New Bill Would Put DHS In Charge of 'Critical' Private Networks

GovTechGuy writes "A new bill unveiled Wednesday by House Homeland Security chairman Bennie Thompson (D-Miss.) would give the Department of Homeland Security the authority to enforce federal cybersecurity standards on private sector companies deemed critical to national security. The Homeland Security Cyber and Physical Infrastructure Protection Act of 2010 authorizes DHS to establish and enforce risk and performance-based cybersecurity standards on federal agencies and private sector companies considered part of the country's critical infrastructure. Such firms include utilities, communications providers and financial institutions."

What is the determination?

[databyss]

I'll assume they can designate any forum they don't like as critical to national security due to terrorists using it to communicate.

I'll sit over here

[Megaweapon]

and wait for the Republicans to fight this government intervention tooth and nail. .........

Re:What's the alternative

[lgw]

Has the DHS demonstrated that they are any smarter than the current crop? Is an enforced monculture somehow better for security than a variety of solutions? Is the DHS going to be immune to carefully chosen campaign contributions at the federal level, resulting an an all-Microsoft infrastructure?

The way IT for banks is regulated, by creating standards that the banks must comply with but not dictating specific solutions, might work OK here. But I have no faith that that's where "OMG, the government needs more power" is going to end up.

Better Yet

[ciderbrew]

Stop spending Tax, giving yourself more powers. You should have rules in place for internal departments and for any company that is THAT important, surely any contract set up would require some terms and conditions.

Re:Wording is vague.

[Rosco P. Coltrane]

If that just means new security standards that companies have to meet, then I can't see the harm in that

When the standards are defined and enforced by incompetents, they tend to be useless, costly and bad for productivity.

Re:Wording is vague.

[chemicaldave]

It's certainly the right idea if standards are all they're pushing. But I agree, the DHS shouldn't be involved in this. I can't see why they are in the first place other than someone used the word "terrorist".

Competence

[Anonymous Coward]

Considering that the DHS is probably one of the most dysfunctional, incompetent departments in the entire federal government, I find that more frightening than the terrorists.

What's critical?

[girlintraining]

As we saw with anti-terrorism spending, what's deemed critical and what truly is hasn't exactly ever been the same.

Lame Duck

[MikeB0Lton]

As if they haven't spent enough tax dollars they don't have.

As Ben Franklin said ...

[Anonymous Coward]

They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety

This is the race to facism at its finest.

[mr_mischief]

I'm sure "federal cybersecurity guidelines" for a network include having Federal employees shutting down general non-critical access and putting control of the network under FEMA control whenever there's a disaster. That's great for a network owned by the Federal government. It's an abomination against the rights of the people and private companies to do those things to a commercial network on which millions of people rely for their own uses.

It's called "socialism" when the government takes over industry for the people. It's called "facism" when the government takes over industry to enhance the power of the government. Somehow I just can't see the government taking over control of networks the citizens use as benefiting the people more than the government.

Re:I'll sit over here

[schmidt349]

Sorry, the Republicans only fight government intrusion if it lacks the magic words "national security" and your annual income is above $250,000.

In this instance what they can do for you is a visit from Ann Coulter, who will shriek "why do you hate America SO MUCH" loud and shrill enough to shatter all the glass in your house.

Not necessarily monoculture

[bsDaemon]

This move doesn't necessitate a monoculture, it just depends on how they write the law and how those in charge of implementing it end up crafting regulations. As long as they're only enforcing standards and not a standard implementation, then its probably OK, as you stated in the second part of your post. For instance, if the regulation states that networks which have any convergence points with the public internet have, at all crossover points, IDS/IPS systems in place which meet a certain level of ability, then its up to the firm who owns the network to decide whether to go with a solution from Cisco, Juniper, Sourcefire, or another vendor, or to roll something home-grown as long as they can meet the requirements.

I'm sure most of the organizations which will be affected by this will already have most, if not all, the necessary security mechanisms in place. However, they may be out of date to some degree, not properly monitored, and some smaller organizations may be missing large swaths of helpful security infrastructure and best practices because it just hasn't "been an issue" for them in the past. This is probably a fairly direct result of the Stuxnet work/virus. Whether Federal mandates are actually going to help remains to be seen, but if they follow sane policy frameworks such as those outlined by the NSA IAD and the CNSS then this ought to be fine.

Since this is Slashdot, I'm sure at least a plurality will focus on the "private" in critical private network, as evidenced by the air quotes around 'Critical' in the lead line of the story, however when we're talking about power, water, and communications systems critical probably isn't strong enough a word to describe them, and their ability to operate is largely a result of government-enforced monopolies and government-enforced easements, so I wouldn't really call them 'private' either.

Re:What's critical?

[Anonymous Coward]

In fact, the DHS have demonstrated a DISTURBING lack of understanding of "Critical" by applying no protection where the real problem is and spending billions on new scanners and paying people tofonsdle our junk. In the end, they've no business protecting anything if they can't get this much right.

Re:Wording is vague.

[locallyunscene]

Thank you. I agree, defining standards are okay, but DHS should be the last one selected to do it. Networks like these need security not security theater.

Re:What's the alternative

[TrisexualPuppy]

And how hard is it to apply what you have hopefully learned with the rest of the legislation passed in the ten years?

Repeat after me. This legislation exists to build a presence.

At the best, it will do what the FAA's legislation has done to General Aviation over the past fifty years. Overregulation of federal standards which cripples usefulness/availability and stagnates innovation because new ideas are either illegal to implement, or they become too expensive to try. Give it five or ten years, and we will of course have the need for DHS to be able to overtake the Internet during "national technological emergencies" declared by the president. These boys would already have had that kind of legislation in place if any security problem really did exist on the Net and we had been attacked because of it.

Re:Not necessarily monoculture

[cayenne8]

I guess again..I just don't trust them.

Who's to say WHAT is a critical business infrastructure? Sure, it may start now with financial institutions, the power grid, etc...things I think many people could agree upon. But as with all govt. regulations....you will get scope creep, it is just the nature of the beast.

Look at the recent discussion here about the move to force many if not most websites to conform to new ADA guidlines?!?!

In that argument, they said the *MIGHT* not force private, small websites to comply....might not??

Once the Feds can get into private companies and tell them what to do...it is kinda like the mob, they get more and more and more involved. Once this starts spilling over into small businesses...the cost of regulations will likely knock a lot of the smaller guys off, and close the market to new competition from smaller businesses.

Re:I'll sit over here

[IgnoramusMaximus]

That is due to the tremendous difference between the Democrats and the Republicans:

During the Republican reign within the last 50 years, the average, inflation-adjusted US worker's income increased -1% and the average CEO's income increased 500%. This stands in great contrast to the Democrats, under whom the average US worker's income increased -1% and that of the CEO mere 400%.

This shocking difference explains the dire straights your poor, rich corporation is in, thus necessitating further belt-tightening, "shared sacrifices" and other "austerity" measures...

Re:Not necessarily monoculture

[LifesABeach]

I question, "Why the DHS?" In retrospect to the 'Katrina' event, and how DHS helped American citizens then; I see no reason to believe that the DHS won't repeat itself when it is involved in another 'opportunity in which to excel.' And now the TSA, a love child of the DHS has basically created an environment in which Horses Asses can be generated, without the need for the rest of the Horse. There's a reason why the rest of the Horse should be attached.

Re:I'll sit over here

[divisionbyzero]

and wait for the Republicans to fight this government intervention tooth and nail. .........

You'll be waiting a long, long time. Chances are that most of the companies that would benefit from this legislation (i.e. large IT shops) donate more money to the Republicans than the Democrats. You act as if there is a fundamental difference in the parties rather than rationalizations for supporting whichever group gives the party more money. Neither of the parties believe in the principles which they espouse. They simply cater their rhetoric to whomever gives them more votes or money. This kind of stitched together ideology is full of contradiction. The Republican party as it exists now is a great example.

Re:Not necessarily monoculture

[hedwards]

As opposed to the current business practice of bolting on a tin can solution to a gold plated problem? I mean seriously, corporations rarely if ever spend enough on cyber security. A lot of the massive exploits were only accomplished because the corporation that got ripped off wasn't even implementing the most basic policies.

Having the government threaten to take over their network if they aren't properly secure it would likely go a long ways towards them actually behaving responsibly, even if the government never does it.

Re:I'll sit over here

[hedwards]

What's fucked up about the US is that "austerity measures" is just a code word for we're going to cut funding to things which even out the income distribution and welfare. So, that we can send the money to the rich who apparently are capable of printing money. Also that people are more concerned with the welfare of parasitic billionaires that the folks that actually produce the wealth.

I'm really curious as to where the wealth in the US comes from, because it apparently doesn't actually involve anybody having to work for it.

Re:Not necessarily monoculture

[Reziac]

Further, I wonder what would be defined as 'critical'. Certainly it would start with infrastructure, but at some point it's going to creep into everything at every level, as nearly every gov't regulatory function before it has done. Twenty years from now your home network could conceivably be deemed 'critical' because you happen to work for the power company.