Cybersecurity Bill Backers Insist This Isn't SOPA... But Is It Needed?
from the think-they're-scared? dept
Lots of folks have been waiting on the Senate's version of the cybersecurity bill that's been talked about for a while, and what's clear from the details and the press release put out by the Senate Commerce, Science & Transportation Committee is that the folks behind this bill are bending over backwards to point out that this bill is not like SOPA:

The Senators stressed that the Cybersecurity Act of 2012 in no way resembles the Stop Online Piracy Act or the Protect Intellectual Property Act, which involved the piracy of copyrighted information on the internet. The Cybersecurity Act involves the security of systems that control the essential services that keep our nation running—for instance, power, water, and transportation.

Indeed, the details make it clear that the bill is much more limited than previous versions (or suggestions). For example, it has dropped the idea of a "kill switch" (which was already exaggerated) and made it clear that private companies could appeal any security regulations that they fall under. It certainly appears that the bill is designed to be limited by focusing on core "critical infrastructure" -- such that it will only apply to those facilities where a disruption "would cause mass death, evacuation, or major damage to the economy, national security, or daily life." Of course, that could be interpreted broadly. Hell, the MPAA would argue that file sharing created "major damage to the economy," even if there's little to no evidence to support that.
A bigger question, however, should be whether there is any empirical evidence that we need this cybersecurity bill. I'm not saying that it's absolutely not needed -- and I'm glad that it appears the backers of the bill are trying to bend over backwards to hear from all concerned parties (and to avoid a SOPA-like situation). But one of the key things that we learned from SOPA is that Congress needs to stop pushing legislation without real evidence of the nature of the problem, and the evidence here remains lacking. The article linked above, by Jerry Brito and Tate Watkins, highlights all of the hype around cybersecurity and the near total lack of evidence of a problem, other than ominous "trust us, it's a problem!" scare-mongering. They have three suggestions before moving forward with cybersecurity legislation:
- Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy discourse may be good for the cybersecurity-industrial complex, but they aren’t doing real security any favors.
- Declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, and declassification would allow the public to verify the threats rather than blindly trusting self-interested officials.
- Disentangle the disparate dangers that have been lumped together under the “cybersecurity” label. This must be done to determine who is best suited to address which threats. In cases of cybercrime and cyberespionage, for instance, private network owners may be best suited and have the best incentives to protect their own valuable data, information, and reputations.
Of course, who knows if this bill will ever actually get anywhere. Already, many in the Senate are pushing back and asking Senator Harry Reid to slow down with the bill.
Filed Under: cybersecurity, fear, hype, laws, online security, regulations, sopa
Reader Comments
Ugh, Lieberman again...
"Quickly, let's get this bill through Congress before anyone notices."
Packet Sniffing by Cable Companies Allowed?
"Title VII Information
Notwithstanding chapter 119, 121, or 206 of title 18, United States Code, the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), and the Communications Act of 1934 (47 U.S.C. 151 et seq.), any private entity may
(1) monitor information systems of the entity and information that is stored on, processed by, or transiting the information systems for cybersecurity threats;"
(The referenced Title 18 of the United States Code has to do with pen registers and interception of communications. "Notwithstanding" means in spite of or despite.)
Trust
This is the same group that had Anonymous hack their phone service. The FBI also used a botnet under a court order. Then we have the ICE using the domain seizures. And do I have to mention how the CIA totally screwed up and gave millions to a guy that was scamming them for years? Worse, the CIA promoted the guy who was handling these contracts.
Sorry, the government doesn't have a leg to stand on here. This isn't needed and it's going to make the problem of cybersecurity worse while allowing more backdoors into technology for government abuse.
This notwithstanding, time and time again I have seen extremely sensitive information that by anyone's definition reveals matters of serious national concern, the very type of information those inclined to act against our national interests would love to have because of the havoc they could wreak.
While perhaps some useful information might be able to be declassified and released, I believe it is clear that the last thing anyone wants to do is expose their vulnerabilities to the other side, and that such information is extensive and detailed.
Moreover, cybersecurity is more than just locking down systems from third party attacks in the conventional sense. It also includes, among many others, what is known as "ruggedizing" to the point that even physical attacks are taken into consideration. This is a quite common term used throughout all aspects of the aerospace industry, both commercial and military.
Is the magnitude of the threat unbelievably large? I honestly do not know. Is it sufficiently real that prudence dictates its being addressed? Almost certainly.
Re:
Including plans and details of ruggedizing and other steps being taken in that area. Probably not most "terrorist" organizations, as none of them are that well organized anymore.
In what passes for the normal world of espionage, yes, there's a threat. Is it all that big? Who knows. Judging from statements by those in charge of "cyber-defense" it is being overblown by several orders of magnitude which is, sadly, normal in these cases as they're in there looking for budget space and allocation.
I'd be more concerned with a concentration of contracts among a few large companies bidding on and working on security system-wide. I agree with Mike that the people who are actually running the networks have more at stake than a third party and are far more likely to pick up something unusual on their network than a brilliantly written bit of software acting as a detection thing-a-ma-jig, built by people who know little or nothing about the network they're supposedly protecting, which is far more likely to yield false alarms than anything usable.
You can hook sensors up, you can monitor it from the internet, but the control systems cannot be physically connected to networking devices.
I think that would solve many security problems.
Pork With Gravy
US voters, do your duty.
We have laws that regulate laws and even those laws are subject to more laws. It's a confusing mess really.
Re:
ever study our language...seems fitting
The problem
Incarceration is becoming big business and as we know from the entertainment industry big business has no interest in human welfare.
Re: The problem
Law is a business, an invention, man-made with f"laws"
The media loves to run in circles screaming Anonymous (because only those cyberterrorists could ever do it) took down the CIA web page!!! Intelligent people look at it as, an outward facing website of no great significance or import was knocked offline by some script kiddies. That is the lesson we need to impart to them, that most of these "threats" do not exist and will not be solved by throwing more money at the problem.
One of the most important lessons they should learn is to look at how much money was wasted by DHS/TSA on the tech that was going to answer all of the problems and streamline the process. It is sitting in warehouses, because it does not work and we are still getting the rest of them we paid for. Throwing more money at it will not make them work, the man selling you the magic beans just wants to take your cow... if you can't figure that one out you should not be making laws.
Obligatory XKCD
http://imgs.xkcd.com/comics/cia.png
Is not that hard.
I believe the government has the tools to harm infrastructure and it is afraid of that, because others can and eventually will figure out how to, but the first step in any situation is to isolate the problem and contain it, isn't it?
Create a secure overlay that can only be accessed by critical infrastructure, separate financial institutions from physical controlling ones, and use those laws only if somebody somewhere tries to access that.
Those layers can have a lot of extra regulation because they sit outside of the larger internet.
Re:
The reality with this sort of thing is the same as with virtually anything else. Simpler is better than complex. Simple may look easier to attack, but because there are only a few things that can go wrong, any attack on one of them is noticed faster and countered. Simple responds faster because there are only so many ways and accesses or ports to break in on that would cause a problem.
Espionage laws are already in place and while there may be a need to slightly modify them there is probably no need to completely rewrite them.
While it may seem confusing to some the reality still is that systems like Linux and the BSDs are more attack resistant than closed source boxes because the security layer or layers, usually no more than two, respond and react quickly to the threats. Even as the attacker knows or can look up every line of code in the operating systems on the server they're attacking.
All complexity does, and more layers is more complexity, is increase the number of attack vectors and a larger possibility of more weaknesses an attacker can walk through.
Re: Re: Re: Re:
are you new?
:D
Simple way for small businesses to be secure
Sony
RSA
Verisign
Steam
In the past the Senate machines were part of an email spam botnet.
How is the "small business" going to be able to protect what they have in an affordable way from cyberattack and the penalties when they fail that a law will bring?
Disconnect from the Internet.
Re: Simple way for small businesses to be secure
Sony
[citation needed]
Sorry I can't help it. You can not prove they had any security in place, the first, second, third, fourth, fifth, sixth,...., twenty first time they were hit.
http://attrition.org/security/rant/sony_aka_sownage.html
Re:
The most likely infection vector was stupid humans, they picked up infected flash drives and stuffed them into the first USB port they found.
These USB ports were attached to machines connected to or cleared to access the isolated system network.
Comedy Ensues.
You can spend millions on making your system hyper secure, but humans are always going to be a failure point.
A "lost" flash drive, the gift of an iThingy to a secretary, email, a polite voice on a phone.
You can write rules, even test them on them... someone will always drop the ball.
And the crazed cybergeddon talk got DHS to claim "hackers" (Russian or Chinese, I forget) had access to a critical valve and could have killed everyone by tampering with a water supply. Made headlines everywhere; less covered was the actual site saying... Wait Wot?! LOL! Never happened.
Step 1 to secure your systems... Snap off the damn usb ports.
Re: Re:
This whole cyber security bill will create an agency that will fail. Then it will explain how it was under funded, and fail again. Leading to another round of the same. In the end it will be a 20 billion dollar a year bureaucracy, that is slow to react, ineffective, will arrest script kiddies for the photo-op, and to prove how they are doing something.
Re: Re: Re:
Meanwhile the "security experts" won't be able to get to see what happened.
This doesn't need an agency, it needs people running the networks that half know what they're doing.
Is there any empirical evidence that says we don't?
Re:
That question, there, is empirical evidence that you don't have a brain.
Re: Re: Re: Re:
Would any resulting contract be large in amount? Almost certainly, but then you have to understand that these companies are faced daily with seemingly impossible tasks governed by incredibly complex Statements of Work having technical specifications that push, if not exceed, the current limits of technology. I have no reason to doubt that a contract associated with this issue would make the same demands.
Disclaimer: At one time or another I have served as counsel (in-house and outside) for Martin Marietta, Lockheed Martin, SAIC, and L-3. While this does not lead me to necessarily conclude that the work is a mandatory matter of national security, it does give me insight into the complexity of what they do that gives rise to my comments. For example, it is trivial to develop and manufacture a circuit card suitable for commercial use. How many times, however, has the commercial market ever required such a circuit card to withstand an instantaneous acceleration of over 30 G's, temperature specs from deep space to extreme heat, data processing speeds that people can only begin to imagine, etc.? The first time I ever read the technical requirements of a government spec my reaction was "You have got to be kidding me!"
Re: Re: Re: Re: Re:
What's behind the secure barrier can be as complex as it wants to be because it's not doing the bulk of the security job.
And still, you have employees who will plug in USB keys they got in the bar last night "with the best porn ever," which will turn out to be a rootkit, and the system is broadcasting to the world.
The companies you've listed are more than aware of the need for network security and have a good record in it. (No one is perfect, after all.) Even if it's mostly there to protect them from their competitors rather than cyber-espionage. That and they have well trained and motivated employees who aren't likely to go about inserting unknown USB keys into a computer, open spam or have weak passwords. It's hard to convince most people to take that much care or to simply not be stupid.
Oh, and yes, your second figure for G force makes much more sense if it's ordnance fired from a 155mm field gun. (Says the former artilleryman!)
Re:
Is the sky falling?
No, do nothing then, there is nothing to be done.
There are no attacks that happened that caused a major catastrophic event ever in cyberspace, so why da fuck do you need extreme powers to counter some theoretical one that may never come to pass and is better solved by isolating that system from the internet, instead of spying on everyone as an excuse for BS claims of terrible things?
Re:
Some terrorists did some horrible things with some planes.
The immediate knee jerk response was to stomp on civil rights, in the name of keeping us safe and free.
When shown how ineffective the system they created was, they gave them more powers and more money.
They keep pouring money into removing the last shreds of dignity citizens have, ripping away civil rights, and using the threat of terrorism to make people be docile sheep.
*Movie Announcer Voice*
From the genius minds that gave us DHS and TSA....
CYBERDEFENSE WARRIORS!!!!!
Decisions made in a bubble outside of reality work horribly in reality.
They're pushing for more
A recent bill in the House – the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 or PrECISE Act — also empowers DHS in the event of a cyberattack, but the bill has been criticized by Reid as not giving the agency enough power. PrECISE focuses on strengthening the information sharing component between private corporations and DHS by allowing a limited amount of information to be shared between the two.
Reid favors an approach that would expand DHS authority beyond currently regulated “critical infrastructure,” such as utilities and financial institutions, to also include Internet service providers and private networks.
Let's concentrate on the problems
First, SCADA systems. They are often connected to the 'net with little security as a matter of convenience. They should be at least effectively firewalled or, better yet, not connected at all! Also, a lot of the systems have known security vulnerabilities which have not been addressed, let alone patched.
Second is the growing problem with RSA encryption. It must be replaced with a system which is more stable and doesn't depend on flaky certificate authorities. Unfortunately we will need to go to some other country for the technology due to the anti-crypto provisions of the DMCA.