The Cybersecurity Act of 2009

(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99

Has anyone asked Al Gore where the master switch is?

jaclaz's link shut down only the Oval Office when I clicked it.


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700

Honestly I think there's a bigger deal being made of this than there needs to be.

Except that it is telling that someone writing the legislation would think this either possible or practical.

When the Morris Worm first hit, one of the first things that the government did was to shut down the connection between the military and civilian networks. A good thought except for the fact that the cause of the worm and the solution had been detected within a few hours of the attack and disseminated by, among other things, e-mail. Phone messages were left at the offices of UC Berkeley (where sendmail and BSD Unix were developed) and DARPA but neither had 24-hour phone support so the messages weren't received until the next day.

Meanwhile, sites with 24-hr sysadmins were able to get the details on the fix, implement it, and go to bed happy.

My point is that even suggesting such an approach is scary because it indicates that the bill's authors don't understand where the real problems are or how to fix them.


CdtDelta
(@cdtdelta)
Estimable Member
Joined: 17 years ago
Posts: 134

Except that it is telling that someone writing the legislation would think this either possible or practical.

You do realize what you are saying with that statement, right? Just think back to the Internet being a bunch of "tubes".

My point is that even suggesting such an approach is scary because it indicates that the bill's authors don't understand where the real problems are or how to fix them.

Oh I'm not disagreeing with you at all, but the point I was trying to make is everyone seems to be focusing on one sentence in this Act, but there's nothing mentioned about the rest of it (the pork projects included for example).

When has any legislation dealing with "IT/computer/Internet" related topics ever been understood by the people that wrote the legislation? It's always about some lobbying group with an agenda that says "Hey, this is what you should put in there, because it's good for everyone (when it's only good for the group the lobby represents)."

Tom


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

While this may look like a solution in search of a problem…which I tend to agree with, but only a little bit…it's also the logical outcome of all previous regulation and legislation.

That doesn't make it a good thing.

I think what the issue is here is that to an individual victim of cybercrime…a citizen or a corporation…that crime is an annoyance. Cybercrime isn't understood as well as physical crime, so it's not viewed in the same context. However, on a greater level, this can be (and is) viewed as a national security issue.

However, much like other regulation (PCI, HIPAA, etc.), while this legislation may directly or indirectly mandate certain criteria (in this case, for information security), those criteria will intentionally be vague. This applies to what constitutes an 'emergency', what the President's powers will be, and what is required of organizations that participate in this 'coordinated response'.

Several in this thread have mentioned mass attacks due to the use of vast botnets…this is not only a very real possibility, it's a reality. So what happens when percentages of those attacks originate from academic or corporate networks?

All in all, IMHO, this is what we used to call on the rifle range a "bold dope change"…too bold. I don't think that this is the right approach, necessarily…I do agree that someone needs to be in charge, but I also don't think that the President working with CEOs of major organizations is actually going to get anything done…they're all too far up the food chain, and the political mire beneath them is far too thick. However, I do think that this is the start. My concern is that too little will be accomplished and this will simply die on the vine.


(@oldbloke1)
Active Member
Joined: 17 years ago
Posts: 19

Just an alternative thought.

I suspect The President will need to have a "bit of a chat" with his allies before he shuts down the WORLD wide web. It not being just the US wide web.
Might cause a bit of a ripple in Whitehall, the Kremlin, Paris, Berlin, Rome, the European Central Bank, Melbourne, New Delhi, Pretoria, the UK Stock Exchange etc etc etc. Won't affect Ireland of course, we are broke already!

And, after the threat has receded, I wonder how quick Beijing, Moscow etc etc will be to turn back on the infrastructure that those politically powerful US companies with major investments on foreign soil rely on. So I wonder whether an action of such international corporate magnitude can be placed in the one office, no matter how oval it is.


jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442

I think there are easy ways to shut down the US side of the Internet. For example kill the root domain name servers and the primary peer points of the major carriers.

The question is why would one want to shut down the "Internet"? What would be the benefit?

The Internet is so heterogeneous, so diverse there will always be functioning pockets.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

The fact is, gents, the Internet won't be shut down…the economic impact of doing so would be untenable. Look at what happened with the SQL Slammer worm…many CC transactions were processed by hand, and as a result, many were lost or processed incorrectly.


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
Topic starter  

My thoughts Harlan?

Well, it is a mix of cautious optimism and skepticism when the current government branches and agencies get involved, and the inability of the press to have a non-fear discussion about security. Everyone wants their name on this initiative and a piece of the IT security pie. (Has anyone actually been in the awesome Northrop Grumman cyber command office I saw in commercials? I want headsets and six 75 inch screens! By the way, not as cool in real life: http://media.primezone.com/cache/189/int/7176.jpg)

The past year or so has been particularly newsworthy for IT security. Cybersecurity, cyberwarfare and cyberthreats are covered in the news or blogged about extensively on a daily basis. From stories of the TJX Albert Gonzalez hacking case to North and South Korea's summer dispute using web based attacks, it has become a very public issue.

Those of us that have seen integration of IT systems into our lives over the past 20 years seem to be dumbfounded that it has taken so long to get a response from the public and government that something needs to be done about the security of the digital infrastructure.

Here are some interesting excerpts from Dennis C. Blair, Director of National Intelligence in his 2/12/09 - Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence report.

If there is a realization of the importance of the infrastructure

The US information infrastructure, including telecommunications and computer networks and systems, and the data that reside on them, is critical to virtually every aspect of modern life.

The perceived threat to our technology infrastructure is so grave

Further, the growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructures. Over the past several years we have seen cyber attacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts.

How long will it take to get something done? We do not have the time or resources for an extended pissing contest between branches of the Government and its various compliance and security agencies. There are moments in a nation's history that require action instead of only discussion – this is one of them.

However, our nation has a history of slowly enacting change. Civil rights, for example. It took over 100 years after the end of slavery to remove racial integration barriers. 100 years. If, according to the Threat Assessment Report, 81% of all email is SPAM and 15% of all online computers are botnets, while "Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious", time is not on our side.

The push for The Cybersecurity Act of 2009 at face value wants to tackle the issues head-on because “cybersecurity is the soft underbelly of this country” as stated by the previous Director of National Intelligence, Mike McConnell.

Now there is a lot of noise in the press about the language of the Senate bill.

The latest working revision of the Act
http://www.nickthompson.com/s773.pdf

which updates the April version
http://www.opencongress.org/bill/111-s773/text

changing such language as
may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

to

In the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information system or network — [the president] may declare a cybersecurity emergency; and may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network.

But only getting inflammatory headlines

Senate Cybersecurity Act of 2009 Could Shut Down the Internet
Is Move By Obama to Turn Off the Internet In a Cyber-Emergency a Power Grab?
Cyber security plan gives Obama control of Internet

Really? This is the best we can come up with now that we are talking about security? Can we please just have an intelligent public discourse to address the underlying issues at hand?

My fear is that we now have the issue on the table and it will get politicized, lobbied and news-bitten to the point of no effect. There is some great language in the bill about co-operation between the public and private sectors to address the most important issues and proposing a cybersecurity workforce plan - the troops on the ground for such actions should be a mix of public and private people that have talent, not just titles. And some negative language stating "Beginning 3 years after the date of enactment of this Act, it shall be unlawful for an individual who is not certified under the program to represent himself or herself as a cybersecurity professional." Ok, ease up. It's difficult enough to get the time and money for the various SANS, GIAC and ISACA certifications. Please use these existing and recognized degrees and programs as pre-requisites.

The Government has the logistical ability to get things done when not shooting itself in the foot with political posturing and lobbyist hand holding. I would also ask that the Government not feed into the press stirring irrational fears about IT security. For this nation to make it out of the current economic mess it will need clear, unobstructed lanes for information travel. If we keep on this path of reaction to threats instead of proactive measures then we will fail. There needs to be a top level initiative about cyber security and the threats that are faced, but it will only work if there is open discussion with people that are in the trenches now and deal with many of the issues. If the Government could just muster the courage to think past an election cycle and work with companies that are passionate about this, it can be a winning combination. The public can be safe, politicians can put their names on bills and business can grow because of the success of innovation. I just hope that there is real public and private cooperation to make this work and we care as much about cybersecurity as a pop star's death.


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
Topic starter  

The problem with the latter scenario is that we know what is happening and we know who is compromised and yet we do nothing about it. We don't need an executive order to shut the mess down, we need better vigilance, better cooperation between the public and private sectors, and we need more stringent criteria for who has access. Consider that in most states you can't put a car on the road without an inspection, yet you can put any computer on the Internet for next to nothing.

Sean, my friend, we have posted about this before - apparently no one in Washington reads Forensic Focus. Vigilance and embargoes (shotgun on buzzwords: e-embargo, cyber embargo) on networks that are known to be safe havens for botnets. Block traffic to certain networks on the top tiers when a known threat is originating from a particular location. Automatically enforce client side security measures before a computer can get past a proxy. There are capabilities out there to at least begin to make a difference. But it's always easier to talk about problems than to deal with them….


CdtDelta
(@cdtdelta)
Estimable Member
Joined: 17 years ago
Posts: 134

apparently no one in Washington reads Forensic Focus.

WHAT??????????? lol

(sorry, been one of those days)

Tom


Page 2 / 3