
New US cybersecurity bill could threaten free software - tjr
http://www.fsf.org/blogs/community/new-us-cybersecurity-bill-could-threaten-free-software
======
Bud
Ever since W started tacking "Homeland" onto everything he could find, the
presence of that word on ANYTHING has been a guarantee that that thing a)
sucks, b) is unnecessary, and c) is a grave threat to civil liberties.

Thanks for the useful shorthand, W!

~~~
ars
Who or what is W? White house?

~~~
kgermino
George W. Bush. I think people starting using W to differentiate him from his
father George H. W. Bush.

~~~
ars
Am I old fashioned in that I think it's disrespectful to call a president
that?

~~~
hugh3
Of all the ways that George W. Bush has been disrespected, calling him by his
middle initial doesn't really register.

On the broader point, presidents are politicians, not gods. More to the point,
they are our _employees_ , and they should be treated with the dignity and
respect appropriate to that position. You don't bow and scrape to your
employees, but you don't call them rude names and spit at them either, even if
you disagreed with the decision of the hiring committee to hire this
particular candidate for the job.

------
joe_the_user
The bill might have changed since this was written.

Currently I see "(1) IN GENERAL- The owners and operators of covered critical
infrastructure shall have flexibility in their cybersecurity plans to
implement any cybersecurity measure, or combination thereof, to satisfy the
cybersecurity performance requirements described in subsection (c) and the
first-party regulatory agency or sector-specific agency may not disapprove
under this section any proposed cybersecurity measures, or combination
thereof, based on the presence or absence of any particular cybersecurity
measure if the proposed cybersecurity measures, or combination thereof,
satisfy the cybersecurity performance requirements established by the Director
under subsection (c)." ( [http://thomas.loc.gov/cgi-bin/query/F?c111:1:./temp/~c111l3R...](http://thomas.loc.gov/cgi-bin/query/F?c111:1:./temp/~c111l3ROpa:e13057): )

Which seems to specifically state you can choose any approach you want as long
as you secure the site.

Maybe there's something I missed.

~~~
smokeyj
They can simply require a security measure that is protected by existing IP,
thus leaving network security up to the biggest patent-trolls with a lobbying
budget. I would much rather entrust security to market-driven solutions, not
some herp derp government agency.

~~~
tptacek
Market-driven security is failing us. It's luck, not sound engineering, that
is preventing catastrophe. I can respect that regulation would be even worse
than catastrophe, but have a hard time dignifying the argument that there's no
tradeoff.

~~~
joe_the_user
Thom,

I think you're confusing market-driven security _levels_ with market-driven
security _products_.

Big-website-taking-lots-of-citizen-data: I don't need security, the market
hasn't demanded it.

The-State: I'm demanding it. Go buy good security, I don't care how.

Big-website-taking-lots-of-citizen-data: Ah, Ok, I think I've found it.

The-State: good, just give me an outline so I know.

Big-website-taking-lots-of-citizen-data: here you go.

While the anarchist in me might just hate the state and the large
corporations, here no one has yet shown how any of these are doing dastardly
deeds. And that's a fine exception to the rule, really.

~~~
tptacek
This bill isn't about "big-website-taking-lots-of-citizen-data". To save us a
really pointless and boring argument, let's stipulate that it's about Exelon
and not about eBay, and to the extent it isn't, that's a flaw that needs to be
corrected.

~~~
joe_the_user
... orthogonal to my earlier argument...

------
mikecane
Just remember this, kids: Did any of you imagine TSA would lead to crotches
being grabbed in the name of "national security"? There will come a day when
all computing purchases will be "routinely" reported to DHS. And every member
of IT staff will need a Fed license.

~~~
tptacek
Instead of resting on "government is bad, m'kay", how about taking a crack at
suggesting something to improve the bill? That's something people can actually
debate productively.

~~~
noarchy
Bills are not written by people on discussion boards. They are written by
lobbyists, and then adopted by legislators who rarely even read the bills on
which they vote.

~~~
tptacek
What's your point? Presumably, you're commenting for a reason.

~~~
smokeyj
It appears OP doesn't trust lobbyists to ensure security.

------
jrockway
I skimmed the bill but couldn't find any reference to "specific proprietary
software". What are we talking here, Cisco routers or something?

~~~
wooster
I presume it's a reference to the Common Criteria certification requirements.
So:

<http://www.commoncriteriaportal.org/products/>

------
tptacek
Both the FSF and CNet's sources are making the same complaint about the
proposed bill: that it allows DHS to designate private networks as "critical
national infrastructure", and that the terminology in the bill is so broad
that it would allow (say) eBay to be declared critical infrastructure.

The reality is, while the bill sucks and the language is fuzzy, the intent is
clear: critical private national infrastructure means air traffic control and
the power grid. _Maybe_ , under the broadest interpretation, they might call
the NASDAQ ECNs part of the "nation's information infrastructure".†

The bill makes no mention of proprietary software or hardware. The FSF is
apparently reacting to the notion of DHS having _any_ authority over the
operation of networks; the notional concern is, "if they can dictate
operational terms, they can dictate Cisco and Microsoft". They could just as
well dictate Linux or Apache.

It is a fair critique of this bill that DHS has virtually no expertise in this
area (despite repeated appeals to US-CERT, which, respectishly, doesn't have
the requisite expertise either).

Personally, while virtually everyone else on HN is going to disagree with me,
I think it's less fair to criticize the notion of FedGov nationalizing the
security of private networks in an emergency. I have several reasons for
arguing this:

* It is simply the truth that vast amounts of our critical infrastructure are privately owned and operated, and while reasonable and mostly hands-off regulation may enable utility operators to serve the public good using their own best judgement, that same regulation does nothing to deal with malicious adversaries.

* The government already has the "shadow" authority to accomplish these goals. Does anyone seriously believe the President lacks the ability to nationalize power grid security in the event that an attack makes the midwest go dark? Of course he can. It's better to be explicit about that authority now, when we're not panicking over an actual technological attack, than it will be for us to create _de facto_ new rules in a crisis.

* There is a real risk that companies managing critical infrastructure might not realize that their networks are critical infrastructure, or, worse, might not care. We have decades worth of track record for companies not disclosing horrible incidents for fear of economic consequences. It's one thing when a retail chain delays disclosure of credit card leaks; it's another when a grid operator gets owned up.

† _Systems can be designated if "the destruction or the disruption of the
reliable operation of the system or asset would cause a national or regional
catastrophe"; specific factors that must be considered include whether an
attack would cause "a mass casualty event with an extraordinary number of
fatalities", "severe economic consequences", "mass evacuations with a
prolonged absence", or "severe degradation of national security capabilities,
including intelligence and defense functions"._

~~~
LiveTheDream
> while the bill sucks and the language is fuzzy, the intent is clear

Is it so hard to believe that a bill could be interpreted in such a way that
unexpected and undesired consequences happen? Rather than waving off criticism
by claiming "intent is clear", I think it's best to make the language clear.

~~~
quanticle
Unfortunately, courts do not decide on the _intent_ of legislation. Courts
decide on the language of the legislation and the facts of the case. The fact
that this legislation has such broad language is something to be feared,
regardless of its intent.

Perhaps an analogy is in order. The _intent_ of intellectual property
legislation (specifically, patent law) was to promote innovation. However, the
_outcome_ of the legislation has been almost exactly the opposite when such
legislation has been applied to computer and information technologies. How can
you say that the same thing will not happen with this legislation? As the
aphorism goes, "The road to hell is paved with good intentions."

~~~
tptacek
How would you improve the language? _Nobody here_ is sticking up for the
language as it stands. Don't be boring! Improve the language!

------
tomjen3
That's true, but the headline is an understatement. This line of legislation
will kill Silicon Valley. Who can afford $100k/day when you are just two guys
in a garage? Or even writing cyber defence plans and submitting them to DHS?

