White House Circulating Draft of Executive Order On Cybersecurity 94
New submitter InPursuitOfTruth writes with news that the Obama administration has been circulating a draft of an executive order focused on cybersecurity. This follows the recent collapse of an attempt at cybersecurity legislation in the Senate. According to people who have seen the draft, the order would codify standards and best practices for critical infrastructure. That said, it's questionable how effective it would be, since participation would be voluntary, and the standards would be set by "an inter-agency council that would be led by the Department of Homeland Security." The other agencies involved would include NIST, the DoD, and the Commerce Dept. "It would be left up to the companies to decide what steps they want to take to meet the standards, so the government would not dictate what type of technology or strategy they should adopt."
Voluntary ? (Score:5, Insightful)
That said, it's questionable how effective it would be, since participation would be voluntary
That "voluntary" part is inserted to throw off people so that they can't object to this executive order
After a while, the word "voluntary" would disappear, and participation would no longer be "voluntary" and the whole thing would be run by the Homeland Security or one of the many 3-alphabet-agencies
Count on it !
Cyber-security or whatever -security it might be, they are all designed to do one thing - to take away the freedom of the ordinary people and to concentrate all the power at the top
Re: (Score:3, Insightful)
NSA's illegal wiretapping was "voluntary" when they approached all major telecom providers about it. And when Qwest opted out, they cut their government contracts, prosecuted their CEO on trumped-up charges, and ultimately bankrupted them.
These people are criminal scum. They have an agenda. They are pushing it through, and eliminating anyone who gets in their way.
Well that means one thing... (Score:4, Insightful)
... proof positive of the existence of persistent fuck you overs.
many might say that but in reality it more factual evidence of the degradation of the government of which the Declaration of Independence has instructions by the founders for the peoples as to what to do about the failing of government of which they foresaw the probability of...... Go ahead and read it for yourselves, the instructions really are ther with real life examples too, so to be clear of their intent to communicate to the people in such a time of need..
Re: (Score:3)
Re:Well that means one thing... (Score:4, Insightful)
Traditional media aims to be looking for a lock down and a wholesale information availability reset. The Justice Department seem to be helping that effort along and these appointed trade representatives, in secret no less, and not too mention a few other fronts of encroachment into what we, as citizens all of us, know as freedom.
God damn to hell the backroom deals of governing this people, any people. There is a hideous stench in that. And that goes too for our relations with other countries, each and every one - we negotiate in public or we do not negotiate. If you're a leader with something to hide and are oppressive to your people then the natural course of things dictates that you should probably not negotiate but each and every corner of how you rule will become open for this country to see and hopefully others could follow as well. Looking for oil? Looking for water? Looking for rice, corn, weapons or weed? Then we should know. All of our people need to steer this nation, on this planet, in a direction that will enable us and not just guide us to some random (or well guided) fucking meat cleaver of an end point. Espionage? Lay it out. Is there something to fear in that? Are we going to allow a continued epic conflict between sciences that we've learned and discovered and the thing that created all of this vast thing we call the universe - all of creation? Really? The learn while you're alive VS the thing you may learn when you are dead? There's a good fucking con job in there baby. Are we going to find a room of super sophisticated heads of three companies, a handful of dictators and another of base religious driven drivel meant to blindly guide entire nations into some great and epic battle? Engage the people of the planet when and wherever you can right? This is one large conference call of potential these Internet lines. Mesh.
So, how much longer are we going to do this? Just as long as it takes until we can no longer communicate this freely? I'm beginning to think Mr. Manning had intentions that were just. A cherry pick would have been a waste of his efforts if it is to mean anything - anything at all. People blow whistles and we allow ourselves to be blindly led into stopping the sound and not the reason. What the fuck is that? Who's scared and of what? The time to stop playing these ball twisting games that lead to things like Hitlers and Assads and any other family of horrors in charge, including the family of darkness that drives nails of control and oppression right here at home. Justice Dept., treaty makers, the court of corporate opinion and channeled funds of influence. It doesn't take money to elect our officials - it takes people. Vote for control. Collective voice, open forum, genuine good intentions for any breathing mother fucker on this planet. Stop. Not. Taking. Control. Vote. Now. Fuckin' a.
Who's it going to be? WHO? (keep scrolling) [presidenti...idates.org]
--
futility is never trying
Re: (Score:3)
Re: (Score:2)
The US isn't "vendor locked" into two parties. The problem is that the third parties do not exist with enough backing to become major players. Sure, on the whole, they might have a couple million or more devoted followers in a country that has a population of over 300 million. But they are spread out within so many places that they are more like 1 in 10 or so or even less when it comes to districts and electoral votes.
One of the reasons this is true is because all too often the voter is in damage mode tryin
Re: (Score:2)
actually since a number of states effectively disallow "write in" candidates then a bunch of votes will be counted AS INVALID (and a red or blue President will be elected).
Executive Orders vs. Checks & Balances (Score:5, Interesting)
On the other hand, the complete usurping of the very principles of enumerated and separated branches of gubmint in order to prevent abuse and provide for accountability.
vs. Nothing (Score:5, Insightful)
I shared it before, but this Congress has passed a pittance of actual legislation. The trade off is whether to have no work or at least something that works. The separation of powers was to avoid abuses, not to obstruct the government from running itself.
Re:vs. Nothing (Score:4, Insightful)
Oh I see, so in your opinion if you can't get the people's elected representatives to agree with your law, the just pass it without them. That's what the executive orders are for, right? Have you ever considered a possibility that passing new legislation is not automatically a good thing. Government is not a law factory where the progress is measured by the number of new laws produced.
Re: (Score:2)
Any legislation including something that "would be led by the Department of Homeland Security", unless that something is the dissolution of the Department of Homeland Security, probably won't be particularly effective. It will look effective, and make excellent use of phrases such as:
terrorist threat
safety
completely secure
information security
It will not be effective at it's plain-text task, but it will enable Homeland Security complete access to all information these private businesses have.
Re:Executive Orders vs. Checks & Balances (Score:5, Insightful)
On one hand, efficacy and direct, immediate action.
No. There's been nothing efficient, fast, or direct about this. It's another power grab by the Department of Homeland Security, and pardon my french, but fuck them. They have incompetently managed every resource assigned to them, whether it's investigating domestic crime, securing airports, or anything else. They've created gulag prison camps within our borders to throw protesters in, encouraged the usurpation of local and state laws to further their interests, they irradiate their citizens and workers alike to the point that cancer clusters are now showing up in TSA screeners that are well-beyond being able to be dismissed as a statistical abnormality, and the list goes on.
And now they want a master kill switch for the internet, to dictate terms about how all our communications infrastructure is organized, and they have deep connections with media organizations -- of which only a few need to be manipulated to suppress information at the national level. The Department of Homeland Security has become the Ministry of Truth, and thanks to clever and covert manipulation of the media and the occasional use of deadly force and questionable laws, has all but silenced dissent or even knowledge of what its activities are.
No. It's gone too far. It no longer matters to me how well-intentioned or beneficial a proposal is; If it is administered or requested by Homeland Security, my advice is to resist it in any way you reasonably can... they're a dangerous and corrupt organization, unamerican and destructive of the very means it seeks to protect. I'd rather have a hundred Osama Bin Ladens out there plotting the downfall of my country than to turn over my personal safety and security to a bunch of incompetent bureaucrats -- at least in the former case, I know who my enemies are.
Re: (Score:2)
Looks like you pissed off the brown shirt mods. Semi kidding aside the majority already know there won't ever be a hijacking on another plane again. The second that it happens the passengers will overpower the people, even if some of them die. By the time the plane gets to the ground, the only thing left of the hijackers will be a smear of blood and bone from the cockpit doors to exit doors from the passengers making sure that they never endanger another aircraft again.
The TSA in itself is a joke, they
-1, Disagree... again. (Score:1)
Re: (Score:1)
I take it that stating something that may be politically controversial is a 'troll' now on slashdot. Rather than having the decency to respond to my post with some informed criticism, you choose to mod me "-1, disagree". Undo your mod, press reply, and tell me what, exactly, you disagree with. Because while I might be full of sarcasm, I don't think I've said anything a lot of people wouldn't agree with or find a factual basis for.
Welcome to the People's Democratic Republic of Slashdot.
This happens to me all the time. Just ignore it.
All it does is prove that your attackers have no credible rebuttals, and thus strengthens the credibility of your posts.
I browse /. at "-1" because those are usually the posts that actually make the most sense and contribute the most to the discussion, if they're not GNAA/goatse/Netcraft posts.
Slashdot moderation abuse has nearly succeeded in completely flipping the whole ranking system on it's head, wher
It's the brown shirts (Score:1)
I got it all the time, my friend.
In fact, if you scroll up, you'd see that the brownshirts had already modded my comment down
Now Slashdot is crawling with many brownshirts, and some of them are said to have unlimited mod points.
Re: (Score:2)
I see your comments
Like the previous guy, I do read comments that are being modded down to "-1"
I may not agree with what they say, but I do read them
*cough* (Score:2)
Isn't it already up to companies to decide what steps to take for security?
Re: (Score:1)
It is but it's hard for the government to stop constantly producing new laws even if they are completely ineffective. The congress, not to mention state and local governments have already signed several libraries worth of new laws in 2012, as they do every year, and it would be a shame for the executive branch to be left behind.
Re: (Score:2)
Simple solution... (Score:2)
The Government will contract crackers to hack your company using exploits inside of the limits specified by the annual security proposal. The crackers get a little something something for their effort plus a bit more if they find new and interesting ways to break people security (fixes for which will be added to next years security standard.)
If they break in, they will levee a "Fine" from your bank account, set aside for security tax and charged for non compliance (by the way this "Fine" is prededucted from
How about some basic guidelines? (Score:5, Insightful)
Rule 1 of critical national infrastructure: Don't put it on the damned internet.
Rule 2: See rule 1.
Rule 3: Are you sure you saw rule 1? Quadruple check anyway.
Rule 4: Manufacture everything pertaining to the critical national infrastructure in your own country (microchips, resistors, diodes, final assembly, etc)
Rule 5: Keep it simple.
Now for big business:
Rule 1: Don't let anyone leave your office with a notebook or any form of portable media containing sensitive customer information unless it is encrypted and heading to your off-site tape storage facility.
Rule 2: Don't let anyone hook their own computers and gadgets up to your network.
Rule 3: If it needs to be on the internet, have a nice firewall between it and the internet.
Rule 4: Have your web browsers running in sandboxes.
There, now we don't need feel good, ineffective legislation.
Re: (Score:2, Interesting)
You make too much sense, especially regarding the manufacturing. Our manufacturing base is dead and gone and if we are ever to regenerate economicallly it will be when we begin making things again...
Re: (Score:3)
It may be shrinking, but $230 Billion in new orders sounds quite large for July.
http://www.census.gov/manufacturing/m3/index.html [census.gov]
Do you have any backup for what you're saying, or did you just repeat something you heard?
Re:How about some basic guidelines? (Score:4, Insightful)
We lost 13,000 maufacturing jobs last month.. that's a drop in the bucket. Now, look where wealth is generated and it comes from manufacturing things. Here is just one article on our decline. [huffingtonpost.com] When whomever is in charge wants to get serious about generating wealth again they'd do well to lift the burdens on U.S. manufacturers, get factories built and start building things again. Until then we are going backwards.
Re: (Score:1)
We need fewer people to manufacture the same amount of goods because technology. By and large, it isn't John Chinaman who is causing American manufacturing jobs to go away, it's R. Daneel Olivaw.
Facts do not agree with that "economist" (Score:2)
That guy doesn't even qualified as an "economist" -
Shrimp - China does _NOT_ export shrimps
The amount of shrimps China produces (from shrimp farms and caught from the sea) is not sufficient for China's own consumption
In fact, China IMPORTS shrimps from many South East Asian countries, from Australia, and even from Africa !!
Flat Screen TV - Many LCD TeeVee sold in the USA may have been assembled in China, but the crucial parts - the LCD panels, the electronics, - are made in Korea, Japan and Taiwan
China does
Re: (Score:2)
Manufacturing in general is losing jobs. Not only in the US but in third world countries like China and Mexico because of efficiency increases.
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aRI4bAft7Xw4 [bloomberg.com]
It's a reprise of what happened 50 years earlier when farms became mechanized. It is an inexorable inevitable trend that machines will replace humans in routine tasks.
The fact is that manufacturing as an economic sector in the US is doing fine. To paraphrase Mark Twain, rumors of demise are much e
Output Value Per Hour (Score:2)
Manufacturing in general is losing jobs. Not only in the US but in third world countries like China and Mexico because of efficiency increases.
http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aRI4bAft7Xw4 [bloomberg.com]
It's a reprise of what happened 50 years earlier when farms became mechanized. It is an inexorable inevitable trend that machines will replace humans in routine tasks.
The fact is that manufacturing as an economic sector in the US is doing fine. To paraphrase Mark Twain, rumors of demise are much exaggerated.
The US is easily the world's most productive manufacturing nation in terms of output value per hour, and also has the largest manufacturing economy in the world.
http://www.nam.org/Statistics-And-Data/Facts-About-Manufacturing/Landing.aspx [nam.org]
http://www.seeitmarket.com/u-s-still-in-the-business-of-making-things/ [seeitmarket.com]
http://business.time.com/2011/03/10/can-china-compete-with-american-manufacturing/ [time.com]
The United States of America achieved the highest Output Value Per Hour of all countries in the world by doing one thing - making super high valued items - like Stealth Fighter planes, Nuclear Submarines, Super-computers, and CPUs.
Except for the last item, which is produced by the millions, the rest of those super-high-valued items are not mass-produced - at least not mass produced to achieve the economy of scale.
That lies the problem.
The USA may be the biggest exporters of the world because there is still
Re: (Score:2)
Alternatively,
[National] Rule 1: put it on the internet, with suitable security, if doing so will save money
[Business] Rule 1: let media travel so long as it's encrypted
Hey presto, I get a country with lower expenses (lower tax rate), and a business where workers work more effectively at home. Up until the time I get attacked, then I've outcompeted you economically. Maybe you didn't even survive long enough to see the attack.
Re: (Score:1)
Alternatively, [National] Rule 1: put it on the internet, with suitable security, if doing so will save money
This.
In many ways the air gap is antithetical to the interests of both the government and any related organizations responsible for said infrastructure. The air gap is nearly impossible to manage in a sane and worthwhile fashion. You can read about the myth of the air gap here [tofinosecurity.com].
Re: (Score:2)
Now for big business:
You fogot rule 0
Rule 0: consider you have already been compromised
Re: (Score:3)
Too many things make this not possible to not have connected (air gapped). One is OATI [oati.com] and in California there is the CA ISO [caiso.com]. Both use the Internet for the agencies to connect to them and both are essential for the Energy Sector to function in an inter-connected grid. Agencies have to get SCADA information into billing/historical systems and conversely schedules have to get into SCADA systems. Both of these intermediate business networks need Internet access to OATI and CAISO. So while SCADA systems ar
Hate! Hate! Hate! (Score:2)
Obama administration has been circulating a draft of an executive order
What? Obama is going to force us to do something? Hate! Hate! Hate!
participation would be voluntary
What? How is that going to be effective, then? Obama can't get anything done! Hate! Hate! Hate!
Re: (Score:1, Troll)
Yes, you are right. We hate him not because he is the most radical liberal president we have ever had (yes, counting Carter), or because he socialized our healthcare system through a procedural loophole against the wishes of majority of Americans, or because he increased our debt from 10 to 16 trillion in 3 years with no end in sight, or because he went back on most of his election promises including bringing about a more transparent government, or because the highest percentage of Americans in history are
Re: (Score:1)
Hate to reply to a coward, anonymous or not, but what exactly did I say that is not correct except that I meant to say decades, as SS and madicare are not quite scheduled go bust in the next 10 years but even as it stands it is not much of an exaggeration.
Re: (Score:3)
Well, for one thing you posit that Obama 'socialized our healthcare system'. By that statement, you make it abundantly clear that you have no earthly idea what you are talking about.
Oh, now that I see your sig 'Socialism is slavery' I begin to understand. But you clearly, don't.
Re: (Score:2)
You don't think that "the government" forcing everyone to get insurance because it makes it cheaper in the long run for those already with insurance isn't socializing it? You don't think that increasing taxes and taking money from medicare in order to provide insurance for the poor isn't socializing it?
It may not be your ideal utopia of socialism but it isn't exactly not socialism either.
Wake up call! Medicare is socialized medicine. Obamacare is not.
Re: (Score:2)
They both are socialist programs- Neither is socialized medicine per se more rightly socialized health care. The only difference is whether you pay a middle man first or not, but the government control and forced participation is there. The government is still in control of the treatment options.
You need to look up socialism.
Re: (Score:1)
You should look up democratic socialism and Leninism.
Re: (Score:2)
You should look up democratic socialism and Leninism.
Post the link to the Glenn Beck video for me.
Re: (Score:1)
What is a glenn beck video?
Google will work for you, I've already checked those terms out and they are gold.
Obama is a LIBERAL?? (Score:4, Insightful)
Obama is a liberal? Are you nuts?
Obama is the best Republican president we've had since . . . Bill Clinton.
Re: (Score:2)
It all depends on your point of view. I agree that the mainstream Democrats have had some success is keeping their lunatic left wing quiet by pretending to be more liberal than they are, kind of like the Republicans pander to their religious nuts with words more than with actions. From my personal libertarian vantage point Obama certainly seems very liberal.
Re: (Score:3)
Hah. I'm from Canada and a conservative that makes me on average more "liberal" than most democrats. In truth I'm more libertarian than anything else. But Obama is a liberal, even by Canadian's leftwing standards.
Re: (Score:2)
Obama is unquestionably far, far to the right of Ronald Reagan. That is simply reality. Name practically any policy, Obama is farther to the right on the issue then Reagan was.
Although I realize when the "center line" has been pulled so far to the right practically everything appears "left"...
I'd like what you're smoking (Score:5, Informative)
You do realize that most of the "socialized healthcare" law came straight out of the Republican recommendations of less than 10 years ago and, with the exception of providing vouchers(!) for those who are lower income to buy commercial insurance, is nearly identical to the right's plan as a counter to the Democrats call for a single payer system?
You obviously have never heard of Keyens, either, or remember that in 1929, Herbert Hoover actually implemented many of the Tea Party recommendations in an attempt to prevent the national debt from growing as the federal government's income revenue shrank. Not only did it spiral the unemployment rate to 20%, but even when FDR implemented (effectively) Keyensian economics by leveraging the US governnment to create jobs it took 6 more years for the economy to stabilize. In 80 years we haven't had as wild a bubble burst, and yet the current presidents approach to stopping the hemmoraging - which worked almost immediately - is considered a failure? You do realize that the previous 6 years of growth was based solely on margin spending of consumers based on inflated values of their homes - and now that the market has corrected there is no more real estate to leverage in the same way, and nobody else in the world has any consumer money to spend either?
Did you miss the part about BHO getting rid of Don't Ask, Don't Tell? Did you miss how he promised health care reform and - even though you clearly don't need it - actually passed it? Did you miss how he promised to re-regulate the Financial industry, and put forth and passed legislation to do so, only to have the Republican held congress refuse to enact, fund, or appoint people to run it? Did you miss the part where he planned to pull us out of Iraq, and to draw down the surge in Afghanistan.
Has is been so long - 3-1/2 years - that you forget that the rest of the world hated us so fucking much that they gave him the Nobel prize for simply not being GW Bush? No, of course he didn't deserve it, but the whole rest of the world hated Bush and Cheney so much they gave hi a medal and a million dollars just for not being them. Let me repeat that - our allies don't hate our guts any more. Even the neutral states think we're okay now. Did you notice that, when Egypt and Libya went apeshit we didn't have to mobilize ground troops. Hell, we were barely involve. Our allies took that over and we didn't have to put on our cowboy boots and lead the charge.
As for corporate value, I'm not sure where you've been hiding where the Dow Jones doesn't get reported, but from when GWB took office in 2001 to when the bubble burst in 2008 - the peak!- the market went up by 32%, and then fell crashing down for a NET LOSS OF VALUE UNDER G W BUSH of nearly 23%, start to finish. That was my God damned 401k retirement fund. Holy shit that sucks. Since Obama took office, the market is up...sit down for this...62%. That's right, and that doesn't count the low spot - that's from the day they swore him in. In 3.5 years he did DOUBLE for the value of the market what GW Bush did right before the bubble burst. We just had the worst market crash in 80 years, and in 40 months the market is back to within spitting distance (5%, if you're counting) of the all time high.
Are you worried about gas prices? Ever wonder when gas has been the most expensive? Yup G W Bush - mid 2008. Even higher than right now. And do you know why gas is so high? It's not because we're dependent on foreign oil - our dependence has gone DOWN under Obama. It's because we're EXPORTING most of our gas to other countries who are willing to pay more! Gasoline was the #1 (total, top, more than anything else) US EXPORT last year. We're making money hand over fist on it. Are you going to fault Obama for not restricting exports to keep gas prices down, because that would do it. And you know that pipeline through PA Romney is going to build the day he gets into office? It's not for keeping domestic oil in the US, it's to get oil to the gulf where is can be refined and exporte
Re: (Score:2, Interesting)
in 1929, Herbert Hoover actually implemented many of the Tea Party recommendations in an attempt to prevent the national debt from growing as the federal government's income revenue shrank.
That's absolutely false. Hoover never cut taxes (which is Keynesian incidentally), spending, or the deficit. He increased all three. In 1932, he proposed increases in spending. Roosevelt mocked him and ran on a balanced budget platform. In 1932, Roosevelt was the Tea Party candidate. Once elected, Roosevelt rebranded Hoover's programs as the New Deal and implemented them, abandoning his campaign promises of a balanced budget.
It's true that the economy showed some signs of recovery at that time. It is
Re: (Score:1)
You do realize that rejected and failed plans from the past does not all the sudden mean universal support in the present right? There is a reason why it was just a
No DHS (Score:5, Insightful)
led by the Department of Homeland Security
Anything led by the DHS is bound to go from "voluntary" to mandatory (or hyper peculiar) too quickly. I can't imagine the same band of brigands doing such things as this [techdirt.com], this [techdirt.com] , this [slashdot.org], or that [epic.org], and so on [boilingfrogspost.com] and so forth [youtube.com] could offer anything constructive to the interweb or anything else.
Voluntary - Mandatory (Score:5, Insightful)
First it's purely voluntary.
Then it's voluntary... but if you want to be a supplier to the US Government, you must implement it.
Then if you want to continue being a supplier, you MUST implement it AND your own suppliers must do it, or you can't be a supplier.
By this point since "almost everyone is doing it anyway" and "those who aren't are clearly a threat to security" it will be mandatory.
E
Re: (Score:2)
Re: (Score:3)
It will get even more interesting once you get lobbyists from the various hardware and software manufacturers involved. I could easily see this getting into a situation where companies need to switch from Vendor X to Vendor Y for their antivirus or firewall software to get that government contract, because only the latest version of Vendor Y's product is on the "Homeland CyberSecurity Approved" list.
Companies like Microsoft and Oracle will love this, because it's one more way they can lock out smaller open
Failure of Congress again... (Score:2)
May be I'm just looking through my tainted glasses, but here's another example of failure of congress to do it's daily job that the Obama has to step in and issue another executive order. The spirit of Checks and Balances is being broken again because the government as a whole isn't doing its job.
Well, if the right (or Reid for that matter) keep this up, may be a Romney presidency will see at least some legislation passed since they at least have convinced themselves to like him--and may be there will final
Re: (Score:2)
Yep, your glasses are tainted. If doing something is a power delegated to Congress and Congress doesn't do it, it just shouldn't get done. It's not up to the executive to decide what Congress should do and then do it for them.
You know what they want? Obedient workers (Score:1)
Memorable quotes for
Looker (1981)
http://www.imdb.com/title/tt0082677/quotes [imdb.com]
"John Reston: Television can control public opinion more effectively than armies of secret police, because television is entirely voluntary. The American government forces our children to attend school, but nobody forces them to watch T.V. Americans of all ages *submit* to television. Television is the American ideal. Persuasion without coercion. Nobody makes us watch. Who could have predicted that a *free* people would voluntarily s
"Cybersecurity?" (Score:2)
Isn't cybersecurity just another way of telling people how to talk on the internet?
Maybe some First Amendment concerns?
Mandatory already for electric power (Score:3)
For the high voltage part of the electric grid there are already mandatory standards, They are part of the reliability standards mandated by a 2005 law and are produced by an industry consensus standards organization. However, upon acceptance by the Federal Energy Regulatory Commission (FERC) they become mandatory with maximum penalties of a million dollars a day per violation.
The early versions of the standards mainly required asset owners to attend to cybersecurity by identifying critical assets and making and following plans to protect them. The early violations were not having the plans and not updating them. Some asset owners tried to say they didn't have any critical assets. Over the years provisions have tightened (like defining what kinds of assets are critical and requiring that the plans not only be prepared but actually followed).
The asset owners have some legitimate concerns. For example, if the standards give discretion to auditors in reviewing the quality of their cybersecurity protections, they are worried about auditors who don't really understand the technology, see an actually inapplicable "best practice" somewhere and downrate the cybersecurity protections if the practice isn't followed. For example, the general practice in IT is to routinely install vendor patches. However, the proper practice in electric grid control systems is to individually test the patches to ensure that they don't cause system instability or equipment misoperation. You don't routinely install vendor patches if your job is to keep the lights on.
Mandating of cybersecurity has to be done carefully with sensitivity and attention to details in the application domain. But it does need to be done.
Re: (Score:2)
Agreed. The Whitehouse needs to keep their hands off of the Electrical sector and let us continue to do what we're doing.
Federal Energy Regulatory Commission Chairman Jon Wellinghoff [thehill.com] is pandering to Congress and the Whitehouse with untrue statements such as:
“No. 1, I don’t have an effective way to confidentially communicate [cyber threats] to the utilities,” Wellinghoff said. “And No. 2, I have no effective enforcement authority, and I’ve said this for six years now. And I
Re: (Score:2)
Some problems do remain. FERC and NERC only control the Bulk Electric System. The state PUC's regulate the distribution system, and few PUCs have the capability for overseeing cybersecurity. Second, there is huge pushback on NERC when they try to tighten the CIP standards. The prime example is the continued existence of the scope exclusion for non-routable protocols. They are just as vulnerable as routable protocols, but if they were made in scope asset owners would have more work to do to protect them
From the actual memo (Score:1)
The memo starts:
Too little. Too late. And too much.
The standards already exist (Score:4, Insightful)
...in the NIST SP-800 series of publications. Federal (US) agencies are already expected to abide by the standards described in that series, as well as other NIST/FIPS publications, e.g.FIPS 140-2 for cryptographic modules,or FIPS 200 for establishing minimum security requirements for specific systems.
Having had to study several of those publications for work-related tasks, I don't see where there should be any level of pushback from the corporate IT world, since a great many of them already have security measures in place that meet or exceed the requirements described in the NIST and FIPS publications. Individuals' systems, or SOHO systems and networks, would be a bit more problematic; a retailer throwing together an office network of four or five off-the-shelf boxes from (picking a name at random) Dell would likely have no idea where to start in trying to meet all the various technical specifications described just in NIST 800-59, if they even know that publication exists.
Bottom line...there's a great deal of education that will be required, not only with individuals and small-shop operators, but with network designers and custom-system builders. The days of ordering up a laundry list of parts from (again, grabbing names out of midair) NewEgg, throwing them together and delivering a completed machine to a customer with a pat on the back and a "have fun" are gone. Especially if the customer falls into one of the more ticklish areas of electronic security, such as a doctor's office or a law firm.
Just my 2p worth.
Hey, what ever it takes (Score:2)