
Obama Admin Pursuing Executive Order to Enact CISPA-Like Cybersecurity Language  - denzil_correa
http://www.opencongress.org/articles/view/2511-Obama-Admin-Pursuing-Executive-Order-to-Enact-CISPA-Like-Cybersecurity-Language
======
tptacek
Did I call this? Yes, I think I called this. The Obama bill (note: Obama-
supportin' Democrat here) is worse than CISPA: an everything-and-the-kitchen-
sink bill that randomly creates incentive programs, new research
organizations, a "cybersecurity tip line", and federally funds research into
DNSSEC (DNSSEC: Rated S for Statutory).

Also worth noting: nothing in the Lieberman bill that this EO is patterned on
creates enforcement mechanisms for IP and copyright enforcement, or for
collecting customer information from ISPs. Of course, neither did the GOP's
CISPA bill. That's because neither regulatory effort is about user
information.

The problems both of these ill-conceived bills are addressing are simple.

Problem 1: There is no coherent strategy in the (vast, sprawling, chaotic)
federal government, which is the largest IT operator in probably the world.
Every agency does something slightly different. This means (a) nobody is doing
exactly the right thing (usually, they aren't doing anything close to the
right thing) and (b) it is prohibitively difficult to introduce new technology
to help fix things, because everyone you'd get to buy it has a different set
of hoops to jump through.

Problem 2: If you were a foreign adversary who wanted to cripple the US with
electronic attacks, you probably wouldn't bother hitting government IT
systems. Instead, you'd go for something like the power grid, or a trading
exchange. Those systems are privately operated, and so nothing the government
does to try to track, monitor, or deflect online attacks can benefit them.

~~~
taw9
Solution to 1 & 2: Make use of Windows on any Federal computer or power grid
control system illegal, punishable by public whipping.

Let's call this EO what it is: erosion of privacy, redux.

This has nothing to do with political parties. This is about money. Stinks of
MPAA...

~~~
tptacek
In exactly what sense does this EO have anything to do with privacy? It is a
more limited version of Lieberman-Collins; you can read that bill online right
now, and it's linked from the story. You should be able to find a clause or
pattern of clauses that points to "erosion of privacy".

~~~
shirederby
I don't know if the update that added it was present when you read it, but the
quote from TechDirt explains why it might be a "privacy disaster."

And the post on OpenCongress mentions that "inclusion of this report [to
examine the legality of limiting liability of private actors for disclosing
information] suggests that the Administration may believe there is a potential
work-around for the privacy laws."

~~~
tptacek
_I don't know if the update that added it was present when you read it, but
the quote from TechDirt explains_ BZZT COMPUTER OVER. VIRUS=VERY YES.

~~~
shirederby
...I don't, err, get it.

I have a couple ideas but I'm not confident enough in them to assume veracity.

------
guelo
Obama has been shameful on civil liberties. The sad thing is that it has
traditionally been the Republicans who push against the limits of civil
liberties and the Dems who at least pretend to care. Thanks to Obama, the Dems
have flipped over so completely against civil liberties that there really is
no remaining government interest protecting us. It's a Nixon-goes-to-China
moment: Obama has done more to destroy civil liberties than any Republican
ever could have dreamed.

~~~
tptacek
_Obama has done more to destroy civil liberties than any Republican ever could
have dreamed._

Ridiculous. I understand the perspective that civil liberties online are under
a constant assault by the government, but no reading of the actual facts could
lead someone to the informed belief that Obama's DOJ and NSA are worse than
Bush's, or, for that matter, Clinton's or Bush I's.

~~~
white_devil
_no reading of the actual facts could lead someone to the informed belief that
Obama's DOJ and NSA are worse than Bush's, or, for that matter, Clinton's or
Bush I's._

Oh? What about everything related to civil liberties going severely downhill
since Bush? Take the NSA "spy center" in Utah we're all aware of by now. How's
that for _Change You Can Believe In_?

Now, why is it that whenever there's a post about the US government being up
to no good, _you_ are _all over the place_ defending the government or making
things seem less serious, or like this time, just mixing things up?

Are you some kind of perception management agent or what?

Last time there was a post that um.. required your intervention, the thread
was like _half-full of your posts_. Seriously. What the fuck? What are you
doing?

Everyone who lives in reality knows you've got quite a police state going on
over there. Everyone knows your government is totally owned by Wall Street and
other elites [1]. Everyone knows your police force is full of thugs that tase
people to death for fun. Countless Americans have had their houses
fraudulently foreclosed on by the banks.

America is swirling down the drain. What the _hell_ are you trying to
accomplish here on Hacker News by trying to polish the turd of reality?

[1] Well, except for Ron Paul and a _couple_ of other people.

~~~
culturestate
> Oh? What about everything related to civil liberties going severely downhill
> since Bush?

Can you please provide some citations/examples? I'm not sure a new NSA
datacenter is enough evidence of "everything related to civil liberties going
severely downhill."

~~~
white_devil
How about the NDAA, which allows for treating American citizens as "enemy
combatants"?

~~~
tptacek
No, the NDAA did not allow the President to do that. The 2002 AUMF that
started the Iraq War did. What Obama's detractors are mad about W.R.T. the
NDAA --- apart from the ones who don't understand what the NDAA is, and
believe that it is actually a bill that specifically authorizes the President
to bomb people from drones --- what they're mad about is that Obama did not
VETO the NDAA in order to RESCIND the authority that the executive ALREADY HAD
from the AUMF.

Vetoing the NDAA, which passes every year, would have involved not paying
soldiers. In the United States, it's the legislative branch, not the
executive, that gets to decide the terms on which we pay people.

~~~
white_devil
_No, the NDAA did not allow the President to do that. The 2002 AUMF that
started the Iraq War did._

It seems both did.

 _what they're mad about is that Obama did not VETO the NDAA in order to
RESCIND the authority that the executive ALREADY HAD from the AUMF._

You say it like there's nothing wrong with the authority to detain citizens at
will because it was already in place.

Also, what I said about your behavior is accurate. You always _do_ spring into
action whenever bad things The Establishment does are discussed.

Why is that? For example in this case, it doesn't really matter that the AUMF
had already "legalized" something that just should not happen at all. The
point is that nasty shit is afoot. It's irrelevant exactly how and when your
government "authorized" itself to do it.

 _Vetoing the NDAA, which passes every year, would have involved not paying
soldiers._

Your "defense" budget could certainly use a hefty cut, but then you might have
(even more) trouble maintaining your global Empire.

But surely they could work around this issue if they wanted to de-authorize
the government from shipping any old innocent bystander (or unharmonious
troublemaker, as the case would be) off to Guantanamo on a whim.

------
luriel
What did you expect? Even before getting elected Obama voted for telco-
immunity, and then picked Biden as VP, who not only helped write the DMCA and
is a well-known drug warrior, but who proudly claimed to have written most of
what became the PATRIOT Act.

~~~
rz2k
_Senator_ Dodd gave a very impassioned and long speech on the floor arguing
against that retroactive immunity.

It didn't involve identical issues as his efforts for the MPAA, but it is a
pretty radical change in sentiments nonetheless.

If we can be unpleasantly surprised, it would be nice to be pleasantly
surprised every now and then, too.

------
crisnoble
Another review from someone who has seen the draft:
http://www.federalnewsradio.com/241/3026867/White-House-draft-cyber-order-promotes-voluntary-critical-infrastructure-protections

------
jeremymims
After Anonymous (or an individual in Anonymous) shut down millions of small
business websites today, this legislation or executive order is now far more
likely to happen. Enough people with clout will want to prevent "hackers" from
messing with their businesses and will accept whatever line of thinking is
promised to deliver them from this evil.

~~~
snowwrestler
There are major successful attacks against networks and businesses every
single day. Not just small businesses; I'm talking about banks, power
companies, etc. You only hear about the ones that make the news, which is
almost none of them. But they are definitely happening, which is why there is
urgency to do something on cybersecurity now.

------
tsurantino
I like how this happens after his reddit IAmA where he espoused in a specific
answer that he would work in the interests of internet users to maintain a
free internet and not enact, support or enforce policies/legislation of this
nature.

This is politics as usual.

~~~
jscheel
I especially like the fact that the reddit hive mind has completely ignored
this story, but any time some pizza guy gives President Obama a hug, or Mitt
Romney stumbles on his words, it makes the front page.

------
DamnYuppie
Most of the comments in this thread are about either defending or bashing
Obama. I personally only care about finding ways to limit the means our
government has of needlessly gathering information on us. I am aware that this
is a losing battle, but the idea of civil liberties and the societies that they
encourage are more important than a tit-for-tat discussion about who did what.

------
JumpCrisscross
My position on the security-liberty spectrum, as with many on HN, tends
towards liberty. But the risk of an offensive cyber hit on critical
infrastructure is real. If not a voluntary bulletin and audit network, how
should the U.S. ensure the viability of its critical infrastructure against
cyber attack without compromising civil liberties?

~~~
pnathan
As someone who has a more insider perspective on critical infrastructure, I
think that what really needs to change for the better is the culture of
awareness and understanding of modern software in the SCADA world. Right now
it's where IT was in the early 90s, IMO.

My personal opinion is that certain facilities and services (say, water
management systems or the electric grid) _must_ be federally regulated, with
aggressive fines and various charges for negligence and slackness. There must
be a real and definite risk factor to being a slacker. Right now, there isn't,
not really.
not really. The risk is very small for the cost involved in upgrading
infrastructure and having annoying security people telling you that the
Internet is a source of problems and to stop communicating over telnet. :-)

I used to follow the SCADASEC mailing list which had several excellent
descriptions of the culture problem.

~~~
tptacek
This, by the way, is the original Democratic "Rockefeller bill" take on the
"cybersecurity" problem, and what I was actually invoking when I said Obama's
preferred version of CISPA was worse than CISPA; what he actually came up with
(this EO) is less bad than what I assumed he'd come up with (the Rockefeller
bill).

In short:

The Rockefeller solution to the critical infrastructure problem is:

1. Allow the government to, with some due process mechanism, designate
private entities as "critical infrastructure"

2. Allow the government to define, more or less by fiat, a set of qualified
auditors for critical infrastructure

3. Mandate that critical infrastructure operators get audited

~~~
pnathan
Without being a policy analyst for the CIP world, just a guy who writes code
in it, these seem like a good idea. The only thing I would add is a point 4:
failing audits should hurt/cost. There needs to be an incentive to not fail.

The key problems to avoid lie around point 2. It can not become a case of
regulatory capture. Nor, for that matter, should it be a bunch of IT security
yahoos who don't understand the unique demands that CIP/SCADA systems have.

(By the way, if anyone wants to talk about this sort of thing, feel free to
email me).

------
lstroud
Between this and his sponsorship of DOJ domain seizures, without due process
of any kind, it's hard to see how any technologist could support Obama.

------
dguido
Excuse my ignorance, but what is CISPA-like about this? The Federal News Radio
link talks about the EO in significantly more detail.

~~~
tptacek
CISPA is very short and merely establishes a voluntary mechanism by which a
power grid operator (for instance) could subscribe to an iDefense-like service
operated by the government to get updates about attacks and push back updates
about probes they themselves had noticed.

Lieberman-Collins does the same thing, but also establishes a "cybersecurity
tip line" and a regulatory regime for who in the FedGov can receive info from
that tip line, something like 20 different new research mandates, a
certification program for critical infrastructure operators that exempts them
from civil liability, a mandatory periodic research report to Congress on
DNSSEC, a retention program for cybersecurity workers in the government, new
GSA regulations making sure that people don't buy fake Cisco routers, and like
40 other things I forgot after reading the bill.

~~~
dguido
Nice! I was being somewhat facetious so hopefully people came to the
conclusion themselves that the situation is nothing like what the title of
this thread is describing. Pretty sad that the copyright lobby has poisoned
the water so badly that "get out your pitchforks!" will be a standard reaction
to any cybersecurity legislation for years to come :-(.

From the Federal News Talk Radio article, I don't see why any of the following
are unnecessary or wasteful. Sounds pretty straightforward and at least
somewhat useful to me:

One subsection would ask industry to voluntarily submit cyber threat
information to the government. The draft order says this data wouldn't be used
for regulatory purposes or used against companies. Sources say there aren't
any liability protections in the EO because that could only come from
Congress.

A second subsection would require DHS to undertake privacy assessments of the
data they collect around critical infrastructure.

A third subsection limits what critical infrastructure is included under the
draft EO, and makes clear that First Amendment protections will apply to how
the government identifies critical infrastructure.

A fourth subsection would address acquisition and the preferences for products
and services that meet the cyber standards developed by the DHS-led council.

The final subsection would call for a report within 120 days discussing
possible incentives such as liability protection, expedited security
clearances and recognition by the government that the critical-infrastructure
owner and operator meet the voluntary standards.

