

POLICY REVIEW: ANOTHER STEP TO INTERNET CONTROL

May 31, 2009, by John 'J' Trinckes

A recent report entitled Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure just came out of the White House.

This report was written by a team of government cybersecurity experts that “inventoried relevant presidential policy directives, executive orders, national strategies, and studies from government advisory boards and private-sector entities.” The comprehensive review occurred over 60 days and was intended to “assess U.S. policies and structures for cybersecurity.” The team came up with ten (10) recommendations (or near-term action plans) that are ultimately supposed to mitigate cybersecurity-related risks. (Note: The report was not conducted by an independent group, nor does it even provide the names or affiliations of the individuals on the team of experts.)

Reading through the seventy-six (76) page report, I couldn't help critiquing the quality of work that went into the report. First, the run-on sentences were plenty and confusing. I found myself reading sentences two and three times just to make out what the author(s) were trying to explain. I consider myself to be an intelligent individual and a published author as well. I guess the old saying that 'it is good enough for government work' still applies.

Second, the report states that “the engagement process included more than 40 meetings and yielded more than 100 papers that provided specific recommendations and goals.” If this were the case, then why are most of the ten recommendations provided general in nature and rather vague in substance?

It is hard for me to believe that a comprehensive report could be completed in 60 days with as much information as would have to be reviewed from 40 meetings and over 100 papers on the topic of cybersecurity policy. This is especially true when the report defines cybersecurity policy to include:

“strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.”

Wow! That was a mouthful. Don’t worry, the scope of the report did not include “other information and communications policy unrelated to national security or securing the infrastructure.” I’m not really sure what this means since the report defines cyberspace as pretty much all encompassing:

“as the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”

The definition further goes on to say that “common usage of the term also refers to the virtual environment of information and interactions between people.” (Interesting, government control of the interaction between people.)

Why was this review necessary?

“America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration.” (Source: Report by the Commission of Cybersecurity for the 44th Presidency, December 2008). The report also states that:

“our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information.”

Really, we had sensitive military information stolen? When? Where? Who? Why was this not reported to us earlier? (I usually try to keep up on these types of things, but never heard about this one. While other sources were referenced in the report, this sentence had none.)

It is a known fact that “information and communications networks are largely owned and operated by the private sector, both nationally and internationally.” In addition, the private sector “designs, builds, owns, and operates most of the digital infrastructures that support government and private users alike.” The report indicates that there are many ways that the Federal government can work with the private sector. One way is by examining “existing public-private partnerships to optimize their capacity to identify priorities and enable efficient execution of concrete actions.” That’s nice, but it is nothing new. I mean, let's keep doing the same things that we have been doing and hopefully, we will get a different result.

What are some of the other ways that the Federal government can work with the private sector? How about setting up an "incentive mechanism," per the report, to make more secure products and services available to the public?

“Include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms.”

OK, we need more regulations to make cyberspace safe, right? Of course, “protecting cyberspace requires strong vision and leadership and will require changes in policies, technologies, education, and perhaps laws.” (You can be assured that there will be more laws coming down the pipe as I already hinted to in my last column Proposed Bill: Cybersecurity Act of 2009 (SB773) – How the President of the United States Can Control the Internet.)

No report from the government would again be complete without including the part about how much it is going to cost us [The American People]. “The Federal government should initiate a national public awareness and education campaign informed by previous successful campaigns.” (If these campaigns were successful in the past, then why are we at the point of urgency now in terms of our cybersecurity risks?) “The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.” “Appoint a cybersecurity policy official…” and “designate a privacy and civil liberties official…” (Just curious what the salaries and benefits would be for these two positions, heck, if it’s good, I may apply…. NOT!)

Let me digress for just a moment and explain how we’ve gotten to this point. According to the report, “the impact of technology on national and economic security needs has led the Federal government to adapt by creating new laws and organizations.” (Not a shock here.) The report indicates that even back in 1918, Congress authorized the President, through a Joint Resolution, to assume control of any telegraph system in the US and operate it as needed during World War I. In 1934, the Communications Act formed the Federal Communications Commission (FCC) to establish a broad regulatory framework for all communications, by wire and radio. In 1957, the Soviet Union launched Sputnik, the first man-made satellite. It was the peak of the Cold War and the US and the Soviet Union considered each other enemies. Americans were scared of this news and thought that since the Soviet Union was able to launch a satellite into space, they could launch a missile at us. In response to this and to give the US a technological edge over other countries, President Dwight D. Eisenhower (not Al Gore) created the Advanced Research Projects Agency (ARPA) in 1958. ARPA enlisted help from Bolt, Beranek and Newman (BBN) to create the first computer network connecting four computers running different operating systems. They called the network ARPANET. A lot of the protocols used on the Internet today were developed through ARPANET. As soon as larger networks joined, the Internet was born. (Source: computer.howstuffworks.com) The Brooks Act of 1965 gave the National Bureau of Standards (NBS), now the Department of Commerce’s National Institute of Standards and Technology (NIST), responsibility for developing standards and guidelines for federal computer systems. In 1984, Executive Order 12472 re-chartered the National Communication System (NCS) to include telecommunication assets owned or leased by the Federal government. (In 2003, the Department of Homeland Security inherited the NCS.)
In 1994, the Foreign Relations Authorization Act authorized the Department of State control over international communication and information policy. Now, we have the Cybersecurity Act of 2009 sitting in committee to give the President (or his designee) full control of the Internet under the disguise of security. (Or maybe it is War since we are still fighting two wars abroad and a war against terrorism, in all forms and on all fronts, at home.)

Back to the topic at hand, the report recommends “leading from the top” and appointing a cybersecurity policy official; however, “the cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally.” What? Let’s assign someone responsibility for cybersecurity, but not give them any authority to implement any changes. Maybe we need to run our government like successful private companies do. Most large companies have a Chief Executive Officer (CEO) (i.e. the President) that has full authority to run the company governed by the Board of Directors (i.e. Congress) that reports to the business Owners (i.e. the People). They put Chief Information Officers (CIO) or Chief Technology Officers (CTO) in charge of technologies to align with business goals. They also have Chief Security Officers (CSO) or Chief Information Security Officers (CISO) that report to Security Committees (made up of high level executives) or the Board of Directors directly to create an independence element. Security is normally in direct conflict with operations, but they both need to work together to create effective systems for continued business prosperity.

I found this to be pretty interesting as the report goes on to say:

“A paucity of judicial opinions in several areas poses both opportunities and risks that policy makers should appreciate—courts can intervene to shape the application of law, particularly in areas involving Constitutional rights. Policy decisions will necessarily be shaped and bounded by the legal framework in which they are made, and policy consideration may help identify gaps and challenges in current laws and inform necessary developments in the law. That process may prompt proposals for a new legislative framework to rationalize the patchwork of overlapping laws that apply to information, telecommunications, networks, and technologies, or the application of new interpretations of existing laws in ways to meet technological evolution and policy goals, consistent with U.S. Constitutional principles. However, pursuing either course risks outcomes that may make certain activities conducted by the Federal government to protect information and communications infrastructure more difficult.”

Well, we can’t have laws enacted to make the Federal government’s job more difficult, can we? I guess that is one of the reasons why President Obama nominated Judge Sonia Sotomayor. Judge Sotomayor is the first nominee with a cyberlaw record. Coincidence? I think not.

The report does a fairly good job in pointing out some hesitations that private sector industries have in partnering with the federal government. “Industry has also expressed reservations about disclosing to the Federal government sensitive or proprietary business information, such as vulnerabilities and data or network breaches.” “Industry may still have concerns about reputational harm, liability, or regulatory consequences of sharing information.” You think?

As a former police officer, one of the ploys we used was to have the suspect tell on themselves. We would give the suspect some false sense of hope that we were on their side, they should trust us, and things would go easier if they would just tell us ‘the truth’. (More times than not, the information the suspect provided to us created the case against them in the first place. Until the suspect started talking, we didn’t really have anything on them.) Do you think it would be any different if a company admitted to not following certain laws? Or, if they did, would the government grant some additional protection as the report puts it: “The civil liberties and privacy community has expressed concern that extending protections would only serve as a legal shield against liability.” So if a company is not keeping to its obligations in protecting their client's information, but as long as they tell the government about it and followed their standards in good faith (although these standards may have been lacking or not followed during a specific time frame that led to the security breach), they will be protected from lawsuits?

Here is another statement in the report that concerned me:

“Responsibility for a federal cyber incident response is dispersed across many federal departments and agencies because of the existing legal, but artificial, distinctions between national security and other federal networks.”

If my interpretation is correct, the report writers are pretty much saying that there is NO distinction between national security and other federal networks, thus any federal department or agency would be considered under the umbrella of a national security incident even if the department or agency doesn’t deal in national security related activity. Interesting, no?

I really like this one, “the government needs a reliable, consistent mechanism for bringing all appropriate information together to form a common operating picture.” Computer systems and networks have been around for about 50 years now and although technology has advanced, the government still hasn't gotten a good operating picture of their systems? This brings to my mind Cybernet in The Terminator movies. (I’m not saying we will have metal robots come to life to kill all humans, but if you recall the basis of the Cybernet program, it was to effectively monitor/control all government systems under one system. Unfortunately, Cybernet took over all these systems. It also contained some ‘artificial’ intelligence components. Wait, haven’t I heard this word 'artificial' before somewhere else?)

The report indicates that “we cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people.” It isn't?

“The Nation should implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.”

I bolded the ‘opt-in’ since I always take this as meaning optional. We all know how easy optional becomes mandatory through varied mechanisms of control. We are all too familiar with the government 'enhancing privacy' matters. What privacy means to me is not what privacy means to the government.

“The Federal government also should consider extending the availability of federal identity management systems to operators of critical infrastructure and to private-sector emergency response and repair service providers for use during national emergencies.”

Again with the national emergencies since we all know how well the Federal government has handled these in the past. As far as I’m aware, the current administration still hasn’t got anyone in control of the Federal Emergency Management Agency (FEMA).

There are fourteen (14) additional mid-term action plans, but again, they are all pretty general and vague with no direct guidance on how or what impact these recommendations would ultimately have in the real world or on cybersecurity.

As a point of reference, I highlighted the words ‘global’ and ‘international’ above. I counted at least 35 times that ‘global’ was used throughout this report and at least 76 times that ‘international’ was used. Coincidence? I think not. (Can anyone say New World Order?)

In conclusion, I’m a huge proponent of Information Security and making the Internet (i.e. cyberspace or whatever you want to call it this week) more secure. It is very important to me. I live it, I breathe it, and I know some of the risks and threats are real; however, I don’t believe this report provides a clear, concise solution to the problems. It appears more to me to be some sort of mission statement or one group’s agenda on how to take control of the Internet (i.e. cyberspace) under the disguise of assuring a trusted and resilient information and communication infrastructure. (I don't know about you, but my Internet (i.e. cyberspace) connection has been on and running pretty well over the last few years. I mean, there are those moments that it doesn't work just the way it should, but these occasions are rare and far between.) Isn't this the reason why we need more regulations and control from the government, to ensure 100% uptime, right?

I do have to agree with at least one statement from the report: “The Federal government is not organized to address this growing problem [cybersecurity] effectively now or in the future.”

"This is just one of those reasons why I hate stupid people."

Related Article:

Cyber bill squelches speech, curtails liberty, by Bob Barr

© 2009 John 'J' Trinckes - All Rights Reserved - http://www.newswithviews.com:80/Trinckes/john101.htm


PROPOSED BILL: CYBERSECURITY ACT OF 2009 (SB773)

May 23, 2009, by John 'J' Trinckes

How the President of the United States Can Control the Internet

As if the government doesn't control enough in our lives, a new bill was introduced in the Senate on April 1, 2009 that basically gives full control of the Internet to the President of the United States. As of this writing, the bill is currently in the Commerce, Science, and Transportation Committee.

The bill, as proposed, is short titled “Cybersecurity Act of 2009” (Click here for full text), and its purpose is:

“to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.”

I don't know about you, but I always get nervous with an open-ended statement of ‘for other purposes’. So let's take a look at this proposal and break down the real intent of this bill, shall we?

The act designates a Cybersecurity Advisory Panel to the President. Although I may not totally disagree with this endeavor and feel that the President needs to be educated as much as possible on security threats especially when it comes from Cyberspace, I'm not that convinced that there will be real experts in the field on the panel, but rather, another way for the government to ‘throw bones’ out to their friends and family members.

The act continues with the development of a real-time cybersecurity dashboard under the responsibility of the Secretary of Commerce. As a security expert working in the field, I've never before seen the Secretary of Commerce deal with cybersecurity related items. Most of the time, security is synonymous with Department of Homeland Security or the National Security Agency. Other executive departments (FBI, CIA, etc.) normally have responsibility over their own security matters. Besides this, there is already a National Vulnerability Database in place to track cybersecurity related threats.

No act would be complete without the government spending more money. This one is no different. The Cybersecurity Act of 2009 will create and support Cybersecurity Centers (again, run by the Secretary of Commerce). “The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in [the] United States through:” transfer of cybersecurity knowledge; participation from industry, university, state governments, federal agencies, and the National Institute of Science and Technology (NIST); efforts to make cybersecurity software/hardware usable by small- and medium-sized business; active dissemination of information, utilization of federal laboratories; and making short term loans to small businesses (defined as a business having less than 100 employees) for advanced cybersecurity countermeasures.

The act designates financial support not to exceed 50% of annual operating/maintenance costs for non-profit organization(s). I'm not sure where the funding for the other 50% is going to come from to support these centers. I'm assuming, which I hate to do, that it would come from donations and the interest earned from the short term loans? There is going to have to be some basis for revenue to continue operation of these centers in order for them to survive and accomplish their goals. (I guess they could always ask for a bail-out if they don't succeed.)

Of course we will need standards, and the act will require critical infrastructure systems to follow the NIST standards. To make sure that departments (or companies) handling critical infrastructure systems comply with these standards, the Director of NIST shall:

“enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors, and shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.”

I have a couple of issues here. First, I'm not sure what periodically means. Is this annually? semi-annually? bi-annually? I hate laws that are vague and allow for interpretation. If the government wants compliance, it should be specific in when it wants it. Second, I'm not sure what type of enforcement authority the Director will have. Will he/she issue fines or other penalties to force compliance?

Section 7 will have a direct effect on me and my livelihood. This section introduces licensing and certification requirements for cybersecurity professionals. Like I don't have enough certifications, education, and real-world experience dealing with cybersecurity matters already (see my bio below), now I’ll have to get approval from the government and pay a ‘fee’ to continue to work. I'm not opposed to demonstrating my abilities and providing credentials to my clients in an effort to ensure them that I know what I'm talking about when it comes to information security, but now I’ll have to pay another fee to show it as well. It will be interesting to see what type of licensing, certification, and periodic recertification program will be required since it is left up to the Secretary of Commerce to develop and coordinate. (Do doctors and lawyers have a national licensing?) Furthermore, since cybersecurity services and critical infrastructure information systems are not specifically defined in the act (which we will discuss in a moment) it will be interesting to see how this all works out.

In addition, the act doesn't specify if violating these requirements will be a misdemeanor or felony and doesn't list any sanctions like imprisonment or fines. Maybe it will fall under practicing cybersecurity related activity without a license? And then what will be defined as cybersecurity related activity in the scope of this new act? As a point of reference, the common acceptable definition of cybersecurity is “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” Source: Merriam-Webster.com

Another definition of cybersecurity is “the protection of data and systems in networks that are connected to the internet. See information security.” Source: Pcmag.com

So if you are installing or updating your anti-virus software, I guess you could be found guilty of practicing cybersecurity related activity without a license.

In Section 14, we find the act establishes a public-private clearinghouse under the Department of Commerce. (Again, why we are seeing so many of these security related items under Commerce is beyond me.) This one shall surely get you: “The Secretary of Commerce -- shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access.” Say what? Without regard… to any provision of law … any relevant data… (Of course, relevant data is again, not defined here.) I thought this country was built on laws?

This brings us to the main point of this article. The act does not specifically define critical infrastructure systems; suffice it to say that the President (or his designee) can define them in any form he wants. If he goes by a previous Presidential Decision Directive 63 (PDD-63), critical infrastructure systems are those systems that are crucial for survival. The critical infrastructure of the U.S. is telecommunications, energy, banking and finance, transportation, water systems and emergency services, among others. (source click here)

*PDD-63 (Presidential Decision Directive-63) An order by President Clinton on May 22, 1998 to define U.S. federal government policies on critical infrastructure protection. PDD-63 is the foundation document for the creation of the National Infrastructure Protection Center (NIPC), the United States Computer Emergency Readiness Team (US-CERT) and other organizations devoted to protecting the nation's crucial industrial and financial base. For more information, visit here. See critical infrastructure.

There is reference to what constitutes a critical infrastructure information system and network from a quote supplied as a basis for the act.

“According to the February 2003 National Strategy to Secure Cyberspace, ‘our nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system--the control system of our country’ and that ‘the cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership.’”

This pretty much covers everything, but if the President (or his designee) expands the definition, it could include any and all systems connected in some form or fashion to the Internet.

Here is the kicker. Section 18 of the act provides the President the authority to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network.” It further contends that the President can “order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security.” Unfortunately, the act does not define what constitutes a cybersecurity emergency. In addition, the part about national security is also rather vague.

So, ladies and gentlemen, how does the President of the United States control the Internet? Just have the Cybersecurity Act of 2009 pass as written.

“This is just one of those reasons why I hate stupid people.”

© 2009 John 'J' Trinckes - All Rights Reserved

http://www.newswithviews.com:80/Trinckes/john100.htm


Cyber bill squelches speech, curtails liberty

The Internet — arguably the most empowering and important innovation of the modern era — is in danger of being stifled by the heavy hand of government control. Legislation now pending in the U.S. Senate would give the president, the Department of Commerce and other federal bureaucracies absolute power to define the Internet’s usage and to close it down at will.

While the “Cybersecurity Act of 2009” so far has only a few sponsors, it appears on a fast track for hearings, mark-up and passage.

This cybersecurity bill presents itself as a necessary and carefully considered response to a legitimate problem — the lack of adequate security measures for national security programs and infrastructure sectors. It is, however, a cyber-wolf in sheep’s clothing. As introduced by Democrat Jay Rockefeller and Republican Olympia Snowe, the legislation’s scope and power to reach every corner of the vast Internet system — including individual, private Internet usage — raises extremely troubling privacy and censorship concerns.

When coupled with provisions in the little-known International Cybercrime Treaty ratified by the Senate in 2006 under pressure from the Bush administration, enactment of the Cybersecurity Act of 2009 presents the very real possibility of direct interference by other nations and international organizations in domestic Internet use.

As with most pieces of bad legislation, this one starts with high-sounding “findings” that mask and divert focus from its actual effects. The preliminary section, for example, correctly states that “failure to protect cyberspace” constitutes a serious national security problem, and that a cyber attack on our national power grid, for example, could be devastating.

However, rather than focus solutions to these problems on areas properly within the scope of the federal government the legislation sweeps so broadly as to grant the federal government virtually unfettered and unreviewable power over every aspect of the Internet, from the most complex national security segment to the smallest individual user.
First, the bill defines the operative term, “cyber,” to include: “any process, program, or protocol relating to the use of the Internet or … transmission … via the Internet,” and “any matter relating to, or involving the use of, computers or computer networks.”

The bill incorporates within the unwieldy term “federal government and United States critical infrastructure information systems” the following: all “state, local, and nongovernmental information systems … designated by the President as critical.”

It is easy to understand the concern of many Internet users and network administrators, especially when considered in the context of the actual powers the act proposes to give the federal government.

The president is empowered to declare a “cybersecurity emergency” (not defined in the bill) and “order the limitation or shutdown of Internet traffic to and from” any of the defined networks! Even in the absence of declaring a so-called cybersecurity emergency, the president can order the shutdown of any of the defined networks whenever he decides doing so would be “in the interest of national security.”

The bill grants deeply troubling powers over private-sector use of the Internet that should bother every user and purveyor of Internet services. Such concerns are heightened when considering that the 2006 Cybercrime Treaty requires U.S. law enforcement agencies to grant to foreign governments that have likewise adopted the treaty, access to an Internet service provider’s customer use records.

If signed into law, the 2009 Cybersecurity Act would constitute the second half of a one-two punch effectively neutering the Internet.

http://blogs.ajc.com/bob-barr-blog/2009/05/20/cyber-bill-squelches-speech-curtails-liberty/?cxntfid=blogs_bob_barr_blog


© 2010 Heartlink Blog. All Rights reserved.
Contact Us: blog@cabiz.net http://heartlink.wordpress.com