

Obama expected to issue cybersecurity executive order - benwoody
http://www.usatoday.com/story/tech/2013/02/11/obama-cybersecurity-executive-order/1911159/

======
tptacek
Have any of you actually _read_ the executive order? If not, did you perhaps
notice who the sources were for the stories being written about it today?

There was a cybersecurity order on the table last year (it wasn't enacted). HN
got up in arms about it. Some of us read it. Guess what? It concerned itself
almost entirely with the operational security of the federal government itself
(which operates the world's largest IT departments). The places where it
stepped past instructing DOE how to secure their networks were to create
educational programs to get more people doing information security. It
contained _no provisions at all_ that would have given the government access
to private entities' networks.

I haven't read this executive order, but if I was going to place a bet about
it, it would be that everyone hyperventilating about "king complexes" on HN is
being played.

~~~
bcoates
Are you talking about this?
[http://www.lawfareblog.com/wp-content/uploads/2012/11/White-...](http://www.lawfareblog.com/wp-content/uploads/2012/11/White-House-Draft-Executive-Order-Publicly-Circulating-Copy-11-1-12.pdf)

~~~
tptacek
The "new" EO is virtually identical to that one, yes.

(I think I got "educational programs", which IIRC was from Rockefeller's draft
bill, confused with "outside consultation" from this order.)

I did a clause-by-clause comparison (you're welcome! all part of the service I
provide) and while there are minor deltas (like which sentence of a clause the
Attorney General appears in, or whether deadlines are 90 days or 120 days)
it's the same thing:

* Coordinate better in managing FedGov systems

* Figure out a way to relay threat info from FedGov to private sector

* Inventory the US for computer systems that if disabled could kill people

* Reach out to owners of those systems to help them not be owned up over old dialup modems everyone forgot about

------
SoftwareMaven
The fundamental problem with this in my opinion starts with the executive
order. As the article states: the executive's job is to enforce laws, not make
them. EO's have stepped well beyond that in the last 20 years, with the
executive branch becoming more sovereign in nature, which scares the hell out
of me.

We do need a cyber security bill, but it should be passed by Congress, whose
job it is to iron out all the competing needs, instead of passed by fiat by a
wanna-be king[1] who "knows what's best for the country".

1\. EO's aren't the exclusive domain of Obama by any stretch. Every president
since HW Bush has used them in increasing number and, IMO, in increasing
defiance to the separation of powers. Another 20 years and Congress will be
nothing but a complete farce, much like other dictatorial "republics".

~~~
rayiner
The principle underlying executive orders is that they don't make laws, but
guide enforcement discretion that the President already has.

I'm curious to see what executive orders you think overstep the line from
guiding enforcement discretion to outright lawmaking.

~~~
stevvooe
<http://en.m.wikipedia.org/wiki/Executive_Order_9066>

~~~
rgrieselhuber
Couldn't have said it better myself. This is exactly why legislation is a
process that requires oversight and accountability. I'll never understand why
people are willing to write the president a blank check.

~~~
tptacek
Yet another illustration of the unintended consequences of authorizations by
Congress for war (obviously, in this case, an unavoidable war, but still).

The order to authorize internment camps was the result of two forces:

* Intense and direct recommendations from FDR's entire war staff and intelligence apparatus, which believed that there was an unacceptably high probability that Japanese and German populations would engage in sabotage during the war

* ENORMOUS public pressure, particularly in California, to eject Japanese citizens

The Japanese internment debacle is a blemish and a tragedy, no doubt, but it's
not an illustration of an executive power grab. The whole country shares the
blame for it.

The lesson I take from it is the same as the lesson I take from drone strikes
blowing up wedding parties: Congress should be extraordinarily careful and
guarded in its authorizations for using military force of any sort.

~~~
stevvooe
If this is not an illustration of an executive power grab, what power
authorizes the executive branch to round up a group of people?

Even so, legal or not, there is no valid reason to legitimize the internment
of Japanese-American citizens.

~~~
tptacek
It's an illustration of a _majoritarian government power grab_. I certainly do
not object to condemnations of Japanese internment camps! They were one of the
biggest mistakes our country ever made. I object to the root cause analysis
you've performed on it, and because this is a thread that is almost entirely
about that root cause analysis (and not Japanese internment), I think that's a
germane criticism.

------
jostmey
I find it worrisome when government declares it is time to protect the
internet. The internet has flourished just fine without intervention.

~~~
rayiner
The internet was born out of government intervention.

~~~
crusso
He said "flourished". The state of being implemented by some basic government-
funded research is almost completely disconnected from the time when
commercial interests took the idea and ran with it -- causing it to
"flourish".

~~~
rayiner
The internet wasn't implemented by some basic government funded research. It
was designed and built under a DARPA project and designed and implemented by
key pieces of the military industrial complex (BBN, etc). It was run by the
DOD and "flourished" long before it was commercialized.

~~~
adventured
The Internet isn't ARPANET any more than Ethernet is ALOHA.

The technology that made the Internet possible was almost exclusively private
sector technology. The desire, effort and vision to put together large
networks was already in place by the time the government made their move.

The government helped, no question about it, but all the pieces were already
there to make it happen. The private sector was driving that direction and
would have built out very large networks regardless of the government.

~~~
timsally
The record contradicts what you are saying here; what you've written is almost
a perfect inversion of historical fact. All the commercial networks being
developed or deployed when the Internet was being invented were circuit
switched, centralized networks. They really didn't have anything to do with
the Internet at all. The design philosophy behind the Internet [1, Section 3]
was drastically different than all commercial efforts at the time. The design
was so different and so unique compared to existing work that the inventors
won a Turing Award for it.

As an aside, all of the above is typically covered in the first week or two of
a networking course (I like Brighten Godfrey's [2]).

[1] <http://ccr.sigcomm.org/archive/1995/jan95/ccr-9501-clark.pdf>

[2] <http://courses.engr.illinois.edu/cs538/>

------
ck2
The order should be all critical computers like power-grid control should not
be able to connect to the internet in any way or have usb ports or DVD drives.

I have this fear that somewhere an ICBM is on an internet router because some
general wants to monitor it. Sounds insane right? Well why are power stations
on the internet?

~~~
tptacek
An executive order that forbad private companies from connecting to the
Internet would be far more of an executive overreach than anything proposed
for cybersecurity by the executive, the Democrats in the Senate, or the
Republicans in the House.

~~~
ihsw
Then those private companies shouldn't be in charge of critical
infrastructure.

~~~
tptacek
So we should federalize electric companies?

------
fatkid
the govt's efforts on cyber security are almost as much of a joke as their
response to protecting private businesses. unless you're google or a major
bank, getting some sort of response from the fbi/ic3. Have tried playing by
the rules when a client is attacked and submitting the information to them,
but never any response. Most of the time i brush these attacks off as my own
failure to keep things locked down but on the more serious attacks i've
submitted server logs, documentation tracking the person back to their home
address, facebook page, mother's phone number, everything they could possibly
need to arrest and prosecute. nothing but crickets.

glad they're starting to make some effort, but from software loopholes to
literally exposed (outside & unprotected) hardware/transmission equipment,
doubtful they'll never get their shoes on the right feet.

------
knowaveragejoe
Seems pretty sensible to me, though some folks seem to be linking it with the
revival of CISPA.

~~~
ihsw
The problem is the bi-directional information sharing between private
companies and the multiple levels of government -- it should be one-way
(private companies -> government).

There is a very large potential for abuse and we will have no recourse.

~~~
bcoates
I don't want information sharing that way either. We have (sadly, increasingly
circumvented or weakened) laws banning that for a reason.

~~~
ihsw
I will not deny that it's unpleasant but it is a necessity, which is why
subpoenas and warrants exist.

Unfortunately, law enforcement organizations are harrumphing and ruffling
feathers so they're getting what they want -- ability to bypass the
requirement for subpoenas and court-ordered warrants.

------
websitescenes
The internet has been a wild new frontier. Unfortunately, all frontiers
eventually become littered with the selfish ambitions of man.

