Obama Talks Toxic Clouds And Runaway Trains, But The Real Cybersecurity Solution Is Still Simple And Obvious
from the and-what's-blocking-that-now? dept
Even as we’re encouraged by the direction of the latest cybersecurity bill (with significant caveats), lots of folks have been asking from the beginning for two things: an end to “Hollywood-style” FUD claims of planes falling from the skies, and a clear statement on what existing laws make the kind of information sharing the government desires impossible today. President Barack Obama took to the Wall Street Journal Op-Ed pages today to explain why we need cybersecurity legislation… and unfortunately he failed on both accounts. The opening part is positively cinematic:
Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.
Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.
He goes on to point out that some of the things mentioned have “already happened,” except that’s not quite true. It is true that some hackers accessed systems they shouldn’t have had access to, but it’s not clear if they were ever able to actually do any damage. Here’s Obama’s summary of the details:
Last year, a water plant in Texas disconnected its control system from the Internet after a hacker posted pictures of the facility’s internal controls. More recently, hackers penetrated the networks of companies that operate our natural-gas pipelines
What’s amusing is that the story in Texas came about because a hacker was trying to show that the feds were ignoring and downplaying threats to critical infrastructure. From the details, it looks like the system was vulnerable because of poor password choices, and the stupid decision to connect the system to the internet. So the fact is that “disconnect its control system from the Internet” is the solution. Not more laws. Meanwhile, the story about targeting natural-gas pipelines involved some basic social engineering (spear phishing) rather than any technical hackery. In both cases, the issue appears to be the same: critical infrastructure like that which controls the functioning of water treatment plants and gas pipelines shouldn’t be connected to the internet.
But do we need a 211-page law to share information just to recognize that?
The bigger problem is that while the President’s Op-Ed highlights how we want to avoid the cinematic story he tells at the beginning, where it fails is that it never explains why the kind of information sharing he’s talking about is blocked today. Which rules and regulations are blocking that from happening? No one seems to want to say. Instead, we get legislation that just assumes there must be regulations blocking information sharing and wipes them all away.
We appreciate that Obama says that he’ll veto any bill that doesn’t include strong privacy and civil liberties protections, but we should never be passing legislation based on made up scary stories.