
Cyber Security Bill: Killing Information Security to Save It


June 29, 2010 – Comments (19)

The Government Isn't Killing the Internet, but It Will Weaken Cyber Security

You've probably heard of the "Internet Kill" bill that authorizes the Executive branch to shut down the Internet for up to 120 days. Well, sort of. After reading the bill summary, it appears that the bill supersedes an old law that already allowed the Executive branch to shut down all communications in a national emergency. This bill limits the President's authority to critical assets concerning the Internet. The assets are covered broadly. This leaves a lot of room for interpretation, and the blogosphere is rife with it. Joe "I Heart Authoritarianism" Biden didn't help the government's case when he said the bill was modeled after China's cyber security policy - a model of censorship he clearly appreciates. (Search for his speech on YouTube.)

Does It Really Kill or Just Mortally Wound?

But the overlooked part of the bill, at least by Drudge et al., is that it will reorganize the business of cyber security from its current decentralized model of cooperation and improvement to a centralized top-down approach emanating from the Cyber Czar, or whatever goofy name they picked for this position of pseudo-authority.

I Know Some. They Know More. Thankfully, We Agree

Now we are playing in my ballpark. As I mentioned earlier, information security is a significant aspect of my work, and I just spent a year studying every facet of this enormously complex industry to attain one of the most highly sought-after accreditations in information security. There are definitely experts in the field whose knowledge dwarfs mine. Those experts agree with what I am about to tell you:

A centralized, top-down approach to cyber security will weaken the nation's information security, weaken business information security, and weaken consumer information security.

State of the Market

Let me paint you a picture of how security technology and standards currently arise in this field. In the infant stage of information security (IS), let's say around the time the Bell-LaPadula model arrived in the mid 1970's I think, different standards for IS that addressed different aspects of the problem were popping up all around the world. Government organizations, private organizations, and universities were all working to make sense of these ideas and how they applied to security.

At the same time, products for different aspects of IS were coming into existence in intense competition. I'm talking about network products like firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), sophisticated routers with robust access control customizations, etc. There were host-based systems, a market dominated by Norton and McAfee, which soon became inundated with rival products such as AVG and BlackIce and countless others. Homemade encryption kits for email and hard drive encryption started appearing, most famously PGP, while electronic transactions on the web became secured end-to-end by encryption. Some of the companies creating these technologies have adapted to consumer demands. Others did not and disappeared.

In the meantime, individual IS professionals have developed a common language, a common base of fundamental IS principles, and a common framework for assessing IS issues. I could literally go on for another 10,000 words describing how this framework has evolved, but I hope you are getting the picture.

Fixing What Ain't Broke

All of this has happened with government planning.  Yes, governments have been involved, for the most part, in a helpful way. But they have not driven the process. Consumers have driven the process.  And the process has worked beautifully.  Since protecting information security has become a concern of market participants (about the mid 1990's, shortly after the Internet revolution began), technologies and standards have evolved that are customizable to meet just about every IS need under the sun, for any size organization and any level of security required.

Ostensibly, the government claims that certain critical elements of the nation's infrastructure are not protected. That may be true, but that is not because the technology or expertise is unavailable. It is not because the market has failed to deliver what is required. It is because the government has failed to properly implement well-known, industry-accepted standards and technologies that would protect America's critical assets.

Let me be perfectly clear. There is not, and never will be, any technology that completely eliminates the risk of compromise. However, the government's current lack of protection has nothing to do with that. It has to do with the failure of government to keep up with evolving technologies and ideas.

Devolving the Evolution

The key part to understand here is the "evolving" part. When allowed to operate without government direction, IS evolved quickly to a state of extreme competitiveness and ultimately ensured a far safer information sharing environment for all market participants.

Turning this paradigm upside down is foolish and ignorant. This is particularly obvious when the main reason for government insecurity is that it has not been able to keep up, due to its inability to evolve quickly.

What do you suppose will be the end result of the shift in Information Security from a decentralized model to a centralized one?

Denial of Intelligence

One final point: if it is true that the government plans to shut down parts of the Internet during an attack, then America's bureaucrats/politicians are dumber than I thought. The most common form of attack on government networks is something called a Denial of Service attack. The purpose of this type of attack is to shut down critical features of the network, making them unresponsive or corrupting them in a way that they are no longer available. If you shut down the network in response to such an attack, all you are doing is completing the attack for them. That's "burning the village to save it" as applied to information security.

David in Qatar

19 Comments

#1) On June 29, 2010 at 5:55 AM, whereaminow (21.85) wrote:

Ahhhhh, I found two significant errors that slipped past my self-editing. (It always happens)

First, the speech I'm referring to in the opening was delivered by Joe Lieberman, not Joe Biden.

Second, in the Fixing What Ain't Broke:

All of this has happened with government planning

Should obviously read:

All of this has happened without government planning. 

So... that would be confusing lol.  Sorry about that!

David in Qatar

#2) On June 29, 2010 at 9:36 AM, Melaschasm (54.38) wrote:

I am confused. I thought a government-run central planning committee is always superior to a competitive market...

#3) On June 29, 2010 at 10:11 AM, cthomas1017 (97.24) wrote:

Melaschasm,

It is... (For those on the committee, and often their immediate family and "friends".) :) 

#4) On June 29, 2010 at 10:14 AM, cthomas1017 (97.24) wrote:

David, I agree with what you wrote almost entirely.  One thought on the "macro" view of the situation.  The top-down's will try to control the Internet, but inevitably the genie is out of the bottle.  Sure the federal governments and international governing bodies will win battles, but the war is already over.  It's just that D.C. hasn't realized it yet.

#5) On June 29, 2010 at 12:54 PM, whereaminow (21.85) wrote:

Melaschasm,

Apparently, I was confused for a second too LOL!

cthomas1017 ,

LOL, and I am in agreement with you too. The cat is out of the bag, so to speak.  Right now, tactically speaking, the worst thing the American government could do - if indeed they wish to take control of information on the net - is shut it down. 

Within weeks, perhaps sooner, it would be back up in a totally new, even less controllable way.  The little superdorks at 4chan probably have it all figured out already.  The government IT sector is no match for the amount of intelligence and expertise that is out in the private market.  It would be like Mike Tyson fighting an infant. (To steal a line from "Grandma's Boy")

David in Qatar

#6) On June 29, 2010 at 12:56 PM, whereaminow (21.85) wrote:

Here's Dictator Lieberman in his own words.

David in Qatar

#7) On June 29, 2010 at 12:57 PM, whereaminow (21.85) wrote:

via LewRockwell:

Brad Gushurst writes:

“As a system administrator for my company, I understand how often systems get probed. My servers—which are nothing compared to some of the bigger names on the web—get probed thousands of times a day, and this is something that we live with on the web. It’s nothing to be alarmed about. To equate it to something more people are familiar with, imagine a thousand people drive by your house every day. If your door is wide open, a thousand people know that they could come back and rob your house. That is all that is happening when people are probing these servers (from a high level, it’s actually much more complex to see if a “door” is open on a server). Obviously this is a threat, one that the private sector has dealt with for a long time. In fact, there are software and hardware already out there which deal with these threats—it is called a Firewall. You give it a list of rules and everyone who wants to talk to your server has to follow those rules or else. See—problem solved.

Now the problem I have is if our networks which control the banks/telecom/electric grid/gas/… don’t already have firewalls, then we have BIG problems (trust me they have firewalls)—which leads me to believe if we already have the tools in place to protect these networks which must remain secure, then the idea of taking control of the internet has other purposes. If these senators did an ounce of research they would know that almost all attacks are carried out by “bots,” which are normal everyday computers which are infected with a virus. These “bots” are around the world and right here in the US. So an attack would emanate from everywhere, not just one country. So that leaves them with the only “weapon” against these attacks being shutting down what you are trying to protect, which seems—dare I say—stupid. If you shut down the internet, you just completed the attack. Think about it: if these devices didn’t need the internet, then why would they be connected to it?

What I think is happening is they will use this to “attack the recruitment” activities of the war on terror and use that as a disguise for filtering the information available on the web in the US—at which point our freedom will be no different than China’s. Anything the government doesn’t want you to know about won’t be accessible. Joe comes right out and says he wants the same thing China has. How much louder does this guy have to say it: he wants to control America’s minds.”

 

#8) On June 29, 2010 at 12:57 PM, FleaBagger (28.88) wrote:

I'll try to embed the video for you (since I had a little trouble finding it).

And here's the link and the url in the all-too-likely event that my embed failed:

http://www.youtube.com/watch?v=JUpq8idF1ow 

#9) On June 29, 2010 at 12:57 PM, whereaminow (21.85) wrote:

Again, via LewRockwell

Eric Fields writes:

“By profession I am a logistician. I formerly “served” in the military until I saw the light and moved to the “real world”. My background really brings to light the effects that a kill switch would have on American commerce. Ignoring the fact that shutting down the internet is the same as ending freedom of speech and association in a “free” society, I am amazed that the media coverage of this ignored the fact that shutting down the internet means an end to all commerce within the limits of the United States. Beyond the obvious things like shutting down online sales and credit card transactions, most long-distance, bulk logistics activities require one kind of automated IT system or another. If you shut down the internet, you have eliminated the ability of commercial distributors to coordinate for the delivery of fuel, food, electricity (coal) and pretty much any of the behind-the-scenes precursors to commercial products. Even if the “plan” took those activities into consideration, it would ignore the thousands of day-to-day interactions that use open-sourced internet tools to make the processes of daily life happen.”

#10) On June 29, 2010 at 12:58 PM, FleaBagger (28.88) wrote:

Oops! You already posted it while I was fumbling with the embed code.

#11) On June 29, 2010 at 12:59 PM, whereaminow (21.85) wrote:

Butler Shaffer with an excellent writeup on the political ramifications of Lieberman's power grab.

"The Internet is a destabilizing force to established interests in the world. It is premised on the free exchange of information which, in turn, is an expression of the liberty of individuals to act in furtherance of their particular interests. Government schools, the mainstream media, and other institutional voices, relentlessly work to condition the minds of people to think and to act within limits that are consistent with institutional purposes. Ideas or actions that do not challenge established interests may be welcomed (if supportive of such ends) or tolerated (perhaps as entertainment). But as the institutional order continues its decentralizing collapse into alternative social systems and practices, its domination of humanity continues to weaken. The struggle confronting mankind comes down to the question of whether human beings are to be the masters of their own lives, or whether they are to remain as resources to be exploited for institutional ends."

David in Qatar

#12) On June 29, 2010 at 1:00 PM, whereaminow (21.85) wrote:

FleaBagger,

Thanks Flea!  It was a busy day today and I totally flubbed a couple key points in the post as I indicated in comment #1.  Well, they can't all be winners, right?  

Thanks again for the assist!

David in Qatar

#13) On June 29, 2010 at 2:00 PM, ttboydxb (28.87) wrote:

Very interesting write up!  A+

#14) On June 29, 2010 at 2:35 PM, whereaminow (21.85) wrote:

ttboydxb,

Thanks!  Glad you enjoyed it.

David in Qatar

#15) On June 29, 2010 at 3:31 PM, cthomas1017 (97.24) wrote:

"It would be like Mike Tyson fighting an infant."  Then again...

 

#16) On June 29, 2010 at 11:55 PM, ajm101 (31.97) wrote:

It sounds like a lot of people haven't actually read it.  http://edge.networkworld.com/graphics/2009/0402%20Rockefeller%20cybersecurity%20bill.pdf

Enjoy, it's like reading a story about paint drying.  But I think anyone that reads it will come away more sympathetic to the government, the intent is clearly to address a system security weakness in this country.  

All that said, it's a bad bill and Joe Lieberman is a freedom-hating embarrassment to the Senate.

#17) On June 30, 2010 at 12:07 AM, whereaminow (21.85) wrote:

ajm101,

I agree somewhat.  I stated in the post that exact intent. I didn't try to paint this as a government power grab (except that Lieberman may hope it is.)  I have linked in follow up comments to points that don't make sense and would lead you to believe it could be a power grab.

But my point was clear.  The reason there is a system security weakness is because the government has failed to implement well-known industry standards and technologies.  The capability of securing the government's critical infrastructure is already there.  They're just not doing it.  Turning cyber security development upside down is foolish.

I'm glad we see eye-to-eye on Lieberman :)

David in Qatar

#18) On June 30, 2010 at 1:43 AM, FleaBagger (28.88) wrote:

I probably don't say this enough: good job, David. What you write encourages me. 

#19) On July 03, 2010 at 3:56 PM, FreeMortal (29.44) wrote:

The bill proposes establishing an agency for standardizing security on government networks as well as a certification for professionals who work on those networks. All cybersecurity professionals are not required to get a G+. The agency will do its own research and is designed to share information with the public sector, but I don't see how this changes the decentralized model in the private sector.

From ajm101's link, here are the "scary" parts:

"may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;"

and

"may order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security;"

This is not really a kill-the-internet switch, nor is it much like the Great Firewall of China. It's more about isolating government networks during attack. 
