
US Senate bill allows White House to disconnect private computers from Internet - drewr
http://news.cnet.com/8301-13578_3-10320096-38.html
======
tptacek
0.

So, when you look at something like this, I think you have a choice to make:
you can put on the tinfoil hat and concede any relevance you might have to the
discussion, or you can recognize the real weaknesses of this bill and the
process that is producing it and comment rationally on whether the government
is capable of legislating improved security for its own systems when those
systems are by necessity constructed from COTS pieces created by unregulated
technology companies.

1.

The thing that everyone is going to talk about here is the definition of a
"nongovernmental critical information system". The term is defined broadly in
this bill: the President designates them. But I think the intent here is
pretty clear: private industry operates the E911 system, the cellular phone
network, all our financial exchanges, and a good chunk of the power grid.

Most of these systems are in some way connected to public networks: for
instance, a generic Cisco VPN vulnerability could get you a telco, which would
get you to private leased lines. Before you shrug that off, read up on
"Operation Sun Devil", and the state of the art of teenage hacking in 1991.

I think it's hard to say that the NSC, given a secret update that, say, all
Cisco IOS versions were vulnerable to a pre-auth generic TCP remote code
execution vulnerability, should NOT have the capability to ensure that exposed
power grid systems were locked down.

On the other hand, I agree that the wording is overbroad. I'm interested in
what HN people think good wording would be for what would qualify as a
nongovernmental critical information system.

2.

What sucks about this situation is this:

The broad intention of this bill, to improve "cybersecurity" across all of US
industry and government systems, is going to fail. You can't legislate it.

But narrowly, this bill is going to define what it means to work with systems
at DOD, law enforcement, and energy. And I don't care that much, except that
the existing processes in these areas are arcane, arbitrary, and exclude a lot
of talent and ideas. Relative to financial services, DOD does _not_ have
excellent security.

But since everyone is going to get ratholed in the meaningless broad intention
of the bill, nobody's going to get into the nitty-gritty of secure software
accreditation, procurements, certification of personnel, funding for
technology and technology grants, and so on. Those topics are boring, but
they're more important than whether you can outlaw insecurity.

~~~
jamesbritt
" ... created by unregulated technology companies."

As best I can tell there is not a single company in the US that is not
regulated in some way. Whether the regulations are good, bad, sensible, inane,
is a different matter, but regulation is as American as apple pie.

~~~
tc
It may be a bias, but when I think of what characterizes the word _American_,
I think of something more like Unix than Multics.

(Even though _America_ itself certainly contains plenty of both models.)

------
gloob
Rough summary:

"A bunch of American politicians have worked themselves into a right tizzy
over something they don't even come close to understanding. In response, they
are trying to pass a law saying that they run the Internet. When asked his
position on the bill, a senior Senator emitted a series of 1990s-era
buzzwords."

~~~
tptacek
Politicians don't write bills. The law doesn't say they run the Internet. But
you're right, when asked, 72-year-old sponsoring Senator John Rockefeller was
unable to give a coherent summary of how information security works.

------
rsingel
What's dangerous is that people are letting the military, politicians and the
cybersecurity industry raise the hype and fear about the online world. That
will only feed their budgets and militarize the internet. Remember the hype
around Conficker and "cyberwar" in Estonia. Neither, in hindsight, meant
anything. Good network security practices for the government? Sure! A
secretive government internet security program run by the NSA and DHS and a
Pentagon botnet? No, no, no.

~~~
tptacek
Which is why it's disappointing that even the people on these comment threads
haven't managed to be more cynical about all the Conficker stories that have
been posted over the past several months.

------
miked
Key passage from the article:

"Probably the most controversial language begins in Section 201, which permits
the president to "direct the national response to the cyber threat" if
necessary for "the national defense and security." The White House is supposed
to engage in "periodic mapping" of private networks deemed to be critical, and
those companies "shall share" requested information with the federal
government. ("Cyber" is defined as anything having to do with the Internet,
telecommunications, computers, or computer networks.)"

"The language has changed but it doesn't contain any real additional limits,"
EFF's Tien says. "It simply switches the more direct and obvious language they
had originally to the more ambiguous (version)...The designation of what is a
critical infrastructure system or network as far as I can tell has no specific
process. There's no provision for any administrative process or review. That's
where the problems seem to start. And then you have the amorphous powers that
go along with it."

~~~
tptacek
That's Sec. 18 (5). It says:

 _(5) shall direct the periodic mapping of Federal Government and United
States critical infrastructure information systems or networks, and shall
develop metrics to measure the effectiveness of the mapping process;_

Which is to say, the government will have an inventory of its networked
assets. Which, if the WaPo ran an expose about how the government _didn't_
have an inventory of their assets (they don't), we'd be writing comments
making fun of them about.

The thing that's freaking people out is Sec 23 (3), which says:

 _(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION
SYSTEMS AND NETWORKS- The term ‘Federal Government and United States critical
infrastructure information systems and networks’ includes-- (A) Federal
Government information systems and networks; and (B) State, local, and
nongovernmental information systems and networks in the United States
designated by the President as critical infrastructure information systems and
networks._

23 (3) (B) allows the president to designate a "nongovernmental information
system" as critical. That's scary until you realize that:

* There clearly are nongovernmental information systems, such as SCADA and nuclear controls facilities, or E911, or GSM towers.

* Those nongovernmental systems are often scarier than the systems this bill is really going to impact, viz. secretary desktops at Interior.

* The other requirements of this bill w/r/t those designated critical systems are so onerous that it's unlikely too many systems will be so designated.

* Those nongovernmental systems are often already under intrusive regulation, for instance NERC/FERC, and this bill is just aiming to harmonize that.

I'm not saying I like the language here. I don't. But it's just a badly
written bill. It's not a conspiracy.

~~~
jaekwon
I agree, the wording could be misinterpreted, but it's clearly not the
intention.

~~~
anamax
> I agree, the wording could be misinterpreted, but it's clearly not the
> intention.

How do you know the intent of the bill's authors and the folks who are likely
to vote in favor? (I'm not doubting you, I'm asking about your sources.)

------
tptacek
Here's the actual bill text:

<http://www.opencongress.org/bill/111-s773/text>

~~~
sp332
<http://news.ycombinator.com/item?id=792178>

~~~
tptacek
I like the OpenCongress interface better, but thanks, interesting to compare
the two.

------
hughprime
I'm no expert. Can anyone think of a set of circumstances under which this
power could be reasonably used?

Alternatively, can anyone think of a _likely_ misuse of this power? (I'm not
talking black-helicopter stuff here, just standard-issue governmental
overreaching).

~~~
silentOpen
Misuse: the shutdown switch or codes aren't properly secured and Foreign Enemy
X shuts down your country's internet throwing it into chaos.

Introducing systemic weakness isn't the answer when you're trying to
strengthen your network, strengthening your network is the answer.

~~~
wmf
Let's hope they don't try to automate this; CALEA was complex and expensive
enough.

~~~
tptacek
And CALEA narrowly impacted on the tiny minority of systems that directly
worked with voice communications. The tinfoil hat interpretation of this
capability would cost hundreds of billions of dollars.

------
wmeredith
AFAIK the President has always had these powers in wartime. The War Powers Act
allows the gov't to mandate complete control over any of the country's
resources, oil, trains, airwaves, etc...

------
ams6110
Look for booming business in offshore hosting facilities.

~~~
pasbesoin
I'd say, look for alternative physical transport layers. I don't know the
timeframe until practical deployment on a significant scale, but I fully
expect this.

~~~
cmars232
Agree. Ultra-wide-band mesh wireless networking perhaps? I've heard UWB can
exist over licensed spectrum without even affecting existing narrow-band
reception.

------
mcantelon
This is part of a pattern. The US state has been making a concentrated effort
over the last decade to establish an infrastructure that will protect them
from their own citizens (the establishment of Northcom being the foremost
example). Why the sudden fear, unless they plan on imposing something they
anticipate will be met with widespread resistance?

~~~
fuzzmeister
The government always tries to extend its power. That does not mean that it is
engaging in some grand conspiracy, it's just the natural tendency of
government to grow.

~~~
mcantelon
The natural tendency of government is to extend power and when the power
extension efforts suddenly narrow their focus to a certain realm it indicates
a trend. Given the resources and coordination needed to fuel a trend in
development of a state's security apparatus there is likely a perceived threat
behind it.

Cold War efforts, for example, were in anticipation of possible conflict with
an external enemy. In this case, as the Pentagon's recent request for
authorization to deploy 400,000 troops within the US indicates
(<http://tr.im/xn5T>), the perceived threat is domestic. This begs the
question why they are anticipating a domestic threat.

~~~
tptacek
It's true, and the APCs stationed on every block of my neighborhood are damned
annoying, as are the Lt. Col's constant requests to quarter soldiers in my
house. I'd be fine with it, except they want the beds, and not just the
couch. SIC SEMPER TYRANNIS!

~~~
mcantelon
Don't you bring the dinosaurs into this.

~~~
tptacek
Oh crazy left-wing message board geek, I just can't stay mad at you.

~~~
mcantelon
Predictable ad-hominem is predictable... I'm still waiting for a reasonable
justification for the US military deploying twice the force currently in Iraq
domestically.

~~~
tptacek
Yeah, that'd be an awesome conversation for HN, wouldn't it. And we'd all
learn so much about cybersecurity, too!

~~~
mcantelon
Any _reasoned_ discussion about things that matter has the potential to be
interesting.

------
jrockway
What I realize about this is that, in the day and age of a global Internet,
localized government is becoming rather irrelevant. Laws like this aim to keep
the people under control and the government in power.

------
frisco
Has the whole piracy episode taught us nothing? You cannot control the
internet. The internet is about the efficient conveyance of information: it's
basically a law of physics that nothing can stop information from spreading.

