Cybersecurity Laws Would Do More Harm Than Good
Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering."
Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau’s top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders."
digital Blackwater eh? (Score:2)
That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.
Re:digital Blackwater eh? (Score:4, Interesting)
That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.
Given the complications of anonymity, subterfuge, and just outright corruption that could complicate an e-mercenary squad, the implications of this sort of thing proliferating will be HUGE. I don't like the idea of the government getting involved where they aren't needed, but at least they are typically either amenable to openness (via the FOIA or similar), or they are large enough to have a whistleblower ecosystem pre-installed (e.g. Bradley Manning). A private third party, whose allegiance might literally even be to a foreign state, is a very scary thought.
Re: (Score:1)
Bradley Manning wasn't a whistleblower, he just dumped anything he could get his hands on like a spy.
Re: (Score:2)
That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.
Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA I approached that implementing such a strategy would do nothing but earn me a long sentence in a federal prison...
Re:digital Blackwater eh? (Score:5, Insightful)
Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA I approached that implementing such a strategy would do nothing but earn me a long sentence in a federal prison...
As well it should.
Security is one thing, chasing criminals is quite another.
Protecting your network does not include attacking others. Packets arriving on your router are in no way like bullets arriving on your front door.
What's needed is a fast, focused, obligatory response from upstreams.
Too often complaining about an attack, even when the source is a known single point, results in no action at all from your provider.
Black ICE [Re:digital Blackwater eh?] (Score:2)
Interestingly, I had that idea (offensive cyber security) about 5 years ago, but was told by the TLA...
And William Gibson talked about offensive cyber security quite a few years before that [tangentonline.com]-- he called it Black ICE. (ICE = Intrusion Countermeasure Electronics)
Re: (Score:2)
Why is that an issue if the response is digital? (Score:1)
That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.
It doesn't matter where the attack comes from, if the response is to counter-attack the computer system attacking you digitally.
You can imagine a team expert is taking over control of botnets or discovering control servers and using exploits to disable them.
In the end the owner of a system on a network has the responsibility to keep a system they control from attacking other systems on the network. If
Re: (Score:3)
the network being attacked should have the right of self-defense
Be careful what you wish for. You might just get it.
A packet is not a bullet. Don't equate the two metaphorically.
When you start giving people attack authorization in an effort to curb ping floods you are asking for the same
type of unfettered authority that big media used to go after Kim Dotcom. You will rue the day such a
provision became the law of the land.
Not the same thing (Score:1)
A packet is not a bullet. Don't equate the two metaphorically..
Metaphorically speaking, it can be identical. It is not always so, but a system being flooded by a botnet is under attack just as surely as a fortress with a thousand bullets flying at the walls.
When you start giving people attack authorization in an effort to curb ping floods you are asking for the same type of unfettered authority that big media used to go after Kim Dotcom.
We are talking self-defense of a server being attacked over a network.
Re:Not the same thing (Score:4, Insightful)
You've totally missed the point here.
The point is that big media used copyright laws to goad big government into taking world scale action, including armed response, arrest, seizure, all in response to a little phrase in the law about "defending their copyright".
Can you imagine what might happen if you gave an Electric Power utility the right to counter attack rather than simply taking their plant control systems off of the public network?
Can you assure me you can write legislation authorizing counter attacks that will never result in more loss of freedom, more abuse of authority? Can you assure me that If I write a blog complaining about brownouts and post a link to the Power Companies complaints page, that I won't have jack booted thugs arriving at my door step simply because other people went to that page and complained also? Can you write legislation that will not be stretched to point of labeling encryption a munition?
The issue here is infrastructure serving entire cities and states, not some web site that goes down meaning you have to drive to your bank rather than banking on line.
A thousand bullets hitting the wall of a fortress does nothing. 50 million hitting the wall in the same place may make a little hole after awhile.
But the minute I unplug the router and take my oil refinery off the public network, all those "dangerous packets" go nowhere.
Exxon does not need counter attack authority. Anyone thinking they do is a very dangerous person.
Re: (Score:1)
The point is that big media used copyright laws to goad big government into taking world scale action
Yes they did, and that is utterly unlike private companies taking action for virtual defense. There is nothing whatsoever similar about the two things. I'm not missing anything; you are confusing everything.
all in response to a little phrase in the law about "defending their copyright".
Defense of copyright is an abstract concept with a huge legal and regulatory structure built around it. What it is not at
Re: (Score:1)
People who live in digital houses shouldn't throw packets...
Re: (Score:3)
You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right? Among the dozens of other ways you can be misled about the source of something?
Not too smart to let your adversary control your targeting.
You do know that most "computer systems" are shared hosting, right?
I can't imagine a "team expert" doing very damn much good in most cases, but I can sure imagine a team cowboy doing a whole helluva lot of damage to disposable tentacles, and a whole helluva lot of collateral dama
Re: (Score:1)
You do know that the Internet doesn't guarantee the authenticity of source IP addresses, right?
Presumably a "digital blackwater" would be able to double check before attacking.
You do know that most "computer systems" are shared hosting, right?
Yes, I also know that the shared hosting can impose processor and memory limits on slices so impact of attacking that share would not affect the other shares (unless you are talking about a reverse denial of service, which I am not).
I am not talking about a nuclear ne
Re: (Score:2)
Here [wikipedia.org] is the kind of double checking we got from "analog blackwater". You may have noticed it caused kind of a bit of concern at the time.
Why would one expect "digital blackwater" to be better, exactly? Cowboys are cowboys.
It's not that easy to get into just anything on demand. This team of yours is go
Re: (Score:3)
Which is precisely the problem. If you are a corporation then US law prohibits you from striking back. So all you can do is play defense defense defense. You can harden your systems all you want but being a stationary and fallible target it's almost inevitable that you'll be compromised. It's too easy to compromise a system. And even if you identify the attackers it's unclear if the judicial system simply doesn't care or the government is the attacker. It's incredibly difficult to press charges ag
Re: (Score:2)
Maybe the " defense defense defense" approach is flawed also (or perhaps the way that people "play defense" is flawed). Perhaps you start by looking at what technologies have been compromised most frequently and you avoid those technologies.
Re: (Score:2)
Perhaps you start by looking at what technologies have been compromised most frequently and you avoid those technologies.
That technology is usually a person.
Re: (Score:2)
That sounds like a particularly nasty mess right there, as most of the attacks originate from foreign soil.
This is terrible terrible news for the coffee shops of the world that offer free wifi.
Because if someone can break in, either the company broken into is completely incompetent at their own security, or the attacker is good enough to have the foresight required to not to launch an attack from their own network.
We should almost always be thankful (Score:1)
" and, for once, we all should be thankful for our lawmakers' inability to act."
We should almost always be thankful of our lawmakers' inability to act. Consider how many times each day you say to yourself how glad you are that someone else decided something on your behalf.
Re: (Score:1)
Don't use logic on the libertardians, it only infuriates them.
The free market will sort *that* out, too...
Re: (Score:2)
I believe you forgot the part where "the motherland will provide!"
But you're probably too young to know what that's referencing.
The government already has security requirements (Score:1)
Uncle Sam already plays a heavy hand by defining standards that apply to software products that are sold to the US government. Ever hear of FIPS 140-2? The document that says exactly which encryption algorithms are allowed and not allowed? Both Microsoft and Linux vendors (RedHat, SuSE) have incorporated FIPS mode in their operating systems. Not surprisingly, these modes are generally turned off...
Re: (Score:2)
Not surprisingly? Do you have ANY clue on this subject at all?
What is wrong with mandating someone use a validated, tested algorithm and implementation instead of pulling one out of their ass and claiming their "proprietary solution" is superior?
The only thing turning off FIPS 140-2 compliance mode does is allow users to make stupid choices. FIPS mode prohibits that.
What's your issue?
Re: (Score:2)
His/her issue is probably the concept that one government can set a mandate on a piece of software used internationally.
Re:The government already has security requirement (Score:4, Informative)
It doesn't. It mandates the use of FIPS 140-2 validated components when doing business with or for the Federal Gov't.
Most people wouldn't even know if it was turned on. All it really does is set a configuration where when you use crypto all that is available to choose from is 3DES and AES. And for hashes, SHA-1 or SHA-2 suite. You can't use MD5, Blowfish, DES, or some proprietary crap the vendor is trying to pawn off to lock you in.
And it must be a validated implementation. That is, you can't code up your own version of AES in Javascript and use that. Yes, OpenSSL has a validated version and that is the core module used by almost everyone in FOSS land.
I'm having a hard time understanding why, of all the things gov't mandates, picking on THAT one as a bad example.
Re: (Score:1)
I have lots of issues with FIPS 140-2. Number one on the list is the fact that the list does more to constrain algorithms than to guarantee a good algorithm will be used. Number two... people are afraid to upgrade to a newer OpenSSL with security patches for fear of losing their precious $50,000 validation. I also have issues with the self-testing requirements. It's a waste of CPU time. Why make people wait an extra half-second every time they open a program that uses encryption?
Re: (Score:2)
I'm not sure I understand. By constraining algorithm choice to good algorithms it guarantees a good algorithm will be used. Are you saying that the SHA-2 suite and AES are not good algorithms?
The recent validation of OpenSSL FIPS Object Module 2.0 should address fear of patches. If it doesn't, then they are either dicking with the code themselves and are rightfully fearful, or don't understand the process.
As for self-testing requirements, wow. That explains the issue. That mentality right there is why secur
Re: (Score:1)
What possible good is re-encrypting the same test data every time you load the library? Either the algorithms are correct, or they're not.
Re: (Score:2)
To ensure that the module itself hasn't been tampered with once it has been validated.
Verifying correctness of the algorithms and their implementation was the purpose of the lengthy NIST validation process.
After that, before each use, they're checking to make sure someone hasn't pulled a fast one and modified the code.
Ken Thompson's ACM classic Reflections on Trust [bell-labs.com] back in 1984 really laid this issue bare. He was discussing compilers, and considering OpenSSL's validation is for source code and you can co
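The two points argued in this subthread, that a FIPS-style mode only exposes an allow-list of algorithms (the "3DES and AES, SHA-1 or SHA-2" comment above) and that the power-up self-tests exist to catch a module whose bytes have been altered since validation rather than to re-prove the algorithm, can be shown in a few lines. The following is an added illustration written for this page; it is not code from any FIPS-validated module or from OpenSSL, and the allow-list, the integrity key and the "module bytes" are constructed stand-ins. The SHA-256("abc") known-answer value is the published FIPS 180 test vector.

```python
"""Toy "FIPS-like" crypto module: allow-listed digests, plus a power-up
integrity check (HMAC over the module bytes) and a known-answer test.
Added example for this page; not a real validated module."""
import hashlib
import hmac

# Illustrative allow-list in the spirit of the comment above (assumption:
# this is example content, not the text of any FIPS approved-algorithm list).
APPROVED_HASHES = {"sha1", "sha256", "sha384", "sha512"}

# Published FIPS 180 known-answer vector: SHA-256 of the ASCII string "abc".
KAT_SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


class ModuleIntegrityError(Exception):
    """Raised when the self-tests fail; the module then refuses all service."""


def seal_module(code_bytes: bytes, integrity_key: bytes) -> str:
    """What the build/validation step records: a MAC over the shipped bytes."""
    return hmac.new(integrity_key, code_bytes, "sha256").hexdigest()


class FipsLikeModule:
    def __init__(self, code_bytes: bytes, integrity_key: bytes, expected_mac: str):
        self._ready = False
        # 1) Integrity test: the bytes loaded now must be the bytes that were validated.
        actual = seal_module(code_bytes, integrity_key)
        if not hmac.compare_digest(actual, expected_mac):
            raise ModuleIntegrityError("module bytes differ from the validated build")
        # 2) Known-answer test: exercise the digest once and compare to the published answer.
        if hashlib.sha256(b"abc").hexdigest() != KAT_SHA256_ABC:
            raise ModuleIntegrityError("SHA-256 known-answer test failed")
        self._ready = True

    def digest(self, algorithm: str, data: bytes) -> str:
        """Hash with an approved algorithm only; anything else is refused."""
        if not self._ready:
            raise ModuleIntegrityError("module not in the operational state")
        name = algorithm.lower()
        if name not in APPROVED_HASHES:
            raise ValueError(f"{algorithm} is not approved in this mode")
        return hashlib.new(name, data).hexdigest()


def demo():
    """Runs the module through the three cases the thread talks about."""
    key = b"example-integrity-key"                      # constructed value
    code = b"pretend these are the module's compiled bytes"  # constructed value
    recorded_mac = seal_module(code, key)

    module = FipsLikeModule(code, key, recorded_mac)
    approved_result = module.digest("sha256", b"hello")

    try:                                 # non-approved algorithm is refused
        module.digest("md5", b"hello")
        md5_refused = False
    except ValueError:
        md5_refused = True

    try:                                 # one altered byte fails the integrity test
        FipsLikeModule(code + b"\x00", key, recorded_mac)
        tamper_detected = False
    except ModuleIntegrityError:
        tamper_detected = True

    return approved_result, md5_refused, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The integrity check is the part that answers "what good is re-encrypting the same test data every time": the known-answer test alone would pass on a subtly modified build, so a real module pairs it with a check over its own image, and the MAC recorded at validation time is what ties the running code to the code that was examined.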
What should that look like? (Score:5, Insightful)
Yes, we must do SOMETHING! Dunno what, but SOMETHING! And don't anyone think of the children?
Seriously, though. What kind of "action" does the honorable senator expect from Obama? I dunno, it seems Obama isn't just seen as some kind of magic worker by some voters (akin to "we gotta get economy back on track, Obama, go and fix!"), it seems the honorable senator seems to have fallen for the same spell. Great wizard Obama, swing your magic wand and DO SOMETHING!
There is no legal solution for it, though. First of all, you can't just outlaw hacking. That's already the case, you know? What do you want? More severe punishment? Doesn't faze the guy in Iran, China or $whatever-stan who wants to blow up your power plant. The only thing that might accomplish is to quench "hacktivism" akin to Anonymous with the drawback that everyone who actually knows a thing or two about hacking will keep their mouth shut instead of actually informing the relevant authorities.
Require companies to tighten their security? Then we are where we are already: Where security is a topic for risk management, not for IT. How much does it cost to implement security? How much is the fine? How likely is it going to happen? Now you can either lower the fine to a ridiculous amount where no halfway large company takes it seriously or jack it up to a level where doing online business becomes Russian roulette for smaller companies.
Because, and here's the actual problem, there is no such thing as perfect security. If everything else fails, your admin might double cross you.
Still, the ONLY place where you can put the lever is the target of attacks, not the source, since the source, as has been stated above, is often outside of your jurisdiction. But is putting the burden on the victim really the way to go? I kinda doubt it.
Bottom line, as long as people and companies have no interest in security, no law you could draft will change their attitude towards it.
Re: (Score:3)
The point is that you can sponsor it all you want, government cannot take this problem off you. Sorry, some things you gotta sort out for yourself, no wizard of Washington will fix it for you.
Re: (Score:1)
But some examples I can imagine: pick an ISP who quarantines infected computers, use VPN to create a virtual network of secure machines on an insecure network, build a more secure OS (see security design in modern mobile OSes, or isolation in modern browsers), use alternate net
Didn't Lieberman help make PGP? (Score:1)
In the 1990s, didn't the same senator demand laws against all crypto, causing PRZ to make PGP in the first place?
Wasn't he also behind the push for the Clipper chip, key escrow, and other GAK (government access to keys) measures?
*sigh* I wish I could vote for a Tim May and Black Unicorn ticket.
There is more concern than most people think (Score:2)
There was no threat before 9/11 either (Score:2)
The threat of terrorist attacks before 9/11--I'll interpret that to mean "the impending threat leading up to 9/11"--is nothing. It's akin to the threat of getting hit by a meteor, or lightning. It'll happen -eventually-, for sure; there's always been terrorists, lightning, and meteors. Here's the thing: Terrorists hit shit with the planes because of dumb luck. They've been in and out and tried this stuff for decades, finally got one through, and haven't since. TSA is ineffective as hell, but locked c
Re: (Score:2)
The threat before 9/11 was well known, not only by our own people, but by other mid-east countries that tried to warn us, and even tried to hand over Bin Laden. Clinton was too busy getting BJs by Lewinsky to even worry about what everyone was telling him. After all, two previous bomb attempts on World Trade were merely petty criminals, right?
Means and methods were not discovered until after the fact, but they were there and these particular terrorists were already being watched. One was already in jail.
T
Re: (Score:2)
2 previous bomb attempts on the WTC, also the Oklahoma City Bombing, some other random crap from here or afar.
You make my point for me though. There was terrorism before 9/11. There is terrorism after 9/11. 9/11 wasn't special, it wasn't the beginning of a trend, it wasn't a new thing; it was the exercised probability that you'll get hit by lightning. Yeah, okay, maybe somebody dropped the ball; eventually somebody always drops the ball.
In this case it looks like they were dropping the ball so hard th
TSA (Score:3)
For once be thankful for inability to act? (Score:4, Insightful)
... for once, we all should be thankful for our lawmakers' inability to act ...
Only once? While gov't does occasionally get things right, getting it wrong is hardly a rare instance.
Think about how often gov't gets it wrong with respect to tech issues. The truth is they get it wrong just as often in other domains as well. We merely don't understand those other domains so we don't see the problems, we read some news article and all we see is legislation with good intentions. I'm sure some non-techie is reading an article about gov't going to increase cybersecurity and is thinking "sounds like a good idea".
IMHO we in the U.S. are judging our politicians too often by their good intentions rather than their actual performance, and politicians have adapted to this environment accordingly. All they really care about is that they hold the "correct" stand on an issue, not actually accomplishing anything. Until we start voting out people because they supported well intended but poorly thought out legislation little will change.
The rigger died. (Score:4, Funny)
the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders.
I've played that Shadowrun module.
why trust the government (Score:4, Insightful)
I am constantly amazed at arguments in favor of whatever government action folks want that base their premise on the trustworthiness of government. Why does anyone think they can trust a government? Now I am certainly not an anarchist, however I take the same view of centralized government that the founders of the US took - powerful central governments will inevitably grow and be corrupted because they are comprised of humans who are imminently corruptible.
It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in private sector. They are all made of the same human stuff, all just as corruptible - the only meaningful difference is that the humans in government wield the power of massive force to accomplish their goals.
The government has NO business getting involved with cyber security any more than they do getting involved with how I secure my house or car. The government sucks at doing things efficiently and using best practices - the examples are legion.
People need to take personal responsibility for their systems and decisions.
Re: (Score:2)
I'll be brief.
THE GOV'T DOES THIS. NIST 800-137 is all about "Continuous Monitoring" which means "set baseline configs, make sure they're followed". USGCB is used for Windows 7 and RHEL Desktops, and CIS commonly used for most everything else. (USGCB and CIS for Win7 are almost identical.)
Let me repeat that. CIS is frequently used as the config gold standard for Windows, Linux & Solaris servers as well as Cisco equipment. For the things CIS doesn't have, they use DISA STIGs, which are just as good but m
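The "set baseline configs, make sure they're followed" loop described above is easy to show concretely. Below is an added example written for this page, not code from NIST SP 800-137, CIS, USGCB or any DISA STIG: it parses an sshd_config the way sshd does (first occurrence of a keyword wins) and reports every directive that drifts from, or is missing relative to, a baseline. The baseline values and the sample config are constructed for the illustration and are not quoted from any benchmark.

```python
"""Minimal continuous-monitoring drift check for sshd_config.
Added example; the baseline below is assumed, not taken from any benchmark."""

# Assumed baseline (illustrative values, not a published benchmark).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
}

# Constructed sample config for the example, not captured from a real host.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes   # someone re-enabled this after the baseline was applied
PasswordAuthentication no
PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective value of each keyword.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored here too. Trailing '#' comments are stripped as a simplification.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # malformed line: no value
        keyword, value = parts
        settings.setdefault(keyword, value.strip())   # first occurrence wins
    return settings


def check_drift(observed: dict, baseline: dict) -> list:
    """Return (keyword, expected, actual, kind) for every deviation from baseline."""
    findings = []
    for keyword, expected in baseline.items():
        actual = observed.get(keyword)
        if actual is None:
            findings.append((keyword, expected, None, "missing (sshd default applies)"))
        elif actual.lower() != expected.lower():
            findings.append((keyword, expected, actual, "drift"))
    return findings


def run_check(text: str = SAMPLE_CONFIG) -> list:
    """Parse the config and compare it with BASELINE; empty list means compliant."""
    return check_drift(parse_sshd_config(text), BASELINE)


if __name__ == "__main__":
    for keyword, expected, actual, kind in run_check():
        print(f"{kind:>35}: {keyword} expected={expected!r} actual={actual!r}")
```

On the sample input the checker flags PermitRootLogin as drift and X11Forwarding as missing, while the duplicated PasswordAuthentication line is correctly judged compliant because sshd honours the first "no", not the later "yes". A real monitoring job would run this against every host's captured config on a schedule and alert on a non-empty result.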
Re: (Score:2)
How you secure your house or car has little to no bearing on 990100% of your neighbors. How the electrical grid and power plant, sewer treatment system, municipal water system, natural gas pipelines and the like are totally different.
Damage to those can cause severe impacts to the community as a whole. The size of the community can vary depending on the system. For example your municipal water system could impact your city, whereas the power plant in your neighborhood could potentially bring down the entire
Re: (Score:2)
This.
But just as when your locked door isn't enough, governmental police power should be available to apprehend the culprit, if nothing else than to prevent our neighborhoods from becoming running gun battles. This discussion is about allowing power company goons to bash down your door in swat gear carrying M16s because your 14-year-old hacker son was in the basement shutting down turbines with his iPad.
Just as local police serve as a (supposedly) impartial referee between victim and perpetrator, there has to be
Re: (Score:2)
It amuses me to see folks distrust a corporation and turn to the government as if the people in a government job are somehow more moral or ethical than those in private sector.
You're not thinking it through. Look at the difference between CWLP and Amerin. Both are electrical monopolies in Illinois. CWLP is run by the city of Springfield, Amerin is a publicly held company. CWLP has the lowest electric rates in the state, the least downtime, and the best customer service. Why? Because Amerin is not beholden
They are not talking of the same thing (Score:2)
Now the scenario on a digital blackwater is not needed due to a lack of laws, rather the problem is that officials will not investigate most cases
He Said What? (Score:1)
"Go all mercenary"
What the hell is that supposed to mean?
All Your Bits Are Belong To U.S.?
seriously, wtf government?
Say what, mothafukka? (Score:2)
Becau
pown to own - power plants and factories (Score:4, Funny)
Just legislate that every 3 years an industrial site must open itself to a 1 week pown to own event. If anyone can pown the control system they get to own the plant.
Would make for some nice corporate-on-corporate events to gain control. Even enviro-on-corporate.
Yes this is quite silly. But might as well have it happen in the open rather than behind closed doors.
Having worked with Chabinsky and Henry... (Score:2)
Having worked with Chabinsky and Henry previously, I'm glad they're not in charge any longer.
let's not forget the profit motivate (Score:1)
Stunner tag (Score:2)
When I hear the cybersecurity people talking about taking offensive action against intruders, I can't help thinking about Miles, "Brothers in Arms" and the infamous stunner tag sequence.
Hey, what's the problem? (Score:2)
Don't you think cybernetic systems should be secure?
And by the way, so should be cyborgs!
DDOS amplification without DNSSEC (Score:2)
F'n idiot bureaucrats treating cyber as if it is analogous to the real world.
If you thought DNSSEC was pure awesome tool to amplify your DDOS attacks kids just wait till you get to direct US government resources to attack your targets for you. Won't that be swell?
If you ever tire of getting your "friends" swatted at 3:00 in the morning just for laughs uncle sam has your back.
How about liability? (Score:2)
If companies that went about gathering and/or storing sensitive information for others, then screw it up and allow that information into the wrong hands faced real liability for their failures perhaps more companies would do a better job of protecting their information. Or even better, some may opt to not gather/store the data in the first place.
The Infinite Wisdom of Congress (Score:2)
Things that can go wrong (Score:2)
1) One of the links in the summary http://blogs.cio.com/security/17430/air-force-chief-ex-fbi-agent-cybersecurity-policy-cant-wait [cio.com] has a quote...
> He thinks companies that find proprietary data on an external server should be
> legally able to take action—to delete or encrypt the data. A company could
> then report the crime to the authorities so the government could search for the hacker.
Remember how a NASA video was mis-identified as property of Scripps Local News http://science.slashdot.org/ [slashdot.org]
Legislative solution? (Score:1)
Regarding incentives to do better, corporations already have them, as security attacks are PR nightmares which push consumers to competitors and losing money is bad business.
Congress on the other hand has incentives to over-estimate the risk and over-spend (since it's tax mone