Obama Talks Toxic Clouds And Runaway Trains, But The Real Cybersecurity Solution Is Still Simple And Obvious

from the and-what's-blocking-that-now? dept

Even as we're encouraged by the direction of the latest cybersecurity bill (with significant caveats), lots of folks have been asking from the beginning for two things: an end to "Hollywood-style" FUD claims of planes falling from the skies, and a clear statement on what existing laws make the kind of information sharing the government desires impossible today. President Barack Obama took to the Wall Street Journal Op-Ed pages today to explain why we need cybersecurity legislation... and unfortunately he failed on both accounts. The opening part is positively cinematic:
Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.

Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.
He goes on to point out that some of the things mentioned have "already happened," except that's not quite true. It is true that some hackers accessed systems they shouldn't have had access to, but it's not clear if they were ever able to actually do any damage. Here's Obama's summary of the details:
Last year, a water plant in Texas disconnected its control system from the Internet after a hacker posted pictures of the facility's internal controls. More recently, hackers penetrated the networks of companies that operate our natural-gas pipelines
What's amusing is that the story in Texas came about because a hacker was trying to show that the feds were ignoring and downplaying threats to critical infrastructure. From the details, it looks like the system was vulnerable because of poor password choices, and the stupid decision to connect the system to the internet. So the fact is that "disconnect its control system from the Internet" is the solution. Not more laws. Meanwhile, the story about targeting natural-gas pipelines involved some basic social engineering (spear phishing) rather than any technical hackery. In both cases, the issue appears to be the same: critical infrastructure like that which controls the functioning of water treatment plants and gas pipelines shouldn't be connected to the internet.

But do we need a 211-page law to share information just to recognize that?

The bigger problem is that while the President's Op-Ed highlights how we want to avoid the cinematic story he tells at the beginning, where it fails is that it never explains why the kind of information sharing he's talking about is blocked today. Which rules and regulations are blocking that from happening? No one seems to want to say. Instead, we get legislation that just assumes there must be regulations blocking information sharing and wipes them all away.

We appreciate that Obama says that he'll veto any bill that doesn't include strong privacy and civil liberties protections, but we should never be passing legislation based on made up scary stories.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    Ninja (profile), Jul 20th, 2012 @ 12:39pm

    That introductory scenario Obama described was me trying to teach my mom to use her notebook. Sorry guys.

    Ahem.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Ninja (profile), Jul 20th, 2012 @ 12:44pm

      Re:

      Dang, hit submit by mistake.

      So back on topic, the US is a pretty fcked up country if their companies security is so lax that a script kiddie can derail trains nation wide.

      I'm not sure if the Govt realizes it but they are attesting their infra-structure setup incompetence if this scenario is likely to happen.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    ComputerAddict (profile), Jul 20th, 2012 @ 12:40pm

    I can write that law in once sentence

    Law to prevent this scenario from happening.

    "All critical systems related to the power grid, distribution of energy, or pertains to life safety shall not be allowed to connect their respective control systems to the internet, or share hardware that is connected to the internet."

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Eric Jaffa (profile), Jul 20th, 2012 @ 1:00pm

    The bill will be used against whistleblowers.

    ==============
    The Cybersecurity Act of 2012

    SEC. 702. VOLUNTARY DISCLOSURE OF CYBERSECURITY
    THREAT INDICATORS AMONG PRIVATE ENTI3
    TIES.
    (a) AUTHORITY TO DISCLOSE. Notwithstanding any
    other provision of law, any private entity may disclose law
    fully obtained cybersecurity threat indicators to any other
    private entity in accordance with this section.
    ==============

    A newspaper publishes a story about illegal activity by a corporation. Then the corporation can contact the email-provider of the journalist who wrote the story, and say the information in the article was based on unauthorized computer access, and therefore they need to read the journalist's emails to find out who contacted him. Then the corporation can fire the whistleblower and may even press charges against the whistleblower.

    The law removes all privacy protection with the phrase "Notwithstanding any
    other provision of law." Emails, passwords, and medical records can all be distributed under it without the users permission, and without the user ever being told.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 20th, 2012 @ 1:01pm

    And yet, the legislation Obama endorses STILL does not require businesses of any kind to do anything to improve their cyber security to protect themselves from cyber attacks. All it does is lay out some voluntary guide lines.

    Can anyone who thinks we NEED CISPA or something like it explain how CISPA can protect our electric companies and other critical infrastructure from cyber attacks if private businesses running said critical infrastructure are allowed to continue to leave access to the nations power grid and other stuff accessible on the Internet with zero password protection or other basic security measures?

    Without requirements that businesses must follow to protect themselves from cyber attacks the whole thing is just for show to make politicians look like they're doing SOMETHING and taking a security issue seriously.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Casey, Jul 20th, 2012 @ 1:17pm

    Short and Sweet

    There are so many good editors at this site and yet your words mean nothing.

    Where can we read, edit and comment on the 211-pages?

    Our government is obviously broken and needs help from the people.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Jul 20th, 2012 @ 5:31pm

      Re: Short and Sweet

      Your government is broken because it wants nothing to do with the people that does not involve spying on and policing them. Corporations often not being people in this respect.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 20th, 2012 @ 1:26pm

    From what I hear current cybersecurity bills are dead in the water. Still it's obvious that Obama isn't being paid off, rather he just doesn't understand the internet, and copyright law. He understands everything else just fine.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 20th, 2012 @ 1:28pm

    I read all of the comments for the presidents OpEd piece.
    Nearly all were condemnation of Obama's hidden agenda, critical thinking ability and past record.

    And then I realized, the target audience is typically (Not always, I know.) well read, educated and better than average awareness of national issues. These were the majority of those lambasting him for a shallow diatribe on how the US needs to enforce cyber security.

    I am not really clear on what the president is trying to accomplish. To be honest, I do not trust him and that affects my view of him and his motives.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Atkray (profile), Jul 20th, 2012 @ 7:55pm

      Re:

      He posts an op-ed in the WSJ knowing the unwashed masses will not read it, or the comments. What he counts on is the lazy reporters around the country who need a few more lines of text to publish or a few more seconds of dribble to broadcast seizing the first bit and running with it.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 20th, 2012 @ 2:22pm

    Unknown hackers, perhaps a world away

    Mars, perhaps?

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    gorehound (profile), Jul 20th, 2012 @ 3:10pm

    I do not trust Obama nor do I trust the majority of Politicians in either of the two parties.They will continue to assault our Freedom one way or the other.We have been watching this happen and it is not going to stop.
    Fear Mongering will sell their BS to the uninformed masses.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Kyle Reynolds Conway (profile), Jul 20th, 2012 @ 3:33pm

    Perhaps he should, once again, focus on "hope," rather than "fear."

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 20th, 2012 @ 4:17pm

    "Last month I convened an emergency meeting of myLast month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill. . Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill."

    Should have been followed by:

    "I then fired my cabinet and top homeland security, intelligence and defense officials for being stupid enough to allow anyone to connect this shit to the fucking Internet."

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Jul 20th, 2012 @ 5:36pm

      Re:

      This should not have surprised anyone after I fired my fast and scurious AG, told the DoJ/ICE to stop whoring themselves for their music and movie pals, that civil liability is not criminal, but that laundering money for terrorists is, and sent them all to go put cuffs on some banksters.

      Great things Obama will never say #2

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 20th, 2012 @ 6:23pm

    Well he certainly has a flare for the melodramatic.

    Hey Prez Obama, why such a drama llama?

    Hope you feel less hysterical tomorrow.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    alternatives(), Jul 20th, 2012 @ 6:43pm

    3 big cyberattacks

    the story about targeting natural-gas pipelines involved some basic social engineering (spear phishing) rather than any technical hackery.

    Perhaps the US Government understands what is possible because it is alleged to be behind 3 of the biggest attacks?

    Gas Pipeline - http://www.zdnet.com/us-software-blew-up-russian-gas-pipeline-3039147917/
    Software supplied to run a Russian pipeline was deliberately planned to go haywire, causing the biggest non-nuclear explosion the world had ever seen, says a book published today

    Then you have Stuxnet and Flame - both have had parties claim the US has had a hand in them.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jul 20th, 2012 @ 8:30pm

    The only thing that scares me, Is the fact they told everyone after it happened not during.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    FatBigot, Jul 23rd, 2012 @ 5:52am

    To all the armchair industrial control experts out there

    To all the armchair industrial control experts out there
    Given the two options:

    1. Connect your instrumentation to the corporate network & internet. Be able to check status and diagnose from your office desktop. Find it trivially easy to fix issues before they lead to production stops.

    Or

    2. Make a 400 mile round trip everytime you or a production manager suspects that there is an issue with your kit. Face hostile questions about your expenses and the need to travel at all.

    What would you rather do ? Note that in all cases management are far more concerned with immediate costs than future risks.

    It is very easy to say "keep your industrial control gear off the internet", rather harder in practice.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Yesing (profile), Sep 1st, 2012 @ 12:00pm

    But do we need a 211-page law? of course not, but some people believe it

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This