As lawmakers consider giving the president emergency powers in case of an online attack, many in the field are offering scenarios for how to define a cybersecurity emergency and how far the government should reach to contain an attack.
Thoughts, folks?
The President is at the top of the food chain in terms of knowledge about attacks.
The real problem is the knowledge and capabilities of the agencies that feed him/her information.
Theoretically, I would agree, but practically, I think that there is much more that needs to be fixed at lower levels before an action like this is allowed.
I certainly agree that ISPs have been remiss and possibly negligent in not automatically blacklisting known security risks (and they are known). There are ASNs which have been flagged by SANS and others as being hosts of malware and other disruptive devices, which have operated, unimpeded, for months because the ISPs don't care to do anything about it.
The technology exists to deal with this. There are groups which have researched and identified known botnets, malware sites, etc. Heck, I update my firewall daily and if my ISP did the same thing, we'd have a lot fewer problems.
But the real issue is that there are too many layers of, shall we say, limited competence, between the President and the subscribers and I would be more concerned about the financial and economic impact of a total network shutdown based upon bad or incomplete evidence, than about the potential damage to subscribers of the ISP services.
To make a decision of that magnitude would require that the President have reliable, accurate, information, and from my experience, that is not the case, today. The alternative, widespread restrictions on commerce and freedom of expression, would be intolerable in light of the limited information that the President has, today.
Doug,
I'd like to see your thoughts on this…
Fair. Harlan, I'd like to see yours!
I had this argument just yesterday. If the president can down every airplane over the US because it's "under attack" then I can't see the difference from a powers view between this response, and shutting down the internet.
Anyone with a basic knowledge of what's actually happening in the online security world knows that any coordinated attack on the US will come through the exploitation of compromised private systems, i.e. a zombie attack of the kind most often used recently to extort e-commerce and particularly online gambling sites.
What's most scary is that we were having this discussion about critical information infrastructure protection in 2006 in Australia, and generally the telcos, ISPs, QUANGOs and the government were all on the same page, and yet this planning is only in its infancy here in the US. I could say more, but I avoid expressing overt political criticisms in an open forum.
Some thoughts on
- This is not China, there is no one "switch" to turn off the Internet.
- Who tells the President that a company or ISP is under attack so that the Internet can be turned off? There is no Cyber Czar; the various government entities with initials have a hard enough time with their current duties. How can they possibly add more responsibility? I have serious concerns about the trigger events.
- "The Secretary of Commerce— shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access…" Seriously? We trust the Commerce Department with absolute, non-emergency access to "all relevant data" without any privacy safeguards like standards or judicial review?
- SEC. 3. CYBERSECURITY ADVISORY PANEL. I cannot see how yet another advisory panel does anything other than add overhead. Do we not already have CERT, SANS, etc.?
- SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD. I cannot fathom how this can be developed in 90 days and implemented in 1 year. I do not think that rushing something into play in IT is any better than doing it in other industries.
- SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM. InfraGard?
- SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE. Are the current standards going to be abandoned? Instead of waiting a year why can we not push forward with something like the SANS cyber initiative or the current 20 Critical Security Controls V2.1?
- SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS. I know there is not a universally recognized forensic cert, but on the security side ISC2 has CISSP and GIAC has several certs for managers and practitioners and the government is beginning to require NSA 4011. Do we need another designation?
- SEC. 10. PROMOTING CYBERSECURITY AWARENESS.
- SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT. Absolutely.
- SEC. 12. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM. There are quite a few available and several fellowships. Training future professionals should be a good thing as long as funding matches results.
- SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE. Already established. Did the bureaucrats forget to do their research again before they put pen to paper?
Feel free to jump in.
How to define an attack is going to be difficult. Back in 2006 I wrote a piece about the wireless future on my blog, and even a small paragraph in that piece hinted at potential abuse and loss of sovereign control over particular aspects of network usage and economic and legal boundaries. I thought of those as potential "candidates who are less than honest seeking maximum gain, whilst seeking and engineering maximum anonymity" © GSmith 2006
http//
Wouldn't this be enough in case of attack? 😯
http//
jaclaz
I had this argument just yesterday. If the president can down every airplane over the US because it's "under attack" then I can't see the difference from a powers view between this response, and shutting down the internet.
Ordering airplanes to the ground is hardly the same as shutting down a Tier 1 ISP. Sure, there is a disruption in commerce. But all of the people travelling by air at any one time are not interconnected in purpose to the same degree as are the entities linked by an ISP. Consider that there are peering arrangements between ISPs upon which are based reliable, redundant links that support all kinds of commerce.
Anyone with a basic knowledge of what's actually happening in the online security world knows that any coordinated attack on the US will come through the exploitation of compromised private systems, i.e. a zombie attack of the kind most often used recently to extort e-commerce and particularly online gambling sites.
The proposed legislation is a solution in search of a problem. The only practical way to coordinate such an attack is either by someone going to the trouble to set up computers in hundreds or thousands of locations, which is impractical, or through the use of hundreds or thousands of compromised systems, which is happening all the time.
The problem with the latter scenario is that we know what is happening and we know who is compromised and yet we do nothing about it. We don't need an executive order to shut the mess down; we need better vigilance, better cooperation between the public and private sectors, and we need more stringent criteria for who has access. Consider that in most states you can put a car on the road without an inspection, yet you can put any computer on the Internet for next to nothing.
What's most scary is that we were having this discussion about critical information infrastructure protection in 2006 in Australia, and generally the telcos, ISPs, QUANGOs and the government were all on the same page, and yet this planning is only in its infancy here in the US. I could say more, but I avoid expressing overt political criticisms in an open forum.
On this I agree. But this is, in part, because the government in the US insists on appointing people to cybersecurity positions who have little practical experience or knowledge in cybersecurity. The fact that someone has worked for a major IT company or has been a CIO of a city or state does not, necessarily, qualify them for this kind of work. There are many people in academia who have been overlooked by this and past administrations who know a darn sight more than some of the political hacks who are currently holding the positions.
There are many other problems, as well, too many to go into in this forum. Let me just say that the approach taken by the proposed legislation is akin to using a cannon to kill a fly. What is needed is to control the situation so that you never have to use this approach, rather than fall back on it because you don't have a plan.
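Two posts above make the same practical point: the earlier one, that an ISP could do what a careful home user already does and automatically block ASNs and hosts that SANS and others have flagged, and this one, that compromised systems talking to known-bad infrastructure are visible today and need vigilance rather than a kill switch. The following is an added example, not code from any poster or from SANS/DShield, of what that looks like in practice: load a plain-text blocklist feed, collapse overlapping prefixes, check observed flow records against it to surface internal hosts contacting known-bad networks, and emit the nftables commands that would enforce the list. The feed contents, the flow records, the set names `bad4`/`bad6` and the `inet filter` table with an existing `forward` chain are all constructed assumptions for this example.

```python
#!/usr/bin/env python3
"""Added example: turn a published blocklist feed into enforceable firewall
rules and check observed flows against it. The feed and the flow records
below are constructed for illustration, not real SANS/DShield data."""
import ipaddress

# Constructed feed in the style of a plain-text blocklist: one prefix or
# address per line, '#' comments, trailing annotations allowed.
SAMPLE_FEED = """\
# constructed blocklist feed (example only)
198.51.100.0/24     # botnet C2 range (hypothetical)
203.0.113.7         # malware dropper host (hypothetical)
203.0.113.0/25      # overlaps the host above; merged on load
198.51.100.200      # already inside the /24; redundant after collapse
2001:db8:bad::/48   # IPv6 prefix, same treatment
not an address      # malformed feed line; skipped, must not abort
"""

# Constructed flow records: "proto src dst dport", one per line.
SAMPLE_FLOWS = """\
tcp 192.0.2.10 198.51.100.44 443
tcp 192.0.2.11 93.184.216.34 80
udp 192.0.2.12 203.0.113.7 53
tcp 192.0.2.13 2001:db8:bad:1::9 6667
tcp 192.0.2.14 203.0.113.200 443
"""


def load_blocklist(feed: str):
    """Parse feed text into a minimal, non-overlapping list of networks.

    Overlapping and adjacent prefixes are collapsed so the resulting rule
    set is as small as possible; malformed lines are skipped rather than
    allowed to break enforcement of the rest of the feed."""
    nets = []
    for raw in feed.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def is_blocked(address: str, blocklist) -> bool:
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in blocklist)


def match_flows(flows: str, blocklist):
    """Return (src, dst, dport) for flows whose destination is blocklisted.

    An internal host appearing here is the 'we know who is compromised'
    signal: it is talking to infrastructure already flagged as bad."""
    hits = []
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _proto, src, dst, dport = parts
        if is_blocked(dst, blocklist):
            hits.append((src, dst, int(dport)))
    return hits


def render_nft_rules(blocklist, table="inet filter"):
    """Emit nftables commands that drop traffic to or from the blocklist.

    Assumes (for this example) that `table` and its `forward` chain already
    exist; 'flags interval' lets the sets hold CIDR prefixes directly."""
    v4 = [str(n) for n in blocklist if n.version == 4]
    v6 = [str(n) for n in blocklist if n.version == 6]
    lines = [
        f"add set {table} bad4 {{ type ipv4_addr; flags interval; }}",
        f"add set {table} bad6 {{ type ipv6_addr; flags interval; }}",
    ]
    if v4:
        lines.append(f"add element {table} bad4 {{ {', '.join(v4)} }}")
    if v6:
        lines.append(f"add element {table} bad6 {{ {', '.join(v6)} }}")
    lines += [
        f"add rule {table} forward ip daddr @bad4 counter drop",
        f"add rule {table} forward ip saddr @bad4 counter drop",
        f"add rule {table} forward ip6 daddr @bad6 counter drop",
        f"add rule {table} forward ip6 saddr @bad6 counter drop",
    ]
    return lines


if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_FEED)
    print("collapsed blocklist:", [str(n) for n in blocklist])
    for src, dst, dport in match_flows(SAMPLE_FLOWS, blocklist):
        print(f"ALERT {src} -> {dst}:{dport} (destination is blocklisted)")
    print("\n".join(render_nft_rules(blocklist)))
```

Run as-is it prints the three flows that hit the list (the fifth flow goes to 203.0.113.200, which is outside the 203.0.113.0/25 prefix, so it is correctly left alone) and the nft commands; in a real deployment the feed would be fetched on a schedule, the generated commands piped to `nft -f -`, and the match step run over exported flow logs. Collapsing first matters: a feed that lists a host and the prefix containing it should produce one set element, not two.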
There was a note about this in the SANS NewsBites that went out yesterday. Mind you I haven't read the original document that is talking about the "Internet Kill Switch," but the SANS editor pointed out that there is only one sentence in the document that even makes mention of this. It was also mentioned that the sentence will most likely be removed in the final version.
Honestly I think there's a bigger deal being made of this than there needs to be. If you want to shut down the Internet, just turn off Gmail, Facebook, Twitter, RIM, and AT&T. :)
On a side note, the article in the original post of this thread came from Fox News, and we know how much they love the President. :)
Tom