Internet Czar and Regulation Bill? - Taem - 04-21-2009
Quote: Senate Proposal Could Put Heavy Restrictions on Internet Freedoms
A proposed bill that would give the president widespread power to shut down the Internet in the event of a cyberattack could have sweeping implications on civil liberties.
By James Osborne
FOXNews.com
Tuesday, April 21, 2009
The days of an open, largely unregulated Internet may soon come to an end.
A bill making its way through Congress proposes to give the U.S. government authority over all networks considered part of the nation's critical infrastructure. Under the proposed Cybersecurity Act of 2009, the president would have the authority to shut down Internet traffic to protect national security.
The government also would have access to digital data from a vast array of industries including banking, telecommunications and energy. A second bill, meanwhile, would create a national cybersecurity adviser -- commonly referred to as the cybersecurity czar -- within the White House to coordinate strategy with a wide range of federal agencies involved.
The need for greater cybersecurity is obvious:
-- Canadian researchers recently discovered that computers in 103 countries, including those in facilities such as embassies and news media offices, were infected with software designed to steal network data.
-- A Seattle security analyst warned last month that the advancement of digital communication within the electrical grid, as promoted under President Obama's stimulus plan, would leave the nation's electrical supply dangerously vulnerable to hackers.
-- And on Tuesday the Wall Street Journal reported that computer spies had broken into the Pentagon's $300 billion Joint Strike Fighter project and had breached the Air Force's air-traffic-control system.
Nonetheless, the proposal to give the U.S. government the authority to regulate the Internet is sounding alarms among critics who say it's another case of big government getting bigger and more intrusive.
Silicon Valley executives are calling the bill vague and overly intrusive, and they are rebelling at the thought of increased and costly government regulations amid the global economic crisis.
Others are concerned about the potential erosion of civil liberties. "I'm scared of it," said Lee Tien, an attorney with the Electronic Frontier Foundation, a San Francisco-based group.
"It's really broad, and there are plenty of laws right now designed to prevent the government getting access to that kind of data. It's the same stuff we've been fighting on the warrantless wiretapping."
Sen. Jay Rockefeller, D-W. Va, who introduced the bill earlier this month with bipartisan support, is casting the legislation as critical to protecting everything from our water and electricity to banking, traffic lights and electronic health records.
"I know the threats we face," Rockefeller said in a prepared statement when the legislation was introduced. "Our enemies are real. They are sophisticated, they are determined and they will not rest."
The bill would allow the government to create a detailed set of standards for cybersecurity, as well as take over the process of certifying IT technicians. But many in the technology sector say the government is simply ill-equipped to get involved at the technical level, said Franck Journoud, a policy analyst with the Business Software Alliance.
"Simply put, who has the expertise?" he said. "It's the industry, not the government. We have a responsibility to increase and improve security. That responsibility cannot be captured in a government standard."
A spokeswoman from Rockefeller's office said neither he nor the two senators who co-sponsored the bill, Olympia Snowe, R-Maine, and Bill Nelson, D-Fla., will answer questions on cybersecurity at a later date.
Obama, meanwhile, is considering his own strategy on cybersecurity. On Friday, the White House completed a lengthy review of the nation's computer networks and their vulnerability to attack. An announcement is expected as early as this week.
"I kind of view [the Rockefeller bill] as an opening shot," said Tien. "The concept is cybersecurity. There's this 60-day review underway, and some people wanted to get in there and make their mark on the White House policy development."
IT leaders hope the president will consider their argument that their business is not only incredibly complex and static, but that it also spreads over the entire globe.
If the United States was to set its own standard for cybersecurity, they say, it would create a host of logistical challenges for technology companies, virtually all of which operate internationally.
"Any standards have to be set at an international level and be industry led," said Dale Curtis, a spokesman for the Software Business Alliance. "This industry moves so fast, and government just doesn't move that fast."
Many Silicon Valley executives remain hopeful that the White House's recommendations will be more industry-friendly, following what Journoud said was a good dialogue with former Bush administration official Melissa Hathaway, who is leading the White House review and is considered a likely candidate for cybersecurity czar.
First I've ever even heard of this before. Anyone got more information on this? As usual, Fox News is exceptionally vague, trying the fear-mongering technique, but the article makes it sound like America's internet could become the next China in terms of what we can and can't do on the internet.
Internet Czar and Regulation Bill? - kandrathe - 04-22-2009
Quote: First I've ever even heard of this before. Anyone got more information on this? As usual, Fox News is exceptionally vague, trying the fear-mongering technique, but the article makes it sound like America's internet could become the next China in terms of what we can and can't do on the internet.
Check out Internet2. Technically, there really is a need for something more secure than the free-for-all we have now. I don't agree that the government should need a czar to control it, but they could give the project a big kick in the butt to keep it moving forward. Essentially, a smart hacker can sniff data off the network and given a beefy laptop, decrypt (if needed) most of it on the fly. Look into GhostNet for reasons why we need something better in order to move forward. I've already had my rant here on how my cable system is unsecured. So much so, that the day they hooked me up, I was able to hack into my home machine from work in under 5 minutes. I stopped by the store on the way home to get a firewall router to secure my home.
Every responsible organization connected to the internet needs to be security aware, but still the biggest threats are the foolhardy people who are inside that organization. At a C2 secure facility I worked at, the only breach we ever had was by an executive who brought his tainted home laptop to work one day and plugged it into the wall. The tripwires fired immediately as the malware in his system tried to attack our servers. I thought we had been hacked through the firewall, so I pulled the plug on the hard line to the internet. It didn't stop, so we brought down all the servers, and fired up the sniffers until we found the machine that was compromised. The malware did find another unsecured system to infect, and it was the phone system that we had an external vendor install and manage, which was only connected to the net for printing reports. After that incident, we took over the security for the phone systems as well. The problem with ubiquitous computing is that as we move toward intelligent and wireless everything, people do not recognize that cool gizmo in their purse or backpack as a potential threat.
The hardest place I've had to secure though was a college. Everyone on the inside of the network wants total freedom and total security. They had a packetshaper and extensive VLAN topology. We also set up many monitoring scripts, including one that would automatically remove ports from the network that originated any problem. Then, you just need to deal with the help desk call from the professor or student who caused the issue. In order to get back onto the network, they would need to allow us to re-certify their computer to ensure it was not compromised or a zombie (automated using Cisco Campus Manager).
I think there needs to be a tiered system. One network for government, one for education, and one for commerce. You might have an address in multiple networks, but you wouldn't easily get from one to another. Right now we just have the one big network that should always be considered insecure. I believe that hackers broke into computer systems of companies working on the JSF, not the Pentagon itself. It would make sense that if someone were able to break through the security of one embassy, then all with that same architecture would be compromised. This is one reason I like to use non-standard and heterogeneous suppliers for network security appliances.