New Legislation Would Federalize Cybersecurity

samzenpus posted more than 5 years ago | from the big-brother-security dept.

Security 194

Hugh Pickens writes "Senators Jay Rockefeller and Olympia J. Snowe are pushing to dramatically escalate US defenses against cyberattacks, crafting proposals in Senate legislation that could be introduced as early as today, that would empower the government to set and enforce security standards for private industry for the first time. The legislation would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. 'People say this is a military or intelligence concern, but it's a lot more than that,' says Rockefeller, a former intelligence committee chairman. 'It suddenly gets into the realm of traffic lights and rail networks and water and electricity.' The bill, containing many of the recommendations of the landmark study 'Securing Cyberspace for the 44th Presidency' (PDF) by the Center for Strategic and International Studies, would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. The legislation calls for the appointment of a White House cybersecurity 'czar' with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway. It would require the National Institute of Standards and Technology to establish 'measurable and auditable cybersecurity standards' that would apply to private companies as well as the government. The legislation also would require licensing and certification of cybersecurity professionals."

194 comments

Last one out.... (0, Redundant)

theshowmecanuck (703852) | more than 5 years ago | (#27426929)

Shut the light off.

Re:Last one out.... (5, Interesting)

Z00L00K (682162) | more than 5 years ago | (#27427323)

This may be a late April fools joke by government standard, but it sure contains plausible concerns.

Concerning the document, I would say that it isn't a joke, but you may have to express some concerns about whether the proposed methods are causing more problems than they are solving.

If you shut down a whole network, then you also cut off the owners of possible infected computers from the services that may help them to clean them up. This has been tried before within larger companies which just ended in a deadlock, nothing was done at all until the network was up again. In effect - you got an ultimate D.o.S attack!

If anything - put more effort into hunting down and apprehending the perpetrators. This will give a much better result in the long term. In effect - follow the money.

Another approach would be to put more effort into hardening of operating systems and tools for operating system management. SELinux is one good example, but unfortunately this only works to some extent and it only covers one area of security measures.

One detail that also is cause for concern is ISPs that migrate from several routed segments to a large segment where switches are used instead. It makes sense from an economic perspective, but it's not making sense from a security perspective. This means that more computers can be joined into dark nets using private IP addresses for internal communication, which in turn can make attacks even better coordinated.

Large switched segments where private IP addresses propagate can also result in new intriguing ways of obscuring file sharing traffic and other traffic that is to be masked. This can result in the funny effect of making a whole town suspected of possession of child pornography.

Re:Last one out....bad episode of twilight zone (0)

Anonymous Coward | more than 5 years ago | (#27428123)

As I see big brother re-run of the twilight zone using my streamed video feed
from the government server farm, I'm asked for my DRM CLIP TV chip passcode....to watch!
They've already censored most of it with web filters and such. What next.. either
I turn the IP channel or disconnect from it.

It will be named.... (1, Funny)

feepness (543479) | more than 5 years ago | (#27426941)

Standardized KeYing NETwork.

Not such a good idea (5, Interesting)

Bruce Perens (3872) | more than 5 years ago | (#27426943)

I don't tremendously trust the government to:
  • Maintain competence in a technical topic undistorted by political agendas.
  • Be free of influence from deep-pockets technical companies to the disadvantage of smaller and disruptive players.
  • Be platform-independent in their requirements and certification process.
  • Segregate the power to turn off segments of the network to manage attacks vs. turning them off to manage other issues such as some misguided concept of "piracy", etc.

I side with Vinge in believing that segmentation of the network is a sure indicator of a government going feral.

Bruce

Re:Not such a good idea (4, Insightful)

rackserverdeals (1503561) | more than 5 years ago | (#27427087)

Yeah but what can we do? We're just a bunch of people that bitch and moan on slashdot.

If only there were some respected, well known figures in the tech world that could try and get the ear of people that mattered.

If only there was someone that already had advised the Obama administration, other national governments and even spoke at the UN that could raise the concerns with people that matter. :)

Re:Not such a good idea (3, Insightful)

fferret (58662) | more than 5 years ago | (#27427681)

Speak for yourself. I'm a /.er who bitches, moans, and runs two private networks, the one at work, and the one at home. I agree that the government cannot be trusted to be impartial, but I also agree that cooperative action must be taken to forestall a network issue. Perhaps the best way to handle this would be a mutual cooperation agreement between the upstream ISP, and the private network admin. That would be sufficient for most problems. Since the Internet is non-deterministic, anything widespread enough to require a national response is going to have probably brought down the net anyway. Top-tier ISPs, (if they don't already) should have co-op agreements in place. This means that the fed only has to coordinate with the Tier 1 ISPs on national/international issues. I would also point out that the government cannot (and in many cases will not,) act to preserve data that it considers irrelevant to its current concerns.

Re:Not such a good idea (1)

shadowbearer (554144) | more than 5 years ago | (#27427147)

  * Appoint people who know how to do all of the above, or who will listen to people who would give them good advice.

SB

Re:Not such a good idea (4, Insightful)

phantomfive (622387) | more than 5 years ago | (#27427209)

Optimist! :)

Personally I don't trust government to:
  • Maintain competence. Period.
  • Be free of influence from deep-pocket companies. Period.
  • Come up with any sort of sane requirements. Period.
  • Manage power in any way that doesn't attempt to increase their own.

In choosing democracy we've (wisely) given up some effectiveness in government in order to avoid having dictators. However this current government seems to have gone off the deep end, insanely grabbing power, and then not knowing what to do with it once they have it.

On the bright side, after the coming mass-inflation, they essentially won't have any power due to the fact that they'll have no money (at least, no money that's worth anything). On the depressed realistic side, how can we reasonably expect our representative government to manage money/things when half the population is incapable?

Re:Not such a good idea (1)

timeOday (582209) | more than 5 years ago | (#27427453)

this current government seems to have gone off the deep end, insanely grabbing power, and then not knowing what to do with it once they have it.

How so? Attaching some strings to the tax money they pump into failed businesses? We certainly seem headed for a bad economy, but allowing it to implode unimpeded may well have been even worse. There are no good options.

As for the new cyber-security initiative being flawed, compared to what? The baseline is: nothing. Assuming the govt. will fail at policing the networks of critical infrastructure is like assuming the govt. will fail at policing the streets, which is manifestly false. Our police and courts aren't perfect, but they're a far sight better than anarchy, and all-in-all well worth the taxes that support them. Certifying cybersecurity professionals may not be a 100% guarantee, but again, the baseline is no certification. I'm glad dentists and doctors have to be certified, even though malpractice isn't fully eliminated.

Re:Not such a good idea (5, Insightful)

phantomfive (622387) | more than 5 years ago | (#27427587)

How so? Attaching some strings to the tax money they pump into failed businesses?

You clearly haven't been paying attention. Apart from trying to tax bonuses with unconstitutional laws, they've bailed out some companies while letting others fail with no clear motive, they've bailed out companies when letting them fall into bankruptcy would likely be a better option, they've spent a lot of money on projects that won't particularly help the economy all that much, they've spent so much money that inflation will be hard to avoid in the near future (and you REALLY don't want inflation during a recession), they've sent unclear messages about what they are trying to accomplish (some have speculated that Bernanke's ultimate goal is to never be accused of not spending enough), and on top of it they've proposed a budget that will triple the national debt in 10 years, and double it in five. If you want to go back a little farther, we can talk about starting two wars, not a great idea to begin with, but more importantly they were waged with clear incompetence from the beginning.

As for the new cyber-security initiative being flawed, compared to what? The baseline is: nothing.

I don't know if you are trolling here, or if you just haven't read the article, but they want the power to shut down any network they want. This is significantly worse than nothing, for reasons pointed out by Bruce above.

Sometimes it is better to do nothing. As the saying goes, "Don't just do something, stand there!"

Re:Not such a good idea (3, Insightful)

jandersen (462034) | more than 5 years ago | (#27427707)

I know it is a national pastime in America to be as negative about government and politicians as possible, and unfortunately it isn't all unjustified. But if you can't see anything good or positive even in your worst enemy, you are seriously blinkered; and what is worse, you cut yourself off from the possibility to communicate from a common basis and thus from any chance of exerting any influence. Isn't this what keeps all the stupid regional wars going for generations? The Middle East, Sri Lanka, Northern Ireland until recently, much of Africa etc etc.

Your all-out, negative attitude actually plays into the hands of lousy politicians - they want you to think it is hopeless to try to change things, so they can go on and line their own pockets the way they know best.

Re:Not such a good idea (1)

phantomfive (622387) | more than 5 years ago | (#27427769)

You are right, government doesn't have to be bad, and it could be worse, however, the truth of the matter is, there is a high level of incompetence in the US government right now. The infrastructure is falling apart (we literally had a bridge fall down while people were driving over it), the social security has needed some fixes for a while now that were obvious, and yet no one has fixed them; the list goes on. If you can't take care of the basics, if you can't even maintain a balanced budget (which is where California especially is), then you fall into the category of incompetent. I stand by the four points I made in my previous post.

This is why it is important that we have more transparency in government, so we can see what they are doing and can do something about it if they do stupid things, like this lame law, for example.

Speciation Of The Internet (1)

broward (416376) | more than 5 years ago | (#27427213)

"a government gone feral"

I argue that it's an inevitable outcome of ecological diversification of information and the Internet. It's not just occurring in the United States. The internet is "speciating", evolving differentiation in order to limit infectious memes.

http://www.realmeme.com/roller/page/realmeme?entry=global_differentiation [realmeme.com]

Is our government nuts?
Well, yes.
But that's a separate issue.

Re:Not such a good idea (5, Informative)

clarkkent09 (1104833) | more than 5 years ago | (#27427329)

Missed an important one:

- Not abuse access to data held by said companies

Let me get this straight, NSA (the agency recommended for the job according to tfa) will conduct "ongoing audits" of private networks owned by the utilities (telecoms too?) and nowhere does it say that this does not include access to mountains of data held by those utilities on just about every person in the US

Re:Not such a good idea (1, Interesting)

Deanalator (806515) | more than 5 years ago | (#27427473)

I think that this is a great idea.

I think that the government needs to have a hand in every industry that profits off of people's misfortunes.

Medical companies have no financial incentive to keep people healthy the same way that infosec companies have no financial incentive to secure the nation's infrastructure. Instead of research scientists working for cures we have greedy corporations that have risen up, trying to sell the antidote of the day.

What if, instead of hoarding 0day and designing proprietary crypto, the National Security Agency actually published their research publicly? What if their research allowed Americans to make secure phone calls with each other, instead of finding new ways to wiretap us? What if, with all their unlimited funding, they released their static analysis methods to the public and actually made America a more secure place?

Re:Not such a good idea (2, Insightful)

Toonol (1057698) | more than 5 years ago | (#27427717)

For every positive what if, I can construct a negative one, and it's more likely to come true. We want the government that governs least; that's the best (to paraphrase). When any action from the government is likely to make the problem worse (evidence: I point to the economy), the best course is to forbid it from meddling at all.

Rockefeller and Snowe? (4, Interesting)

cusco (717999) | more than 5 years ago | (#27426945)

Do either of them have any clue about what they're legislating? Hope they've got someone on their staffs who knows the difference between a SCADA system and a server farm, because I'm quite sure they don't. The alternative is that they've let the intel agencies and the security industry write the legislation, which is just about the worst possible alternative.

go ahead (1)

TrueRecord (1101681) | more than 5 years ago | (#27426951)

New laws -> new prisoners -> new prisons -> new slave market

Re:go ahead (0)

Anonymous Coward | more than 5 years ago | (#27426959)

I patented that!

You owe me bigtime, bucko!

Re:go ahead (1)

TrueRecord (1101681) | more than 5 years ago | (#27426983)

My kingdom knows no patents.

Re:go ahead (0)

Anonymous Coward | more than 5 years ago | (#27427027)

Where's my -1, Retarded mod option?

Re:go ahead (1)

shentino (1139071) | more than 5 years ago | (#27427169)

I think it's "+1 Underrated"

To smite the mod, be a metamod.

Re:go ahead (1)

Tenebrousedge (1226584) | more than 5 years ago | (#27427309)

Underrated? A whole five words, that nonetheless manages to be inane and pointless? I disagree vehemently.

Your comment about smiting mods is rather non sequitur; as of now there has not been any moderation on that comment. Also, there's nothing 'meta' about the moderation these days: a lamentable change in policy.

Re:go ahead (1)

knappe duivel (914316) | more than 5 years ago | (#27427255)

You must be new here. AC's don't get to mod.

Re:go ahead (0)

Anonymous Coward | more than 5 years ago | (#27427293)

However, mods who wish to comment must do so anonymously, or else undo their moderations.

Again, where's my -1 Retarded mod?

Re:go ahead (0)

Anonymous Coward | more than 5 years ago | (#27427119)

-> profit! ?

Sure, why not (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27426991)

They already have arbitrary control over hiring, firing, and wages at private companies, why not authority over private networks too? If we're becoming neofascist, may as well go whole hog.

The current situation is living proof of the old saying, people get the government they deserve.

No, it is Liberal Fascism (1, Informative)

Anonymous Coward | more than 5 years ago | (#27427229)

You can even read the book or the blog [nationalreview.com]

Subject (0, Troll)

z-j-y (1056250) | more than 5 years ago | (#27426995)

HA-HA. April Fools!

More Than Meets The Eye (1)

hypnolizard (1464539) | more than 5 years ago | (#27426999)

Got to be some self-interest behind this. Who are the lobbyists?

Re:More Than Meets The Eye (0)

Anonymous Coward | more than 5 years ago | (#27427069)

Microsoft?

Re:More Than Meets The Eye (1, Informative)

Anonymous Coward | more than 5 years ago | (#27427205)

Name a defense company. It's a veritable Who's Who of Beltway Bandits.

Cybersecurity 'Standards' (5, Insightful)

actionbastard (1206160) | more than 5 years ago | (#27427001)

"measurable and auditable cybersecurity standards" that would apply to private companies as well as the government.

Until your elected representatives fully understand that any public infrastructure networks should not be connected to the 'Internet' -for any reason- any discussion of 'cybersecurity' is simply wasted words. WTF does it take for these 'public officials' to realize that critical infrastructure networks need to be completely isolated and secured from the hostile environment that the 'Internet' has become?

Re:Cybersecurity 'Standards' (5, Insightful)

jofny (540291) | more than 5 years ago | (#27427067)

"Public Officials" have absolutely -nothing- to do with where "public infrastructure" networks are connected since this "public infrastructure" is almost exclusively -privately- owned. You really, really don't want the federal government making these decisions. Really.

Actually they do (4, Insightful)

actionbastard (1206160) | more than 5 years ago | (#27427101)

'Public officials' are responsible for making sure that infrastructure like traffic lights, water systems, sewage systems, and the like, are completely secure and isolated from any 'public' network like the 'Internet'. If the control systems for these critical systems are connected to the 'Internet', every citizen should be outraged at the complete disregard for the security -or lack thereof- for these systems.

Re:Actually they do (1)

jofny (540291) | more than 5 years ago | (#27427237)

1. The people who own those assets are responsible for it, at the end of the day. In many cases, they're private companies which are free to figure out how to run their own businesses as they see fit. In some cases, it's a sort of mixed situation where they're owned by local municipalities with some of the same constraints (and sometimes additional constraints) as privately owned utilities. Finally, some are nationally regulated.

2. It would have been nice to never have connected these utilities to the internet in the first place, but as they are now there, extracting them can be extremely difficult.

3. If you think having something as politically hampered, slow moving, and expensive as the US government take control of privately or local government owned utilities, you haven't dealt much with the federal government.

If you think response has been slow and crappy so far? Just imagine the world's largest bureaucracy running national cyber security and trying to keep up with evuhl -insert country of choice- hackers. That's a good solution, really!

Re:Cybersecurity 'Standards' (2, Informative)

jofny (540291) | more than 5 years ago | (#27427081)

As an aside, if you do actually want to get educated on current efforts, start here: http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm [dhs.gov]

I don't need no education (2, Interesting)

actionbastard (1206160) | more than 5 years ago | (#27427135)

Common sense approaches to system security tell me that if I was in charge of these systems they would be secured by every means possible. There is absolutely no excuse for exposing critical infrastructure to attack by every thirteen year old Romanian hacker on the planet because I was not familiar with the latest means to secure my networks. This is, after all, the 21st Century.

Re:I don't need no education (1)

jofny (540291) | more than 5 years ago | (#27427189)

You obviously do need an education here. Go check out the actual reality of the situation, how about? As I said, read the NIPP. Then HSPD-7 which generated it. Then look at the sector specific plans. Then check out the archives of SCADASEC for some asset-owner perspectives. Maybe you'll come away with a better idea of the grey, in-progress state it's in, the progress that's been (or not) made, and what the financial and operational constraints are. Some of it sucks. Some of it's good. Mostly, it's an evolving, complex situation that is being worked on.

Re:I don't need no education (0)

Anonymous Coward | more than 5 years ago | (#27428101)

The other thing is, the government is all about security, but there are different levels of security across the whole "Gov" realm of things. The Navy lets their programmers have full admin rights on their boxes, the Army (mostly) doesn't let anyone have admin rights on their boxes and there are still government entities out there that are still running Windows 2000 boxes on their networks - something that was supposed to be flat out banned two or so years ago...

The major problem is, the government hires people they believe deserve the position the most. Notice I said "deserve" - not most fully qualified. I just came from an entity as a contractor where I knew more than a recently hired sysadmin and a security guy put together - and I was a Database Admin. Those guys got those positions because they were prior military - if someone like me applies for the same exact position, they get priority over myself since they were in.

Great system to take care of your own, but when it comes to networks, security, etc - it means you leave your systems wide open. The Databases I ran had run in standard install form for 4 years. When I showed up, I started securing everything and it made life difficult for programmers (I took SA access away, booted them off Production boxes, etc), but they let me do it. The security guy these idiots hired took a newly installed server with no security updates, connected it up to the network and started pulling Windows Updates - when it was brought to the attention of management - "He's just doing his job how he wants..." Needless to say, I no longer work there because I'm not going to be responsible if a box gets rooted.

Oh, and my interview - no technical questions, it was a personality test with "Rate x skill on 1 to 10" questions... The government must look at itself for security before it starts looking at others.

Cost-performance (1)

Mathinker (909784) | more than 5 years ago | (#27428151)

> I don't need no education

I like Pink Floyd's music as much as the next man, but quoting them, out of context, in a forum which is supposed to be for informed debate won't get you brownie points, at least with me. The opposite, in fact.

> Common sense approaches to system security tell me that if I was in charge of
> these systems they would be secured by every means possible.

OMG, I'm glad that you aren't in charge of things. Do you have any idea how much it would cost to secure them "by every means possible"? That would include large vaults and armed guards, eh? Like with everything else, you have to evaluate advantages and disadvantages and make a decision. Not fly off the handle like you're doing. This doesn't mean I disagree that connecting the systems to the Internet might be a bad idea. Assuming the systems do need communications, you'll still need to connect them to some other network, and you'd have to secure that network instead. BTW, if you want that network to be hermetically isolated from attack, you'd probably have to build it from scratch, at an enormous cost.

Frankly, I'd guess that using specially certified VPNs running between specialized embedded endpoints which run off of non-writable memories might be secure enough, even if it used the Internet as a communications medium.

Re:Cybersecurity 'Standards' (1)

ljw1004 (764174) | more than 5 years ago | (#27427337)

Banking?

The same story applies. Your bank account details are so precious that they should never be exposed on the internet. And yet you do use online banking. The benefit in convenience outweighs the security risk.

The same convenience applies to water, electricity, traffic lights and other parts of the public infrastructure. If we can manage the risk through security protocols, then using the public internet for remote management makes for increased efficiency.

Increased efficiency is a good goal. If the only argument against it is the unlikely risk that "terrorists might switch off our electricity supply" -- a risk that so far has no basis in fact -- then we should go for it.

Right! (5, Insightful)

koterica (981373) | more than 5 years ago | (#27427011)

Because US government officials ALWAYS make good technical decisions. Because the placement of officials is NEVER based on politics rather than skill.

Maybe we could legislate some openness instead.

CIP device (1)

Veramocor (262800) | more than 5 years ago | (#27427013)

Hopefully the terrorists won't get hold of the CIP device.

Never was the "It's a Trap" Tag More Appropriate (5, Interesting)

Anonymous Coward | more than 5 years ago | (#27427023)

Large vendors are behind this. With all the extra security certifications and processes that small businesses (or independent/open source developers) will be required to apply because of "security" open source would be closed out of the market by this.

Please watch this very carefully. Red Hat and free software companies actually large enough to have lawyers, please, please, please sniff out the rats.

Re:Never was the "It's a Trap" Tag More Appropriat (4, Informative)

shentino (1139071) | more than 5 years ago | (#27427159)

What about SELinux?

Isn't it NSA sponsored?

Re:Never was the "It's a Trap" Tag More Appropriat (1)

SirGarlon (845873) | more than 5 years ago | (#27428183)

NSA started SELinux but stopped development several years ago. Or at least, stopped sharing what they developed. ;-)

Re:Never was the "It's a Trap" Tag More Appropriat (1)

ElectricTurtle (1171201) | more than 5 years ago | (#27427175)

Mod parent up.

Sooo... (1)

NoobixCube (1133473) | more than 5 years ago | (#27427025)

The April Fools crap is over now? It's a silly day anyway.

How about one good joke (1)

fat_mike (71855) | more than 5 years ago | (#27427033)

We all know that today is/was April 1st. We all know Slashdot will roll out a whole bunch of crappy jokes. It is getting really old.

Here's a thought...how about one really well thought, well planned, actually funny joke.

If this is not an April Fools joke that's... (2, Insightful)

Phizzle (1109923) | more than 5 years ago | (#27427039)

...trying to get under the wire, then please just fucking shoot me.

Re:If this is not an April Fools joke that's... (1)

isa-kuruption (317695) | more than 5 years ago | (#27427065)

Bang!

Re:If this is not an April Fools joke that's... (1)

DigiShaman (671371) | more than 5 years ago | (#27427141)

Don't be naive. Did you really think the Internet would remain some wild-wild-west fantasy of freedom?

Individual freedom is the antithesis to Political control.

Re:If this is not an April Fools joke that's... (1)

guyminuslife (1349809) | more than 5 years ago | (#27427269)

The link is to WaPo. I think they're a bit stodgy to be playing April Fools jokes. And if they did, it would be geared toward a more general audience.

government? (0)

Anonymous Coward | more than 5 years ago | (#27427055)

christ... what is this world coming to?

Please please please (1)

boogerme0 (1151469) | more than 5 years ago | (#27427071)

Please let this be an April Fools joke.

The Real Deal, and I can prove it (0)

Anonymous Coward | more than 5 years ago | (#27427109)

It's not an april fools post. The news article it links to is from 3/31/09.

What a shitty world you Statists are creating (0)

Anonymous Coward | more than 5 years ago | (#27427121)

What a shitty world you Statists are creating.

Of course, in your Orwellian DoubleThink, Memory Hole, I am sure when this fails you'll just blame it on Bu$Hitler & the Jews. [ning.com]

Re:What a shitty world you Statists are creating (2, Insightful)

DigiShaman (671371) | more than 5 years ago | (#27427173)

Misery loves company. That's why many Statists will drag the rest of society down to their level. We must all suffer together so we may be bonded together with a closer kinship they say. Ya, right. Uh huh. Sure....

And people wonder how the horrors of Communism rear their ugly head throughout the world.

Re:What a shitty world you Statists are creating (1)

smoker2 (750216) | more than 5 years ago | (#27427815)

Yeah, like Britain, Germany, France, the Netherlands, Sweden, Norway, Spain, Italy, Belgium - in fact most civilised countries in the world.

If you want to live in a dog eat dog world go and do it. See how long you last. I don't believe communism is responsible for the recent financial meltdown, throwing people out of work and their homes.
Idiot.
At the rate the world population is growing, you will either get along with others peacefully or you will engage in constant war. No one group or person has any more intrinsic rights than any other, so why pretend they do? Unless you want everything YOUR own way of course, which marks you out as a selfish asshole, no better than Madoff.

Enforcing compliance... (4, Interesting)

gillbates (106458) | more than 5 years ago | (#27427143)

If passed, this could have the effect of a de-facto outlawing of Linux. For example, consider the typical small business owner's plight: he uses Windows mostly on the desktop, but has a few Linux servers handling things like mail and print services.

  1. Government inspector pays a visit.
  2. Government inspector verifies the desktops have the latest Microsoft patches and antivirus installed.
  3. Inspector then moves on to the server room, where Linux is installed. Inspector can't determine that "latest Microsoft patches are installed", so machines are marked as non-compliant.
  4. The business owner has 15 days to rectify the "non-compliant" situation. His IT guy tries to explain to the government inspector that Linux is its own operating system; that it doesn't need patches from Microsoft, indeed, that it can't even run said patches...
  5. Government inspector's response: "You have to install the latest patches from Microsoft. If your software doesn't support the latest patches, you have to upgrade."
  6. Small business has no choice but to move their servers to Windows so that Government inspector will sign off on compliance certificate. Score one for Microsoft, scratch one Linux installation.

I understand the government wants to ensure "cyber security" - whatever that means - but they, of all organizations, are the least qualified to implement it. The conflict of interest between big business and government interests is just too great for this to be anything but a tremendous waste of time and money.

And this without even considering the larger question of why the government should have any control over the software private users run on their own computers.

  • In the name of cyber-security, you will be required to run government-approved software. Which, if it isn't outright insecure in the first place (I'm looking at you Microsoft!) will provide a convenient avenue for the government to insert its own backdoors for spying on the public at large.
  • While we're at it, why not use OS hooks to cap the user's bandwidth so they *cannot* download more than the large telecoms think they should.
  • Oh, and what a convenient way to stop piracy. Look! This government-required security software reports back to the studios when a filesharing client is installed.
  • Why bother knocking down the door, when the Virtual Search Warrant (TM - Microsoft) will allow the police to keep us all "safer" by allowing law enforcement to check our computers for illegal content...

Re:Enforcing compliance... (1)

TrueRecord (1101681) | more than 5 years ago | (#27427203)

This way Linus will return home to Europe and will be free to do whatever he wants with the kernel, and he will forget the States like a nightmare.

Re:Enforcing compliance... (0)

Anonymous Coward | more than 5 years ago | (#27427483)

DUMBASS everyone knows that Linus Torovaldis is from RUSSIA!

Re:Enforcing compliance... (1)

TrueRecord (1101681) | more than 5 years ago | (#27427521)

FYI, there's Europe in Russia too.
Btw, one of his grandfathers, Ernst von Wendt, lived in Russia in 1917 and even took sides in the Russian civil war at that time.
Nowadays in Russia AFAIR there are no patents for algorithms. So...

Re:Enforcing compliance... (1)

Thanshin (1188877) | more than 5 years ago | (#27427433)

The only possible path from:

1 Government forces all businesses to use standardized crap software.

is:

2 Standardized crap software is thoroughly raped and even infants can enter any complying business.
3 Businesses remove crap software.

Re:Enforcing compliance... (4, Informative)

rennerik (1256370) | more than 5 years ago | (#27427445)

I'm pretty sure the government and military also run Linux/BSD/Unix in certain applications, so it would be silly to assume that they wouldn't write legislation in such a way that such OSes would be included.

I imagine something of a "security certification requirements" list that the ruling body of each OS would put forth (i.e., each Linux distro would put forward a list, as well as Microsoft for Windows, Apple for OS X, etc). This list would be submitted to the government/whatever authority, and they would use this list in testing whether or not individual IT installations are compliant. The list, if implemented, would also have to assure that the OS's operation would meet the government's "cyber-security requirements".

In other words, I don't imagine the government would completely ignore Linux to give a leg-up on Microsoft. Not only would that fall in the face of the whole anti-trust suit with MS, but also the government would have to shut down its own systems running non-MS operating systems. That approach doesn't appear to make any sense.

Re:Enforcing compliance... (0)

Anonymous Coward | more than 5 years ago | (#27428049)

The government does run Linux of a certain red headgear type. I assume this is because they actually have the funds to get certified at various security levels.

Posting AC for obvious reasons.

Re:Enforcing compliance... (0, Offtopic)

hyfe (641811) | more than 5 years ago | (#27427451)

-1 Nutcase.

Seriously, did you even read the summary? Did the mods? Critical infrastructure will be audited. Small business owners don't run critical infrastructure. Home users aren't running critical infrastructure off their DSL lines. You could argue using the slippery slope argument, but saying that the government shouldn't inspect critical infrastructure (power grid, telephone system, water supply) because in the future they might restrict home users' illegal file-sharing is so disconnected from reality it's utterly scary.

Furthermore, regarding their competence. They're not all idiots. A lot of governmental work is set up in ways that don't exactly promote talent, but they're still not raging retards. There are plenty of people that are fully aware that the vast majority of infrastructure doesn't run Windows. Hell, a lot of these systems were created long before DOS existed.

However, you are correct in that there will probably be a couple of silly results, like a non-networked Win98 PC being audited. This could be a good thing, though, because the 'if it works, don't touch it' mentality that often happens in real life quite often isn't a good long-term strategy.

As an aside, as a foreigner (just to ensure I don't get modded up), I'm absolutely flabbergasted that the vast majority of "omfg the government is scary" Americans seem to be Republicans. The Republicans are the ones who illegally wiretapped you. They're the ones who threw away habeas corpus. They're the ones who allowed torture and imprisoned foreigners for years without any sort of trial or oversight. I just honestly cannot believe they still got 45.66% of the vote. That is just utterly insane. New leader, sure, but same party. Are you all daft?

Re:Enforcing compliance... (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27427723)

I don't think the poster is nuts. I've seen them do it.

They come in, scan the network, any given machine is labeled "blessed" or "other". "Blessed" means "Windows at a certain patch level".

They also scan the computers physically (HD scan) and use similar criteria for continued operation.

I've literally seen government security scanning teams go through a shop with sheets of red and blue stars, sticking them on the front of computers. Red means you can't power it on.

All of the computers may have proper accreditation and approval, with a paper trail, including Linux systems, but they still grade the shop using their own PASS/FAIL report. Meaning the shop looks better in the overall report if it's all patched Windows ("100% PASS") with no odd paperwork or allowances.

It's worth remembering how bills are written in the USA. It's not based on any particular rationale; it's based on lobbyist requests.

All the lobbyists W/R/T compute infrastructure basically work for Microsoft or some network scanning company. They are looking to make a lot of money if their proprietary toolkit becomes mandatory at all government or infrastructure sites.

And it's not "Democrat" or "Republican". When it comes to pork or political favors for some powerful or wealthy constituency, the party affiliation of any given politician is about as meaningful as the color of a whore's shoes.

Re:Enforcing compliance... (0)

Anonymous Coward | more than 5 years ago | (#27427561)

Wow...nice straw-man there. Could you possibly squeeze in a bit more FUD?

This type of argument against ANY idea just makes the case for the idea that much stronger.

Re:Enforcing compliance... (1)

freedom_india (780002) | more than 5 years ago | (#27427923)

Wasn't the TCP/IP suite made JUST for handling the Ultimate War?
I mean, after all, the greatest (and probably the only) strength of IP is automatic re-routing in case of disruptions.
So, an attack against even 80% of our TCP/IP-based internet would still result in the remaining 20% of routers taking the traffic and still delivering...
This is a clear case of Government spying on us.
And I thought Obama was a nice man...

Please stop saying "cyber" (0)

Anonymous Coward | more than 5 years ago | (#27427149)

No no no, please stop it. Cyber must go.

I'm not comfortable with this (1)

diewlasing (1126425) | more than 5 years ago | (#27427161)

Haven't we already been under attack for a while? Granted, I'm no expert in this field, but haven't foreign nations been attacking the US for a while? Wasn't there a story a couple of days ago about GhostNet?

I heard a lot of tin foil hat people talking about an "i-Patriot Act" but I thought it was a lot of nonsense. When the government tries things like this and says they will work in a way as to try and not infringe on privacy, how many actually believe them?

The biggest concern I have would be the power to shut off networks. If there is a widespread attack that will hurt the most vulnerable, wouldn't shutting the system off hurt even more? For example, if the nation's hospital networks were under attack, would we really want to shut those off? Or even traffic lights; does that sound like a good idea to anyone?

Maybe someone here with more knowledge about cybersecurity can correct or alleviate my concerns.

Capability based security (2, Interesting)

ka9dgx (72702) | more than 5 years ago | (#27427199)

Until we get operating systems that can run code without having to trust it, we're going to keep getting the same crap, over and over.

Linux isn't the answer. Hell, even SELinux isn't the answer.

Start reading up on EROS, KeyKOS and CapROS to see about systems that might actually solve the security issues once and for all.

Re:Capability based security (2, Insightful)

jhantin (252660) | more than 5 years ago | (#27427573)

+1. Problem is, current CPUs themselves are buggy and exploitable, so you still need a verifier, and if you need that you may as well have a VM and a JIT. Unfortunately the major VMs that have the building blocks to be capability-secure -- such as CLR and JVM -- threw it all away with their standard library designs.

There's also a hidden side of capability security: preventing data, or more generally causality, from leaking in or out of a given piece of code. If there's an API exposed to untrusted code that allows it to detect its environment -- even so simple as the default object hash code or a way to get the current time -- you have a covert channel waiting to bite you.
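
The principle in the comment above, that confined code should hold only the authorities explicitly handed to it and that even a clock counts as an authority, sketched as an added example (this is illustration code written for this page, not code from the post or from EROS, KeyKOS or CapROS; the names Sandbox, CapabilityDenied and probe_environment are this example's own). The sandbox is a modelling aid in plain Python, not an isolation boundary: it shows the shape of the design and the audit trail it makes possible, and it does not demonstrate a covert channel.

```python
"""Capability-style confinement: no ambient authority, every grant explicit.

Illustrative example for the Slashdot discussion above; not production code and
not a real isolation mechanism. All names here are assumptions of this example.
"""
import time
from typing import Any, Callable, Dict, List, Tuple


class CapabilityDenied(Exception):
    """Raised when confined code asks for an authority it was not granted."""


class Sandbox:
    """Hands untrusted code an explicit capability table and nothing else.

    Because every authority is a named entry, a reviewer can enumerate what a
    module may do, and the sandbox can record what it tried to do but could not.
    """

    def __init__(self, granted: Dict[str, Callable[..., Any]]):
        self._caps = dict(granted)
        self.denied: List[str] = []  # audit trail of refused requests, in order

    def use(self, name: str, *args: Any) -> Any:
        """Invoke a capability by name; refuse and record anything not granted."""
        cap = self._caps.get(name)
        if cap is None:
            self.denied.append(name)
            raise CapabilityDenied(name)
        return cap(*args)


# The "harmless" APIs the comment warns about, each with the arguments a probe
# would pass. The file path is a constructed sample value.
PROBES: Tuple[Tuple[str, Tuple[Any, ...]], ...] = (
    ("clock", ()),
    ("object_id", ()),
    ("read_file", ("/etc/hostname",)),
)


def probe_environment(sb: Sandbox) -> Dict[str, bool]:
    """Stand-in for untrusted code trying to learn about its surroundings.

    Returns, per probe, whether the sandbox let it succeed.
    """
    learned: Dict[str, bool] = {}
    for name, args in PROBES:
        try:
            sb.use(name, *args)
            learned[name] = True
        except CapabilityDenied:
            learned[name] = False
    return learned


def run_confined() -> Dict[str, bool]:
    """Confinement as intended: an empty capability table, so nothing is learned."""
    return probe_environment(Sandbox({}))


def run_with_clock() -> Dict[str, bool]:
    """A single 'innocent' grant (a clock) already lets the code observe its host."""
    return probe_environment(Sandbox({"clock": time.monotonic}))


def denied_requests(granted: Dict[str, Callable[..., Any]]) -> List[str]:
    """Run the probe under the given grants and return what the code reached for.

    This is the defender's view: denied requests are the signal that a module is
    probing for authority it was never meant to have.
    """
    sb = Sandbox(granted)
    probe_environment(sb)
    return sb.denied


if __name__ == "__main__":
    print("no capabilities:", run_confined())
    print("clock granted:  ", run_with_clock())
    print("audit trail:    ", denied_requests({}))
```

The point of routing every request through `Sandbox.use` is that the set of authorities is data, not convention: a review can read the grant table instead of the module's source, and the `denied` list turns environment probing into something observable rather than silent.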

I haven't read the article yet, but... (1)

Antony-Kyre (807195) | more than 5 years ago | (#27427221)

I sure hope there is some mention of a court order before shutting down anything, whether public or private. Even if it is in such a way where they do it first, then get the court order within like 72 hours.

Re:I haven't read the article yet, but... (1)

freedom_india (780002) | more than 5 years ago | (#27427897)

Court order???
What are you? A moron?
This is the new American man!
Where we free Senators who have been convicted of corruption, and refuse to prosecute presidents who broke laws.
But damn it, we send kids to jail for 25 years for taking photos of themselves or stealing an apple...
The French should demand that the USA return the Statue of Liberty: after all, when a cop can shoot you down like a dog and not face jail for the crime, this country does not have liberty...

Software Mono-Culture (1)

scorp1us (235526) | more than 5 years ago | (#27427223)

Because the one thing we've learned from having software mono-culture is that it's a Good Thing(tm).

Now we're attempting to fix the problem by having federally mandated mono-culture? Please!

And as someone who has worked for companies that have developed government specs, I can assure you that the process will be corrupted as to bias towards certain vendors. Any required feature that can be patented will be, and any open-source implementation will be sued out of existence.

Still haven't found a +5 funny yet. (1)

captnbmoore (911895) | more than 5 years ago | (#27427225)

but it is still early.

I think lobbying is afoot! (5, Insightful)

TheLeopardsAreComing (1206632) | more than 5 years ago | (#27427265)

1.) Instead of a Czar, I like "Commissioner Of The Internets"
2.) Issues like this make me question where these senators get their information. They obviously do not know the current technology well enough to create laws involving it... maybe we should focus more on the lobbyist groups that funded their campaigns and figure out who benefits the most from this!

It creates a czar, so I'm against it (2, Insightful)

carlzum (832868) | more than 5 years ago | (#27427291)

Anything involving a new "czar" invariably fails to achieve its objectives and shows disregard for our rights. Joe Biden is credited with coining the term "Drug Czar" and was a vocal proponent of making it a cabinet-level appointment. Ironically, the current administration has downgraded the post to a non-cabinet-level position. I hate the term and wish it would go away; it sounds anti-democratic and seems to act accordingly.

Re:It creates a czar, so I'm against it (2, Insightful)

TrueRecord (1101681) | more than 5 years ago | (#27427443)

it sounds anti-democratic

What if it sounded pro-democratic? Would it be better?
Imo, it does not matter how it sounds. It IS anti-democratic.
I mean that's against people.

And then (2, Funny)

Amazing Quantum Man (458715) | more than 5 years ago | (#27427357)

the terrorists build a CIP device, and then storm the White House, and then they get bioweapons in DC.

Federalize my ass (0)

Anonymous Coward | more than 5 years ago | (#27427387)

Government has no place dictating these things.

april fools (1)

circletimessquare (444983) | more than 5 years ago | (#27427411)

as in, the legislators, not the day

Just to make you shut up (1)

DreamerFi (78710) | more than 5 years ago | (#27427465)

[The bill] would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

And any of us who went public with information on illegal/unethical wiretapping or gross incompetence would lose their license.

That'll shut up those pesky security professionals/privacy advocates.

What about voting machines? (0)

Anonymous Coward | more than 5 years ago | (#27427485)

That might be a good place to start.

Obvious solution (0)

Anonymous Coward | more than 5 years ago | (#27427491)

Geez, do these government guys never learn? Don't worry guys, John McClane and Sam Fisher are on the case. Relax and go back to doing... whatever it is you do.

FUCK THAT.....! (1)

IHC Navistar (967161) | more than 5 years ago | (#27427571)

Federalizing cybersecurity?

FUCK THAT!

Big Brother already has a hell of a time keeping the US's *physical* borders secure, with all of the politically-correct bullshit that is allowing drug smugglers, human traffickers, illegal aliens, and other less-desirable what-not to cross the border illegally at will.

If you want an idea of how it will go, take all the political correctness and bureaucratic hurdles that have prevented effective enforcement of physical borders. Then, substitute *your* computer for the concept of a national border.

Scary thought, huh?

Effective laws? (2, Interesting)

mo'o ahi (633487) | more than 5 years ago | (#27427581)

While I applaud the Senators' efforts to assist in securing cyberspace, historical efforts to legislate cyber-security have not proven effective. (that was tough to say with a straight face) To wit, examine the Government's own record: Currently all federal agencies are required to follow strict guidelines/policy, yet the average info-security grade given by OMB, for FY2007 was a C-. How far would you get in life if your average grade was a C-? I'd guess the average Slashdotter had better than a 1.7 average.

Further, they seem to think that if NIST establishes "measurable and auditable cybersecurity standards", then all will be right with the world. NEWSFLASH - The Fed already has that for the entire GOV, and while many agencies have improved it has not shown to be the panacea they intended. According to OMB's report out 3 weeks ago [whitehouse.gov] (go to page 9), the DOD, the agency with the most important security concerns and highest risk (and consequently the most stringent InfoSecurity program) is failing miserably.

Funny, if you read the FISMA top page [nist.gov], it refers to 'cost-effective' security programs, but nowhere does it mention effective programs...

New legislation is not the answer - holding people accountable is. [to keep this relatively short I'm not going to expand on this - you know how to find the laws]

As one previous poster noted, a bunch of us posting here is not going to change anything. So, I will end this with a call to action for all Slashdotters - write a letter to your Senator and Congressman and let them know (using clear, thoughtful words) that this is an f'ing stupid idea and that they should not support it.

Find your congressman [house.gov]

Find your senator [senate.gov]

I'd just like to point out... (1)

magamiako1 (1026318) | more than 5 years ago | (#27427589)

Most of what everyone is going on is speculation. We don't have the bills to read so we don't know. It could simply be limited to private companies that provide electricity and power for all we know, or any public infrastructure-based system.

Just calm down, wait until the bills are even introduced, read them, pick them apart, and contact your Senator and express your dismay over the project.

Re:I'd just like to point out... (1)

shentino (1139071) | more than 5 years ago | (#27427719)

I doubt special interest groups would let it rest.

Besides, we at /. know that Microsuck can't make a decent secure product. Why should using them even be an option? Let alone mandated by a team of techies that were probably cherry picked by MS friendlies in the first place?

just as i suspected (1)

YouDoNotWantToKnow (1516235) | more than 5 years ago | (#27427633)

communists, terrorists and now hackers, what is next, aliens?

Compare and Contrast (1)

senorpoco (1396603) | more than 5 years ago | (#27427673)

Both China and Russia have enormous 'cyber-armies', for want of a better word. Funded, organized and made up of proud nationalistic young people. America has hacker culture, mocked, criminalized and alienated. Who do you think is better prepared? America has the manpower and the ingenuity; it just needs to bring hackers and IT culture in general in from the cold, and make it something to aspire to, not just something to get beaten up in high school over.

Arms (0)

Anonymous Coward | more than 5 years ago | (#27427687)

If this makes it to the House and Senate, it's time to take arms against our government.

This sounds like a disaster waiting to happen. (1)

Jane Q. Public (1010737) | more than 5 years ago | (#27427711)

And what is this stuff about "water"?

Sorry, but the States own the waterways.

My worry (1)

jandersen (462034) | more than 5 years ago | (#27427733)

My chief worry is actually not so much about "increased powers" - I suspect they can already do most of this in one way or another. But centralising things means that an attacker only needs to find one weakness, so to speak, and then they would be able to wreak havoc on a grand scale.

If it has to be secure, keep it off the internet! (0)

Anonymous Coward | more than 5 years ago | (#27427857)

From the Summary: "People say this is a military or intelligence concern, but it's a lot more than that," says Rockefeller, a former intelligence committee chairman. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."

TRAFFIC LIGHTS, RAIL NETWORKS, AND OTHER LIFE-THREATENING DEVICES SHOULD NOT BE ON THE INTERNET!!! Why not make a separate network (IPv6?) that is regulated and encrypted up the wazoo, with no privacy and criminal penalties for doing rude stuff, like spamming?
