Cyber Security Bill: Killing Information Security to Save It
The Government Isn't Killing the Internet, but It Will Weaken CyberSecurity
You've probably heard of the "Internet Kill" bill that authorizes the Executive branch to shut down the Internet for up to 120 days. Well, sort of. After reading the bill summary, it appears that the bill supersedes an old law that already allowed the Executive branch to shut down all communications in a national emergency. This bill limits the President's authority to critical assets concerning the Internet. The assets are defined broadly. This leaves a lot of room for interpretation, and the blogosphere is rife with it. Joe "I Heart Authoritarianism" Biden didn't help the government's case when he said the bill was modeled after China's cyber security policy, a model of censorship he clearly appreciates. (Search for his speech on YouTube.)
Does It Really Kill or Just Mortally Wound?
But the overlooked part of the bill, at least by Drudge et al., is that it will reorganize the business of cyber security from its current decentralized model of cooperation and improvement to a centralized top-down approach emanating from the Cyber Czar, or whatever goofy name they picked for this position of pseudo-authority.
I Know Some. They Know More. Thankfully, We Agree
Now we are playing in my ballpark. As I mentioned earlier, information security is a significant aspect of my work, and I just spent a year studying every facet of this enormously complex industry to attain one of the most highly sought-after accreditations in information security. There are definitely experts in the field whose knowledge dwarfs mine. Those experts agree with what I am about to tell you:
A centralized, top-down approach to cyber security will weaken the nation's information security, weaken business information security, and weaken consumer information security.
State of the Market
Let me paint you a picture of how security technology and standards currently arise in this field. In the infant stage of information security (IS), let's say around the time the Bell-LaPadula model arrived in the mid 1970's, I think, different standards for IS that addressed different aspects of the problem were popping up all around the world. Government organizations, private organizations, and universities were all working to make sense of these ideas and how they applied to security. At the same time, products for different aspects of IS were coming into existence in intense competition. I'm talking about network products like firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), sophisticated routers with robust access control customizations, etc. There were host-based systems, a market dominated by Norton and McAfee, which soon became inundated with rival products such as AVG and BlackIce and countless others. Homemade encryption kits for email and hard drive encryption started appearing, most famously PGP, while electronic transactions came to be secured end-to-end for any business done on the web. Some of the companies creating these technologies have adapted to consumer demands. Others did not and disappeared. In the meantime, individual IS professionals have developed a common language, a common base of fundamental IS principles, and a common framework for assessing IS issues. I could literally go on for another 10,000 words describing how this framework has evolved, but I hope you are getting the picture.
Fixing What Ain't Broke
All of this has happened without government planning. Yes, governments have been involved, for the most part in a helpful way. But they have not driven the process. Consumers have driven the process. And the process has worked beautifully. Since protecting information security became a concern of market participants (about the mid 1990's, shortly after the Internet revolution began), technologies and standards have evolved that are customizable to meet just about every IS need under the sun, for any size of organization and any level of security required.
Ostensibly, the government claims that certain critical elements of the nation's infrastructure are not protected. That may be true, but that is not because the technology or expertise is unavailable. It is not because the market has failed to deliver what is required. It is because the government has failed to properly implement well-known, industry-accepted standards and technologies that would protect America's critical assets.
Let me be perfectly clear. There is not, and never will be, any technology that completely eliminates the risk of compromise. However, the government's current lack of protection has nothing to do with that. It has to do with the failure of government to keep up with evolving technologies and ideas.
Devolving the Evolution
The key part to understand here is the "evolving" part. When allowed to operate without government direction, IS evolved quickly to a state of extreme competitiveness and ultimately ensured a far safer information sharing environment for all market participants.
Turning this paradigm upside down is foolish and ignorant. This is particularly obvious when the main reason for government insecurity is that it has not been able to keep up, due to its inability to evolve quickly.
What do you suppose will be the end result of the shift in Information Security from a decentralized model to a centralized one?
Denial of Intelligence
One final point: if it is true that the government plans to shut down parts of the Internet during an attack, then America's bureaucrats/politicians are dumber than I thought. The most common form of attack on government networks is something called a Denial of Service attack. The purpose of this type of attack is to shut down critical features of the network, making them unresponsive or corrupting them so that they are no longer available. If you shut down the network in response to such an attack, all you are doing is completing the attack for them. That's "burning the village to save it" as applied to information security.
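The point above can be put in numbers. The following is an added example, not part of the original post: a constructed model of a service under a request flood, comparing three responses (no action, shutting the network down, and the per-source rate limiting a defender would normally reach for) by the fraction of legitimate requests that still get through. Sources, rates and capacity are all made-up values.

```python
"""Constructed flood model: which response keeps legitimate users served?"""
import random
from collections import Counter

CAPACITY = 100        # requests per time step the service can actually handle
PER_SOURCE_CAP = 5    # rate-limit policy: max requests admitted per source per step


def make_traffic(legit_sources=20, attack_sources=5, attack_rate=200, steps=10):
    """Constructed traffic: each step is a shuffled list of (source, is_legit)."""
    rng = random.Random(42)   # fixed seed so the model is reproducible
    traffic = []
    for _ in range(steps):
        step = [(f"legit-{i}", True) for i in range(legit_sources)]
        for a in range(attack_sources):
            step += [(f"attacker-{a}", False)] * attack_rate
        rng.shuffle(step)
        traffic.append(step)
    return traffic


def admit(step, response):
    """Apply the response policy and return the requests that reach the service."""
    if response == "shutdown":          # the "kill switch": nothing gets in
        return []
    if response == "rate_limit":        # cap each source; floods hit the cap fast
        seen = Counter()
        admitted = []
        for src, legit in step:
            seen[src] += 1
            if seen[src] <= PER_SOURCE_CAP:
                admitted.append((src, legit))
        return admitted
    return list(step)                   # "none": let everything through


def legit_availability(traffic, response):
    """Fraction of legitimate requests served over the whole run (0.0 to 1.0)."""
    legit_total = legit_served = 0
    for step in traffic:
        handled = admit(step, response)[:CAPACITY]   # overflow is simply dropped
        legit_total += sum(1 for _, legit in step if legit)
        legit_served += sum(1 for _, legit in handled if legit)
    return legit_served / legit_total if legit_total else 0.0


if __name__ == "__main__":
    traffic = make_traffic()
    for policy in ("none", "shutdown", "rate_limit"):
        print(f"{policy:>10}: {legit_availability(traffic, policy):.1%} of legitimate requests served")
```

Shutting the network down scores exactly what the attacker was aiming for (zero availability), while the per-source cap serves every legitimate request in this model.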
David in Qatar