
New Bill Would Put DHS In Charge of 'Critical' Private Networks

Soulskill posted more than 3 years ago | from the too-big-to-404 dept.

Government 193

GovTechGuy writes "A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure. Such firms include utilities, communications providers and financial institutions."


193 comments


What's the alternative (4, Interesting)

jeffmeden (135043) | more than 3 years ago | (#34280900)

Considering how much a lot of those companies rely on their network infrastructure, if there isn't a provision for this then perhaps the alternative is to be prepared to take over the whole organization if/when they are crippled by an attack. I am not one for heavy handed government but someone needs to light the fire under these guys.

Re:What's the alternative (1, Redundant)

Xiph (723935) | more than 3 years ago | (#34280922)

The problem is that this will mean that they end up forcing critical infrastructure projects to rely on rot13 encryption.

Re:What's the alternative (4, Insightful)

lgw (121541) | more than 3 years ago | (#34280972)

Has the DHS demonstrated that they are any smarter than the current crop? Is an enforced monoculture somehow better for security than a variety of solutions? Is the DHS going to be immune to carefully chosen campaign contributions at the federal level, resulting in an all-Microsoft infrastructure?

The way IT for banks is regulated, by creating standards that the banks must comply with but not dictating specific solutions, might work OK here. But I have no faith that that's where "OMG, the government needs more power" is going to end up.

Not necessarily monoculture (4, Insightful)

bsDaemon (87307) | more than 3 years ago | (#34281138)

This move doesn't necessitate a monoculture; it just depends on how they write the law and how those in charge of implementing it end up crafting regulations. As long as they're only enforcing standards and not a standard implementation, then it's probably OK, as you stated in the second part of your post. For instance, if the regulation states that networks which have any convergence points with the public internet have, at all crossover points, IDS/IPS systems in place which meet a certain level of ability, then it's up to the firm who owns the network to decide whether to go with a solution from Cisco, Juniper, Sourcefire, or another vendor, or to roll something home-grown, as long as they can meet the requirements.

I'm sure most of the organizations which will be affected by this will already have most, if not all, of the necessary security mechanisms in place. However, they may be out of date to some degree, not properly monitored, and some smaller organizations may be missing large swaths of helpful security infrastructure and best practices because it just hasn't "been an issue" for them in the past. This is probably a fairly direct result of the Stuxnet worm/virus. Whether Federal mandates are actually going to help remains to be seen, but if they follow sane policy frameworks such as those outlined by the NSA IAD and the CNSS then this ought to be fine.

Since this is Slashdot, I'm sure at least a plurality will focus on the "private" in critical private network, as evidenced by the air quotes around 'Critical' in the lead line of the story. However, when we're talking about power, water, and communications systems, critical probably isn't a strong enough word to describe them, and their ability to operate is largely a result of government-enforced monopolies and government-enforced easements, so I wouldn't really call them 'private' either.

Re:Not necessarily monoculture (5, Informative)

anegg (1390659) | more than 3 years ago | (#34281584)

I have been involved in government IT security for many years now as an employee of a government contractor often hired to perform various parts of the government security process. One of the biggest problems with the government security "standards" and "processes" in place now is that there is practically no cost feedback to the controls. The policies all say that the cost of the controls should be commensurate with the value of the system being protected, but many of the security "approvers" demand gold-plated security, and are often opposed to signing off on anything less. (Hey - you can't be held responsible for a security problem in a system you approved if you simply never approve any systems.) There are numerous government systems operating either "unauthorized" or under "temporary waivers" (for years and years) because the security folks wouldn't sign off the controls.

These problems are with the government policing the government. I can't imagine it would be any different when they are enforcing the standards on commercial companies. Although private enterprises can and do go underboard with security, government monitors are almost certain to go overboard. I have some (but limited) experience reviewing IT security for commercial entities (financial services firms, oil and gas firms, pharmaceuticals) and they often "get" most of what needs to be done... with a few lapses (like connecting SCADA networks to the regular corporate network, which is also connected to the Internet).

If the approach is to have a few *simple* rules (like networks over which critical infrastructure communicates must be isolated from corporate networks that are attached to the Internet), then I think some government oversight wouldn't be bad. But if the approach is to require private enterprise to demonstrate compliance with full-blown government IT security C&A with the government doing the certification, I would predict drastic increases in costs, without necessarily dramatically increasing actual security.

Re:Not necessarily monoculture (4, Insightful)

cayenne8 (626475) | more than 3 years ago | (#34281818)

I guess again..I just don't trust them.

Who's to say WHAT is a critical business infrastructure? Sure, it may start now with financial institutions, the power grid, etc...things I think many people could agree upon. But as with all govt. regulations....you will get scope creep, it is just the nature of the beast.

Look at the recent discussion here about the move to force many if not most websites to conform to new ADA guidelines?!?!

In that argument, they said the *MIGHT* not force private, small websites to comply....might not??

Once the Feds can get into private companies and tell them what to do...it is kinda like the mob, they get more and more and more involved. Once this starts spilling over into small businesses...the cost of regulations will likely knock a lot of the smaller guys off, and close the market to new competition from smaller businesses.

I wouldn't even support that. (1)

khasim (1285) | more than 3 years ago | (#34281916)

Instead of mandating what should be deployed, stick to testing the defences of the companies.

Fine them if the DHS crackers can gain access.

As a side benefit, it would discourage the monoculture. Different companies would deploy different systems and that would make it almost impossible for a single attack to crack them all.

Re:What's the alternative (1)

jeffmeden (135043) | more than 3 years ago | (#34281156)

"The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure."

It does sound like a standards-based, not a "take over" approach. The crisis alternative (as we found out during the financial crisis) is for a takeover/bailout of the entire organization when internal processes fail to account for risk. When it comes to a bank's bottom line, you might argue that they have free will to self destruct. When it comes to utilities that we rely on for life and liberty, mandating the least risky approach isn't overkill if you ask me.

Re:What's the alternative (2, Insightful)

TrisexualPuppy (976893) | more than 3 years ago | (#34281494)

And how hard is it to apply what you have hopefully learned from the rest of the legislation passed in the past ten years?

Repeat after me. This legislation exists to build a presence.

At best, it will do what the FAA's legislation has done to General Aviation over the past fifty years: overregulation via federal standards which cripples usefulness/availability and stagnates innovation because new ideas are either illegal to implement, or they become too expensive to try. Give it five or ten years, and we will of course have the need for DHS to be able to take over the Internet during "national technological emergencies" declared by the president. These boys would already have had that kind of legislation in place if any security problem really did exist on the Net and we had been attacked because of it.

MOD PARENT UP!!! (0)

Anonymous Coward | more than 3 years ago | (#34281564)

This post rings the bells of justice and enlightenment

Re:What's the alternative (0)

Anonymous Coward | more than 3 years ago | (#34281670)

Exactly man. Exactly.

Re:What's the alternative (2, Informative)

jeffmeden (135043) | more than 3 years ago | (#34281924)

Not to straw man your other arguments, but the FAA has managed to keep people alive at an unprecedented rate. Considering the aviation disasters that befall less regulated nations on a regular basis (and even other transportation methods in our own nation), I would have to politely decline the notion that the FAA is overstepping its bounds. As someone who has put on a lot of miles in the air, I prefer to take my planes well regulated and safe, as opposed to innovative and in a crater.

Re:What's the alternative (0)

Anonymous Coward | more than 3 years ago | (#34282102)

Must be coming from a doctor or shark with too much money to think or care.

Re:What's the alternative (2, Interesting)

mcvos (645701) | more than 3 years ago | (#34281048)

My first thought was: why does national security even rely on private networks? But if there's one thing that the mortgage crisis taught us, it's that quite a lot of our economy can be easily messed up by a handful of irresponsible banks. Of course the same is true for telecommunication companies and our communication infrastructure.

Re:What's the alternative (0, Funny)

Anonymous Coward | more than 3 years ago | (#34281250)

Apparently the term "of course" is synonymous with "this is a troll..."

Re:What's the alternative (1)

arivanov (12034) | more than 3 years ago | (#34282072)

This approach is similar to what other countries have been taking for a while. The governments pretty much slept through the Internet becoming the predominant telecommunication medium and the awakening has been rather rude for all of them.

Nearly all other governments have taken similar steps. It is actually positive that USA has put some legal framework behind it. That has not been the case with other big-8 countries where the various three symbol abbreviated agencies have forced a number of changes on the infrastructure without any legal framework to back them up.

Whether we like it or not, this is something that could not be avoided. It is probably better if it is done legally, above board and with clear and well defined game rules instead of cloak and dagger.

Re:What's the alternative (1)

mysidia (191772) | more than 3 years ago | (#34281682)

Considering how much a lot of those companies rely on their network infrastructure, if there isn't a provision for this then perhaps the alternative is to be prepared to take over the whole organization if/when they are crippled by an attack. I am not one for heavy handed government but someone needs to light the fire under these guys.

The alternative is to require that they develop their own standards, and be subject to periodic penetration tests sponsored by the government.

If a government pen test against them succeeds, then they will be seriously penalized, or compelled to hire a 'government approved firm', implement that firm's requirements, and pass another government pen test, or face serious penalties and losing their right to run the critical service.

If they refuse to comply, also, the results of the government test will be immediately published so the public will know that the service is vulnerable.

Re:What's the alternative (3, Funny)

pete6677 (681676) | more than 3 years ago | (#34282036)

"be subject to periodic penetration tests sponsored by the government"

Just like commercial airline passengers.

What is the determination? (1, Insightful)

databyss (586137) | more than 3 years ago | (#34280908)

I'll assume they can designate any forum they don't like as critical to national security due to terrorists using it to communicate.

Re:What is the determination? (5, Informative)

LordLimecat (1103839) | more than 3 years ago | (#34281208)

That has absolutely nothing to do with what's being proposed, according to TFA. This is about setting network security requirements and enforcing them, not shutting down threats of any kind. Grats on not reading the summary tho.

I'll sit over here (5, Insightful)

Megaweapon (25185) | more than 3 years ago | (#34280926)

and wait for the Republicans to fight this government intervention tooth and nail. .........

Re:I'll sit over here (0, Troll)

elrous0 (869638) | more than 3 years ago | (#34281080)

Only if someone attaches an amendment that hurts corporations or the rich in some way. Then they'll become George Washington fighting the British.

Republicans, we fight to get the government off your back!!*

* If you're rich or a corporation

Re:I'll sit over here (1)

EraserMouseMan (847479) | more than 3 years ago | (#34281586)

I work for a "rich corporation". We have not had the means to increase our staff in over 2 years. Over that period nobody has gotten raises or bonuses either. The Democrats would like to see the Bush tax cuts expire and see the balance sheet of corporations take an additional 3% tax hit. Lovely.

Re:I'll sit over here (4, Insightful)

IgnoramusMaximus (692000) | more than 3 years ago | (#34281882)

That is due to the tremendous difference between the Democrats and the Republicans:

During the Republican reign within the last 50 years, the average, inflation-adjusted US worker's income increased -1% and the average CEO's income increased 500%. This stands in great contrast to the Democrats, under whom the average US worker's income increased -1% and that of the CEO mere 400%.

This shocking difference explains the dire straits your poor, rich corporation is in, thus necessitating further belt-tightening, "shared sacrifices" and other "austerity" measures...

Re:I'll sit over here (1, Insightful)

schmidt349 (690948) | more than 3 years ago | (#34281126)

Sorry, the Republicans only fight government intrusion if it lacks the magic words "national security" and your annual income is above $250,000.

In this instance what they can do for you is a visit from Ann Coulter, who will shriek "why do you hate America SO MUCH" loud and shrill enough to shatter all the glass in your house.

Re:I'll sit over here (0)

Anonymous Coward | more than 3 years ago | (#34281416)

I just look forward to watching Repubs try to reduce the deficit without touching their two sacred budget cows, military spending aka "welfare" and benefits for seniors aka "voters"

Re:I'll sit over here (1)

c6gunner (950153) | more than 3 years ago | (#34281694)

Sorry, the Republicans only fight government intrusion if it lacks the magic words "national security" and your annual income is above $250,000.

Guess you haven't been following the airport-scanner debacle.

you will ? (1)

unity100 (970058) | more than 3 years ago | (#34281608)

You will have to forget, before doing that, the fact that ACTA was initiated, prepared, cooked and started being pushed around during the Republican term in Congress, Senate and administration, before 2006. In 2006, it was already in the international negotiations stage, first by being pushed to the Canadians.

Into the Probulator! (1)

snspdaarf (1314399) | more than 3 years ago | (#34280970)

If this passes, does it mean I have to have the "new" patdown, or can I opt for the "classic", before I can enter the server room? And, if I can only bring in four ounces of soda, my productivity is gonna go to hell.

Re:Into the Probulator! (1)

dkleinsc (563838) | more than 3 years ago | (#34281178)

"My fellow Earthicans, we enjoy so much freedom it's almost sickening. We're free to choose which hand our sex-monitoring chip is implanted in. And if we don't want to pay our taxes, why, we're free to spend a weekend with the Pain Monster."
- Richard Nixon's Head

Safe to say this is where we're heading.

Re:Into the Probulator! (1)

natehoy (1608657) | more than 3 years ago | (#34281554)

It gets worse. You can't have a patch cable longer than 3 inches per new regulations. They have to check you for illegally-long patch cables, and the "new grope" isn't going to cut it, nor is the Play{boy|girl} Scanner. I'd suggest bringing your own disposable gloves, just in case budget cuts are dictating too-aggressive recycling.

And, no, you can't have more than three ounces of liquid, remember? "The number of the counting shall be three and three shall be the number of the counting, thou mayest not proceedest to four. Five is right out."

The good news is you can probably hollow out a laptop battery and remove all that perfectly legal explosive Thermite-like Lithium-Ion stuff and replace it with illegal contraband Mountain Dew. But think of the CHILDREN, man!

Wording is vague. (1)

chemicaldave (1776600) | more than 3 years ago | (#34280978)

What do they mean by "enforce federal cybersecurity standards"?

If that just means new security standards that companies have to meet, then I can't see the harm in that

Demanding exclusive admin access? Now it's complicated.

Re:Wording is vague. (4, Insightful)

Rosco P. Coltrane (209368) | more than 3 years ago | (#34280994)

If that just means new security standards that companies have to meet, then I can't see the harm in that

When the standards are defined and enforced by incompetents, they tend to be useless, costly and bad for productivity.

Re:Wording is vague. (4, Insightful)

chemicaldave (1776600) | more than 3 years ago | (#34281018)

It's certainly the right idea if standards are all they're pushing. But I agree, the DHS shouldn't be involved in this. I can't see why they are in the first place other than someone used the word "terrorist".

Re:Wording is vague. (1)

bsDaemon (87307) | more than 3 years ago | (#34281172)

DHS is likely involved since they have a Federal mandate allowing them to operate in Civilian-space internally to the US, something NSA isn't really allowed to do for corporations (hence why similarly-skilled contractors were recommended to help with the incident response for Google re: China), but can do for government and military outfits. As I noted above, I strongly suspect that the DHS rules will be based on FIPS standards as well as slightly modified policy and technology guidelines from the IAD and CNSS. As long as they don't try to do this from scratch using a copy of 'Security+ For Dummies' as a guideline, then this might actually turn out alright.

Re:Wording is vague. (1)

dgatwood (11270) | more than 3 years ago | (#34281298)

I think we'd be far better off if the government weren't coming up with the standards in any significant way. They've shown little understanding of security (and particularly computer security) in the past. Far better if they instead pass laws that simply mandate certain types of companies conduct regular security audits by their choice of external auditors, coupled with penalties if those audits find that the companies are not following established industry standards.

Alternatively, the government could create a standards organization consisting of industry leaders and security researchers to create and maintain appropriate standards if they don't think the existing industry standards are good enough.

Either way, HomeSec is already too big and bloated to be useful. The last thing we need is for them to do more.

Re:Wording is vague. (4, Insightful)

locallyunscene (1000523) | more than 3 years ago | (#34281242)

Thank you. I agree, defining standards is okay, but DHS should be the last one selected to do it. Networks like these need security, not security theater.

Re:Wording is vague. (1)

iivel (918436) | more than 3 years ago | (#34281492)

Most of the DHS standards come from combined work with NIST, US-CERT and the NSA. They're all pretty good at what they do.

Re:Wording is vague. (0)

Anonymous Coward | more than 3 years ago | (#34281022)

Just like most IT...

Re:Wording is vague. (1)

LordLimecat (1103839) | more than 3 years ago | (#34281184)

If that just means new security standards that companies have to meet

That seems to be just what they're asking for, according to the article.

I'm not exactly clear why the DHS would be super good at proposing network security requirements though.

Re:Wording is vague. (1)

macshit (157376) | more than 3 years ago | (#34281264)

I'm not exactly clear why the DHS would be super good at proposing network security requirements though.

Is there anything the DHS is good at?

I suppose one way to look at it is: they probably suck massively at network security, just as they do at everything else; since we've already thrown tons of other random powers at them, why not this...

[head explodes]

Re:Wording is vague. (1)

anegg (1390659) | more than 3 years ago | (#34281610)

I would expect the ultimate goal is for such systems to be overwatched by the new US "Cyber Command" being set up at Fort Meade.

Better Yet (2, Insightful)

ciderbrew (1860166) | more than 3 years ago | (#34280984)

Stop spending Tax, giving yourself more powers. You should have rules in place for internal departments and for any company that is THAT important, surely any contract set up would require some terms and conditions.

Financial Institutions (1)

homes32 (1265404) | more than 3 years ago | (#34281006)

great. like we don't have enough regulation in this area as it is.

Pirates, not terrorists, are probably first (3, Interesting)

elrous0 (869638) | more than 3 years ago | (#34281012)

Why do I have a sneaking suspicion that this law will be applied WAY more often to fight torrent sites than it will ever be used to fight actual terrorists?

Re:Pirates, not terrorists, are probably first (2, Interesting)

Rosco P. Coltrane (209368) | more than 3 years ago | (#34281112)

Why do I have a sneaking suspicion that this law will be applied WAY more often to fight torrent sites than it will ever be used to fight actual terrorists?

Torrent sites that aren't taken over by Russian virus makers, where the files you download are guaranteed genuine and not cheap porn movies that have been renamed, certified safe by the government? Yeah, I'm all for that.

Re:Pirates, not terrorists, are probably first (1)

LordLimecat (1103839) | more than 3 years ago | (#34281166)

Why do I have the sneaking suspicion you didn't even read the summary, much less the article? This bill is about requiring certain standards to be met by certain vital private sector companies. How on earth would you even get at torrent sites under this bill, require them to upgrade to the latest version of Cisco IOS?

Re:Pirates, not terrorists, are probably first (1)

elrous0 (869638) | more than 3 years ago | (#34281304)

Because part of the "critical infrastructure" of this bill are ISPs. And part of the "new security regulations" could easily include shit like blocking torrent sites on both the front-end and back-end (because they pose a virus threat to our security, of course).

Think about it (3, Funny)

pjt33 (739471) | more than 3 years ago | (#34281286)

You obviously haven't thought this through. Remember, torrent sites steal billions of dollars from hard-working cinematographers. Where do you think that money is going if not to tiny camps in inaccessible parts of distant countries in order to wreak damage and destruction in the heartland of America? Honestly, this stuff is so basic that any junior congressman could understand it...

Re:Think about it (1)

elrous0 (869638) | more than 3 years ago | (#34281354)

Remember kids, downloading Harry Potter is downloading T E R R O R I S M ! ! !

Competence (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34281030)

Considering that the DHS is probably one of the most dysfunctional, incompetent departments in the entire federal government, I find that more frightening than the terrorists.

Re:Competence (1, Informative)

Anonymous Coward | more than 3 years ago | (#34281396)

I just started working for the DHS as a contractor, looking from the outside in, and I couldn't agree with you more.....

Re:Competence (0)

Anonymous Coward | more than 3 years ago | (#34281690)

I work for IT for FEMA... this is the LAST thing they need to be sticking their fingers in...

Wrong - DOI is (0)

Anonymous Coward | more than 3 years ago | (#34282030)

The Department of the Interior is the worst government entity. DHS - who gives us the TSA - is a close second.

TRUST BUT VERIFY !! (0)

Anonymous Coward | more than 3 years ago | (#34281064)

Only TERRORISTAS would be concerned. Are you concerned? You are a TERRORISTA !!

What's critical? (5, Insightful)

girlintraining (1395911) | more than 3 years ago | (#34281072)

As we saw with anti-terrorism spending, what's deemed critical and what truly is hasn't exactly ever been the same.

Re:What's critical? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#34281198)

In fact, the DHS have demonstrated a DISTURBING lack of understanding of "Critical" by applying no protection where the real problem is and spending billions on new scanners and paying people to fondle our junk. In the end, they've no business protecting anything if they can't get this much right.

Lame Duck (4, Insightful)

MikeB0Lton (962403) | more than 3 years ago | (#34281088)

As if they haven't spent enough tax dollars they don't have.

As Ben Franklin said ... (0, Insightful)

Anonymous Coward | more than 3 years ago | (#34281106)

They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety

This is the race to fascism at its finest. (4, Insightful)

mr_mischief (456295) | more than 3 years ago | (#34281124)

I'm sure "federal cybersecurity guidelines" for a network include having Federal employees shutting down general non-critical access and putting control of the network under FEMA control whenever there's a disaster. That's great for a network owned by the Federal government. It's an abomination against the rights of the people and private companies to do those things to a commercial network on which millions of people rely for their own uses.

It's called "socialism" when the government takes over industry for the people. It's called "fascism" when the government takes over industry to enhance the power of the government. Somehow I just can't see the government taking over control of networks the citizens use as benefiting the people more than the government.

And why are you sure of this? (1)

sirwired (27582) | more than 3 years ago | (#34281486)

Before you go ranting and accusing the government of fascism, maybe you could actually, you know, READ the proposed legislation, and then cite the passage where you have found this provision?

Seems like fascism marching on... (0)

Anonymous Coward | more than 3 years ago | (#34281130)

What's surprising is that this bill is coming from someone thought to be a Democrat.

Re:Seems like fascism marching on... (1)

Attila Dimedici (1036002) | more than 3 years ago | (#34281466)

Why is that surprising?

Re:Seems like fascism marching on... (1)

kilfarsnar (561956) | more than 3 years ago | (#34281504)

It's becoming clearer to you now, isn't it?

Re:Seems like fascism marching on... (1)

anegg (1390659) | more than 3 years ago | (#34281638)

There is no political party that has exclusive claims on the ability to seize power and wield it.

DHS DHS.. it sounds so familiar... (0)

Anonymous Coward | more than 3 years ago | (#34281182)

remind me why it wouldn't be such a great idea to give them a say in this process?

New security rules from DHS (1)

Jason_D_Berg (745832) | more than 3 years ago | (#34281246)

All employees accessing sensitive networks must now remove their shoes...

important changes (2, Funny)

glebovitz (202712) | more than 3 years ago | (#34281248)

I hope they don't require a genital pat down to use the Internet.

Re:important changes (0)

Anonymous Coward | more than 3 years ago | (#34281528)

But that's exactly what I use the internet *for*!

(captcha: harden)

Re:important changes (2, Funny)

snspdaarf (1314399) | more than 3 years ago | (#34281626)

Judging from what eventually comes back on almost any google search, I suspect the internet is used to get ready for a genital pat down.

Re:important changes (0)

Anonymous Coward | more than 3 years ago | (#34281760)

Well, that might not be so bad depending on which sites you happen to be visiting ...

Personally ... (1)

PPH (736903) | more than 3 years ago | (#34281982)

... I welcome our fondling overlords.

Proactively fighting post terror. (1)

retech (1228598) | more than 3 years ago | (#34281254)

So if they do this like their other wonderful policies I cringe to think of what will happen...

Those companies will see their mail servers flooding the net with botnet spam. Their websites will be littered with porn pop-ups. And all of their secure transactions will no doubt authenticate via a .ru connection.

Alternatives (1)

Ukab the Great (87152) | more than 3 years ago | (#34281292)

Or we could ban software companies lobbying to lower security standards and we could push for changing government pay grade scales for security experts so gov't actually has a chance of competing for talent with the private sector.

New corporate dilemma (1)

way2trivial (601132) | more than 3 years ago | (#34281326)

choices, choices

do we want to be "too big to let fail" or "not critical to national security"

No. (1)

moxley (895517) | more than 3 years ago | (#34281328)

No.

Not entirely a bad idea (1)

dbIII (701233) | more than 3 years ago | (#34281346)

Somebody should get those Diebold ATMs off the public internet and back on a WAN like they should be.

Like PCI compliance? (0)

Anonymous Coward | more than 3 years ago | (#34281356)

If this is done in a similar manner as PCI compliance for handling credit card information then I wholeheartedly welcome this addition. I see no reason not to have the government set a baseline of security for crucial infrastructure (everything patched, firewall in place, no open relay mail servers, etc).

I think this is one of those situations where the devil is in the details. This could be a good or bad thing but it all comes down to the implementation and enforcement of such a program. I'm as worried as the next guy to have DHS poking around in my systems but that's not necessarily what this entails.

Insanity (1)

anorlunda (311253) | more than 3 years ago | (#34281360)

If you want to send any enterprise down the tubes, start by giving one group the authority and another the responsibility. DHS wants to dictate standards but when the next big blackout occurs will DHS rush to accept the blame?

Have we considered the risk of self-inflicted damage caused by ill-conceived government-mandated software?

You don't need to be a libertarian to see that this is insanity.

Obligatory Vader... (1)

digitaldc (879047) | more than 3 years ago | (#34281390)

Vader says... [youtube.com]

Who can spot the real problem? (1)

GameboyRMH (1153867) | more than 3 years ago | (#34281414)

private sector companies considered part of the country's critical infrastructure.

*Insert Jeopardy music here*

"Enforce Standards" != "In Charge Of" (2, Informative)

sirwired (27582) | more than 3 years ago | (#34281464)

DHS has been given authority to ensure critical networks are up to federal security standards. Apart from the discussion of if this will be useful, this does not, in any way, put them "In Charge" of the networks.

Re:"Enforce Standards" != "In Charge Of" (1)

mu51c10rd (187182) | more than 3 years ago | (#34281928)

As anyone aware of the "security and accreditation" program of the DoD can tell you, this will just spawn another army of government contractors doing audits on the basics. Just like SoX was supposed to prevent large corporate breakdowns (didn't help the latest round of collapses like Lehman Brothers and Merrill Lynch), this will not help. It will merely feed the pockets of the big government contractors and not "secure" anything.

ROFL... (0)

Anonymous Coward | more than 3 years ago | (#34281506)

I work IT for FEMA, I can tell you first hand that DHS's network is one of the most hosed up messes I have ever seen... this is the last thing we need.

i see this to be about (1)

nimbius (983462) | more than 3 years ago | (#34281532)

as useful as PCI (Payment Card Industry) standards. a great idea with loads of rules to keep things on the right track, but no real punishment for repeat offenders or major breaches. in short: just another meeting on my calendar.

DNS Verisign USA (1)

54mc (897170) | more than 3 years ago | (#34281556)

DNS moving from the hands of Verisign [wikipedia.org] and into the hands of the government? Sounds like "Out of the frying pan and into the fire" to me.

U.S. control of internet slipping in 3,2,1 (1)

unity100 (970058) | more than 3 years ago | (#34281570)

First, the bill to censor internet and get ahold of any domain name, with a court order

now, the ability for a single department of u.s. government, without requiring a court order, to control private networks,

Couple these two with the draconian and stupid copyright/patent laws in the USA, and you can see that it won't take more than a few months after this for the U.N. or EU to come up with an alternative, international or European authority to govern domain names and IP numbers.

way to go, u.s., cutting the leg you are standing on. any other country would cut its own real legs (metaphorically) rather than risk losing the de facto control of internet.

maybe it was high time.

I'm picturing this. (1)

fishbowl (7759) | more than 3 years ago | (#34281604)

A DHS uniformed guy on a folding chair in front of the server closet in the 4-member IT dept of a small company that is, among other things, a defense contractor. This uniformed guy checks the sysadmin's badge each of the 20-50 times a day he goes into the server closet. The rest of the time he sits there doing search-a-word puzzles or watching a portable tv or whatever. I'm as horrified by this image as I am amused by it.

DHS not NSA... umm NO (2, Informative)

Anonymous Coward | more than 3 years ago | (#34281624)

I worked in the security industry for many years and we had contracts with a number of government departments, major ISPs, and enterprise businesses. Our talks with the DHS ended when they suggested making a Windows-based version of our Linux-based network security server. The conversation went something like this:

Us: "Sure we could do it, but it would cost more, be slower, and have poorer performance because we wouldn't be able to modify the OS directly to support what we need. You'd need a significant number more machines to do the same task, each machine would cost more, and the project would be delayed at least a year while we developed it and went through the security certification process again. Additionally, the security would be weaker and these should be high security systems as they have access to all the traffic running through your network and are already managing the traffic."

DHS Security Guy: "I think that's the way we want to go."

Us: "Do you mind if we ask why?"

DHS Security Guy: "I don't like managing non-Windows systems."

Maybe things have changed over there in the last few years but... dear god! They were some of the most incompetent Microsoft loving fuckwits ever. We had a contract with Microsoft at the time and they were cool with our Linux based solution and were even considering installing custom Linux systems of their own design to supplement the limitations of their Juniper routers with regard to network traffic management and security.

Social hacker's wet dream (0)

Anonymous Coward | more than 3 years ago | (#34281630)

If this is anything like the DoD or the rest of the government's security policies it will drastically reduce the productivity of those using these 'critical networks'. And of course let's not forget all the post-it notes with passwords on them this will create!

YUO FaIL IT! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34281644)

bought the farm... Alike to reap 1. Therefore it's

Follow the money (2, Informative)

barzok (26681) | more than 3 years ago | (#34281660)

How would this benefit Rep. Thompson's campaign & PAC funding? "Defense Electronics" firms are the #3 contributor to his campaign & leadership PAC for 2009-2010. "Computers/Internet" were #3 for the 2008 campaign.

http://www.opensecrets.org/politicians/summary.php?cid=N00003288 [opensecrets.org]

Feel Safe (1)

morgauxo (974071) | more than 3 years ago | (#34281684)

Senator Palpatine will protect us!

TSA is under DHS (2, Funny)

scorp1us (235526) | more than 3 years ago | (#34281718)

So we'll have the same policy for fliers as packets? Deep, humiliating inspections?

Here's one letter-writer (1)

Byzantine (85549) | more than 3 years ago | (#34281866)

Representative Thompson is my congressman. He'll be getting a letter from me expressing my opposition to this measure.

Hmmm. (0)

Anonymous Coward | more than 3 years ago | (#34281876)

Why does the DHS think they have a better solution to this than the private companies?

From what I know all the smart people go to the private companies, NOT the government in order to get better pay.

You can't fight security with legislation (0)

Anonymous Coward | more than 3 years ago | (#34281890)

A simpler solution is to keep your executables and data separate and don't allow write access to the executables - simples ;)

Any Better? (1)

TheNinjaroach (878876) | more than 3 years ago | (#34281950)

I think this begs the question, why does anyone believe that government goons would be more capable at managing a network than the private IT goons who built it?

I'm experiencing deja moo (1)

russotto (537200) | more than 3 years ago | (#34282092)

...that is, I've seen this bull before. At least twice, previously phrased as an "internet kill switch". Unfortunately, the problem with bad ideas is they're almost certain to eventually become law.
