Readers with long memories might recall that it was in May last year that the White House announced that the nation's critical infrastructure was "at risk" and called on Congress to move forward with plans to protect it. Launching the administration's own cybersecurity legislative proposals, President Obama almost pounded the table:
Just as we failed in the past to invest in our physical infrastructure -- our roads, our bridges and rails -- we've failed to invest in the security of our digital infrastructure... This status quo is no longer acceptable -- not when there's so much at stake.
Right. Fix it -- and fast. Well, let's see where we're at, some nine months later.
The Senate this week revealed a new bill aimed at achieving some of the White House's goals. Specifically, it tackles the thorny problem that the infrastructure on which we all rely is largely in private hands, and would require enterprises responsible for key elements of the infrastructure -- like power plants and oil pipelines -- to meet cybersecurity standards.
The cherry on the cake is that enterprises complying with the regulations would enjoy liability protection.
Even so, to say that lawmakers are tentative about regulating private enterprise would be an understatement. Although the bill enjoys bipartisan support, industry -- together with its predictable Congressional chorus of support -- is lobbying hard against it. Burdensome. Why throw out what's working? Let's have incentives rather than more rules. You could write the script.
Seven bold senators have already asked majority leader Harry Reid to slam on the brakes. Kay Bailey Hutchison of Texas, John McCain of Arizona, Charles Grassley of Iowa, Saxby Chambliss of Georgia, Lisa Murkowski of Alaska, Jeff Sessions of Alabama, and Mike Enzi of Wyoming have signed a letter calling for hearings upon hearings:
This is not the kind of legislation that can result in a carefully balanced solution unless the full process is afforded.
Understand: nobody is actually against cybersecurity. Everyone just wants to have a conversation. In other words, for "full process," read "not this year." (Reid had hoped to bring the bill to a vote next month.)
It was left to Senator Jay Rockefeller, the West Virginia Democrat, to sound a note of sanity:
We are on the brink of what could be a calamity. A widespread cyber attack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago.
Maybe not. After all, as security analyst Bruce Schneier has observed, the cybersecurity environment for the last several years has been one of makeshift, uncoordinated, and unattributable attacks, rather than organized terrorism, state-sponsored or otherwise.
But then again, maybe. If hackers can enter the security systems of our banks through so many revolving doors, there can be little doubt that they could damage the nation's infrastructure. The only question is: how seriously?
Rather than treat the situation with the gravity it deserves, a few senators -- with the approval of the US Chamber of Commerce and other lobbying groups -- seem happy to play their fiddles. As if that wasn't enough, well-intentioned -- but misguided -- analysts have stirred up concern that Harry Reid might use the new bill as a vehicle to inject SOPA-type provisions back into the legislative process.
The truth is, this bill, or something very much like it, is one we actually need.
Great. McCain has further fouled up the works by announcing an alternative bill. There's a lot of talk about procedural complexities, but what it comes down to is this:
Unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses – which own roughly 90 percent of critical cyber infrastructure. The regulations that would be created under this new authority would stymie job-creation, blur the definition of private property rights and divert resources from actual cybersecurity to compliance with government mandates. A super-regulator, like DHS under this bill, would impact free market forces which currently allow our brightest minds to develop the most effective network security solutions.
Ideology, in other words, supported by powerful business lobbies. And where are these brightest minds developing effective network solutions? They're not working for Citibank or Sony or RIM or the FBI or, for that matter, The Senate.
Are they really working in the infrastructure sector?
I agree that economics is a big part of the solution, and rather than offer the incentive of removing liability if companies fail to comply with standards, I'd like to see the big stick of sanctions if they don't.
The problem here is a political one. Congress is hesitant about telling companies how to run their businesses, and a big lobby is already gathering to oppose any extra costs or burdens arising from cybersecurity legislation.
It's worrying because, as you imply, it hardly seems likely that the private enterprises involved in maintaining the national infrastructure have unassailable security in place. After all, the banks, law enforcement and the military don't.
Time to grow some tough skin, you're sure to be flamed for this post. I'm in 100% agreement with you. As a long time reader of Bruce Scheiner, I understand that this is not a simple problem. People will claim that a quick solution is needed. But complex problems like this one cannot be solved with the passing of laws. The first and more important thing is education on the issue. Most of the time security problems occur with the user of the computer itself and not with some malformed code. Yes bad coding happens. What happens more though is sloppy security from a user, followed by failure to properly use code and apply pacthes. I cant count the number of times I've seen code implemented by a company thats several years out of date and dozens of patches out of date from what their 'vendor' supplies. When companies use bad code and configure it properly... a disaster is bound to happen.
Yes Anon is out causing mayhem, but to be honest what Anon does is petty internet crime. DDOS doesnt take much skill. I'm not saying Anon isnt skilled, There are members of anon that are utterly amazing in what they can do. But thats not the whole. Flashing Anon around as the reason for new laws is ridiculous.
To quote Bruce Schneier again the economics of security are all wrong. And until that is fixed nothing will move foward. Until companies have an economic incentive to be secure, spending man hours to secure their systems is wasted money. Currently its the public that are shouldering the loss when a system is broken and database stole. Companies usually operate by profit motive, and until their profit is threated by liability of failure to secure consumer data, and liability for incrmential damages occuring from when thier systems are broken, you wont see much of a change in the corp minset.
Is the solution more legislation from the government. I would say no. If the last 50+ years of federal criminal law have taught us anything, penalizing an activity does not cause it to end. It just puts more people in jail.
So what is the solution? I have no idea. I'd think we'd be better off trying to fully understand what Bruce has been telling us for the past 20 years. Hopefully one day we'll understand it.
Good post, I hope it sparks meaningful discussion.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Extending existing US wiretap laws to give federal agencies easier backdoor access to Internet communications -- especially real-time P2P services like VoIP -- will give, not only aid and comfort, but also technical assistance, to the country's enemies. Not to mention cyberthieves.
When David E. Sanger of The New York Times broke the news that the United States was responsible for the Stuxnet malware exploit against Iran's nuclear program, Senator John McCain accused the administration of deliberately leaking the story to enhance President Obama's national security record.
The Gamma Group's business of supplying surveillance technology exclusively for use by government agencies may be legitimate. But not when it poses as the popular, free, open-source web browser Firefox.
Yesterday's hack of the official Associated Press Twitter feed demonstrated the enormous risk attached to the platform's lazy, single factor approach to security.
US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
President Obama may soon earn the badge as "Mayor" of the White House, thanks to his joining the mobile check-in service, FourSquare. Let's all sigh in unison, shall we?
Anonymous retaliated against recent arrests of its members on a large scale but apparently engaged in pointless hacks of rural police forces in the United States.
Law enforcement agencies are poised to use iPhones as facial recognition systems in the coming months. The technical advance promises efficiency but has created a backlash among civil liberties proponents.
Cyber Warfare may be the next frontier for tactical hacking. It has already reared its head in Estonia, Russia, and Georgia, and some say it has been used by North Korea, China, and other world powers. The implications and the potential are both fascinating and scary.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
Email This
