS/TSA on the tech that was going to answer all of the problems and streamline the process. It is sitting in warehouses, because it does not work and we are still getting the rest of them we paid for. Throwing more money at it will not make them work, the man selling you the magic beans just wants to take your cow… if you can’t figure that one out you should not be making laws.

Obligatory XKCD
http://imgs.xkcd.com/comics/cia.png

Anonymous Coward says:

Why don’t they just create a layer where anybody trying to access that layer is subject to those extreme laws, and leave the rest alone?

It’s not that hard.

I believe the government has the tools to harm infrastructure and is afraid of that, because others can and eventually will figure out how to as well, but the first step in any situation is to isolate the problem and contain it, isn’t it?

Create a secure overlay that can only be accessed by critical infrastructure, separate financial institutions from physically controlling ones, and use those laws only if somebody somewhere tries to access that.

Those layers can have a lot of extra regulation because they sit outside of the larger internet.

alternatives() says:

Simple way for small businesses to be secure

In less than a year you have VERY large firms with large budgets all fail in some way with cybersecurity:

Sony
RSA
Verisign
Steam

In the past the Senate machines were part of an email spam botnet.

How is the “small business” going to be able to protect what they have in an affordable way from cyberattack and the penalties when they fail that a law will bring?

Disconnect from the Internet.

That Anonymous Coward (profile) says:

Simple way for small businesses to be secure

In less than a year you have VERY large firms with large budgets all fail in some way with cybersecurity:

Sony

[citation needed]

Sorry, I can’t help it. You cannot prove they had any security in place the first, second, third, fourth, fifth, sixth, …, twenty-first time they were hit.
http://attrition.org/security/rant/sony_aka_sownage.html

That Anonymous Coward (profile) says:

Re:

StuxNet wouldn’t be stopped by nifty things on the interwebs.
The most likely infection vector was stupid humans, they picked up infected flash drives and stuffed them into the first USB port they found.
These USB ports were attached to machines connected to or cleared to access the isolated system network.
Comedy Ensues.

You can spend millions on making your system hyper secure, but humans are always going to be a failure point.
A “lost” flash drive, the gift of an iThingy to a secretary, email, a polite voice on a phone.
You can write rules, even test them on them… someone will always drop the ball.

And the crazed cybergeddon talk got DHS to claim “hackers” (Russian or Chinese, I forget) had access to a critical valve and could have killed everyone by tampering with a water supply. Made headlines everywhere; less covered was the actual site saying… Wait, wot?! LOL! Never happened.

Step 1 to secure your systems… Snap off the damn usb ports.

Hephaestus (profile) says:

Re:

Social engineering is the weapon of choice, look at the HBGary hack, Google getting hacked by china, “click this link” cross site scripting attacks against several federal agencies, etc. Your cybersecurity is only as good as your dumbest employee, to quote George Carlin “think about how stupid the average person is, and then realize that half of ’em are stupider than that.”

This whole cybersecurity bill will create an agency that will fail. Then it will explain how it was underfunded, and fail again. Leading to another round of the same. In the end it will be a 20 billion dollar a year bureaucracy that is slow to react, ineffective, and will arrest script kiddies for the photo-op, to prove that they are doing something.

Chuck Norris' Enemy (deceased) (profile) says:

They're pushing for more

I have read elsewhere that Reid is looking to push some language into the bill that is indeed SOPA-like.

A recent bill in the House, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 or PrECISE Act, also empowers DHS in the event of a cyberattack, but the bill has been criticized by Reid as not giving the agency enough power. PrECISE focuses on strengthening the information sharing component between private corporations and DHS by allowing a limited amount of information to be shared between the two.

Reid favors an approach that would expand DHS authority beyond currently regulated “critical infrastructure,” such as utilities and financial institutions, to also include Internet service providers and private networks.

Anonymous Coward says:

Re:

Yep, look outside.

Is the sky falling?
No, do nothing then, there is nothing to be done.
There are no attacks that ever happened that caused a major catastrophic event in cyberspace, so why da fuck do you need extreme powers to counter some theoretical one that may never come to pass and is better solved by isolating that system from the internet, instead of spying on everyone as an excuse based on BS claims of terrible things?

Chuck Norris' Enemy (deceased) (profile) says:

Re:

In my understanding, Congress usually enacts laws in response to some perceived problem. In this case, the problem is all theoretical/hypothetical, without any substantial evidence that this is a problem worth handing more control over private companies to the government. Doesn’t the fact that there is no evidence of the need for a new law make the point?

JR (profile) says:

Let's concentrate on the problems

There are two areas which need immediate attention:
First, SCADA systems. They are often connected to the ‘net with little security as a matter of convenience. They should be at least effectively firewalled or, better yet, not connected at all! Also, a lot of the systems have known security vulnerabilities which have not been addressed, let alone patched.
Second is the growing problem with RSA encryption. It must be replaced with a system which is more stable and doesn’t depend on flaky certificate authorities. Unfortunately we will need to go to some other country for the technology due to the anti-crypto provisions of the DMCA.

Anonymous Coward says:

Re:

All of the materials I have read regarding this issue involve private contractors only doing work under USG contracts. The materials also reveal that the companies interested in doing the work are among the most technically advanced… bar none… you will find anywhere.

Would any resulting contract be large in amount? Almost certainly, but then you have to understand that these companies are faced daily with seemingly impossible tasks governed by incredibly complex Statements of Work having technical specifications that push, if not exceed, the current limits of technology. I have no reason to doubt that a contract associated with this issue would make the same demands.

Disclaimer: At one time or another I have served as counsel (in-house and outside) for Martin Marietta, Lockheed Martin, SAIC, and L-3. While this does not lead me to necessarily conclude that the work is a mandatory matter of national security, it does give me insight into the complexity of what they do that gives rise to my comments. For example, it is trivial to develop and manufacture a circuit card suitable for commercial use. How many times, however, has the commercial market ever required such a circuit card to withstand an instantaneous acceleration of over 30 G’s, temperature specs from deep space to extreme heat, data processing speeds that people can only begin to imagine, etc.? The first time I ever read the technical requirements of a government spec my reaction was “You have got to be kidding me!”

TtfnJohn (profile) says:

Re:

I will grant you that there is some sensitive information that ought not be declassified because of security concerns. Though I’d also suggest that the serious baddies, whoever they are, already know about most of it. And are quite capable of wreaking havoc as it is. Mostly what stops them is that the United States is even more able to wreak greater havoc in return.

Including plans and details of ruggedizing and other steps being taken in that area. Probably not most “terrorist” organizations, as none of them are that well organized anymore.

In what passes for the normal world of espionage, yes, there’s a threat. Is it all that big? Who knows. Judging from statements by those in charge of “cyber-defense” it is being overblown by several orders of magnitude which is, sadly, normal in these cases as they’re in there looking for budget space and allocation.

I’d be more concerned with a concentration of contracts between a few large companies bidding on and working on security system-wide. I agree with Mike that the people who are actually running the networks have more at stake than a third party and are far more likely to pick up something unusual on their network than a brilliantly written bit of software acting as a detection thing-a-ma-jig by people who know little or nothing about the network they’re supposedly protecting, which is far more likely to yield false alarms than anything usable.

TtfnJohn (profile) says:

Re:

At some point the layers have to end, or there will be a stack of them higher than Mt. Logan. And no one quite knows what any of them do anymore.

The reality with this sort of thing is the same as with virtually anything else. Simpler is better than complex. Simple may look easier to attack, but because there are only a few things that can go wrong, any attack on one of them is noticed faster and countered. Simple responds faster because there are only so many ways and accesses or ports to break in on that would cause a problem.

Espionage laws are already in place and while there may be a need to slightly modify them there is probably no need to completely rewrite them.

While it may seem confusing to some the reality still is that systems like Linux and the BSDs are more attack resistant than closed source boxes because the security layer or layers, usually no more than two, respond and react quickly to the threats. Even as the attacker knows or can look up every line of code in the operating systems on the server they’re attacking.

All complexity does, and more layers is more complexity, is increase the number of attack vectors and a larger possibility of more weaknesses an attacker can walk through.

TtfnJohn (profile) says:

Re:

And probably end up with such a complex stack of security layers and other “defenses” that some halfway determined cracker will walk right on in, unnoticed, set up shop, collect data for 6 months or so, and suddenly Wikileaks reappears!

Meanwhile the “security experts” won’t be able to get to see what happened.

This doesn’t need an agency, it needs people running the networks that half know what they’re doing.

TtfnJohn (profile) says:

Re:

Then again, as I’ve said before complexity in network defenses leads to vulnerability and simple always works better.

What’s behind the secure barrier can be as complex as it wants to be because it’s not doing the bulk of the security job.

And still, you have employees who will plug in USB keys they got in the bar last night “with the best porn ever” which will turn out to be a rootkit, and the system is broadcasting to the world.

The companies you’ve listed are more than aware of the need for network security and have a good record in it. (No one is perfect, after all.) Even if it’s mostly there to protect them from their competitors rather than cyber-espionage. That and they have well trained and motivated employees who aren’t likely to go about inserting unknown USB keys into a computer, open spam or have weak passwords. It’s hard to convince most people to take that much care or to simply not be stupid.

Oh, and yes, your second figure for G force makes much more sense if it’s ordnance fired from a 155mm field gun. (Says the former artilleryman!)

That Anonymous Coward (profile) says:

Re:

empirical evidence…

Some terrorists did some horrible things with some planes.

The immediate knee jerk response was to stomp on civil rights, in the name of keeping us safe and free.

When shown how ineffective the system they created was, they gave them more powers and more money.

They keep pouring money into removing the last shreds of dignity citizens have, ripping away civil rights, and using the threat of terrorism to make people be docile sheep.

*Movie Announcer Voice*
From the genius minds that gave us DHS and TSA….
CYBERDEFENSE WARRIORS!!!!!

Decisions made in a bubble outside of reality work horribly in reality.
