Cybersecurity Laws Would Do More Harm Than Good
Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering."
Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau’s top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders."
What should that look like? (Score:5, Insightful)
Yes, we must do SOMETHING! Dunno what, but SOMETHING! And don't anyone think of the children?
Seriously, though. What kind of "action" does the honorable senator expect from Obama? I dunno, it seems Obama isn't just seen as some kind of magic worker by some voters (akin to "we gotta get the economy back on track, Obama, go and fix!"); it seems the honorable senator has fallen for the same spell. Great wizard Obama, swing your magic wand and DO SOMETHING!
There is no legal solution for it, though. First of all, you can't just outlaw hacking. That's already the case, you know? What do you want? More severe punishment? Doesn't faze the guy in Iran, China or $whatever-stan who wants to blow up your power plant. The only thing that might accomplish is to quench "hacktivism" akin to Anonymous with the drawback that everyone who actually knows a thing or two about hacking will keep their mouth shut instead of actually informing the relevant authorities.
Require companies to tighten their security? Then we are where we are already: where security is a topic for risk management, not for IT. How much does it cost to implement security? How much is the fine? How likely is it to happen? Now you can either lower the fine to a ridiculous amount where no halfway large company takes it seriously or jack it up to a level where doing online business becomes Russian roulette for smaller companies.
Because, and here's the actual problem, there is no such thing as perfect security. If everything else fails, your admin might double cross you.
Still, the ONLY place where you can put the lever is the target of attacks, not the source, since the source, as has been stated above, is often outside of your jurisdiction. But is putting the burden on the victim really the way to go? I kinda doubt it.
Bottom line, as long as people and companies have no interest in security, no law you could draft will change their attitude towards it.
For once be thankful for inability to act? (Score:4, Insightful)
... for once, we all should be thankful for our lawmakers' inability to act ...
Only once? While gov't does occasionally get things right, getting it wrong is hardly a rare instance.
Think about how often gov't gets it wrong with respect to tech issues. The truth is they get it wrong just as often in other domains as well. We merely don't understand those other domains so we don't see the problems, we read some news article and all we see is legislation with good intentions. I'm sure some non-techie is reading an article about gov't going to increase cybersecurity and is thinking "sounds like a good idea".
IMHO we in the U.S. are judging our politicians too often by their good intentions rather than their actual performance, and politicians have adapted to this environment accordingly. All they really care about is that they hold the "correct" stand on an issue, not actually accomplishing anything. Until we start voting out people because they supported well-intended but poorly thought out legislation, little will change.
why trust the government (Score:4, Insightful)
I am constantly amazed at arguments in favor of whatever government action folks want that base their premise on the trustworthiness of government. Why does anyone think they can trust a government? Now I am certainly not an anarchist; however, I take the same view of centralized government that the founders of the US took: powerful central governments will inevitably grow and be corrupted because they are comprised of humans who are eminently corruptible.
It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in private sector. They are all made of the same human stuff, all just as corruptible - the only meaningful difference is that the humans in government wield the power of massive force to accomplish their goals.
The government has NO business getting involved with cyber security any more than they do getting involved with how I secure my house or car. The government sucks at doing things efficiently and using best practices - the examples are legion.
People need to take personal responsibility for their systems and decisions.
Re:digital Blackwater eh? (Score:5, Insightful)
Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA I approached that implementing such a strategy would do nothing but earn me a long sentence in a federal prison...
As well it should.
Security is one thing, chasing criminals is quite another.
Protecting your network does not include attacking others. Packets arriving on your router are in no way like bullets arriving on your front door.
What's needed is a fast, focused, obligatory response from upstreams.
Too often complaining about an attack, even when the source is a known single point, results in no action at all from your provider.
Re:Not the same thing (Score:4, Insightful)
You've totally missed the point here.
The point is that big media used copyright laws to goad big government into taking world-scale action, including armed response, arrest, seizure, all in response to a little phrase in the law about "defending their copyright".
Can you imagine what might happen if you gave an Electric Power utility the right to counter attack rather than simply taking their plant control systems off of the public network?
Can you assure me you can write legislation authorizing counter attacks that will never result in more loss of freedom, more abuse of authority? Can you assure me that if I write a blog complaining about brownouts and post a link to the power company's complaints page, I won't have jack-booted thugs arriving at my doorstep simply because other people went to that page and complained also? Can you write legislation that will not be stretched to the point of labeling encryption a munition?
The issue here is infrastructure serving entire cities and states, not some web site that goes down meaning you have to drive to your bank rather than banking on line.
A thousand bullets hitting the wall of a fortress does nothing. 50 million hitting the wall in the same place may make a little hole after awhile.
But the minute I unplug the router and take my oil refinery off the public network, all those "dangerous packets" go nowhere.
Exxon does not need counter attack authority. Anyone thinking they do is a very dangerous person.