Armed Polite Society

Main Forums => Politics => Topic started by: Ron on April 04, 2009, 10:00:35 AM

Title: Should Obama Control the Internet?
Post by: Ron on April 04, 2009, 10:00:35 AM
Quote
A new bill would give the President emergency authority to halt web traffic and access private data.

http://www.motherjones.com/politics/2009/04/should-obama-control-internet

Should President Obama have the power to shut down domestic Internet traffic during a state of emergency?

Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) think so. On Wednesday they introduced a bill to establish the Office of the National Cybersecurity Advisor—an arm of the executive branch that would have vast power to monitor and control Internet traffic to protect against threats to critical cyber infrastructure. That broad power is rattling some civil libertarians.

The Cybersecurity Act of 2009 (PDF) gives the president the ability to "declare a cybersecurity emergency" and shut down or limit Internet traffic in any "critical" information network "in the interest of national security." The bill does not define a critical information network or a cybersecurity emergency. That definition would be left to the president.

The bill does not only add to the power of the president. It also grants the Secretary of Commerce "access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access." This means he or she can monitor or access any data on private or public networks without regard to privacy laws.

Rockefeller made cybersecurity one of his key issues as a member of the Senate intelligence committee, which he chaired until last year. He now heads the Committee on Commerce, Science and Transportation, which will take up this bill.

"We must protect our critical infrastructure at all costs—from our water to our electricity, to banking, traffic lights and electronic health records—the list goes on," Rockefeller said in a statement. Snowe echoed her colleague, saying, "if we fail to take swift action, we, regrettably, risk a cyber-Katrina."

But the wide powers outlined in the Rockefeller-Snowe legislation have at least one Internet advocacy group worried. "The cybersecurity threat is real," says Leslie Harris, head of the Center for Democracy and Technology (CDT), "but such a drastic federal intervention in private communications technology and networks could harm both security and privacy."

The bill could undermine the Electronic Communications Privacy Act (ECPA), says CDT senior counsel Greg Nojeim. That law, enacted in the mid '80s, requires law enforcement seek a warrant before tapping in to data transmissions between computers.

"It's an incredibly broad authority," Nojeim says, pointing out that existing privacy laws "could fall to this authority."

Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, says that granting such power to the Commerce secretary could actually cause networks to be less safe. When one person can access all information on a network, "it makes it more vulnerable to intruders," Granick says. "You've basically established a path for the bad guys to skip down."

The bill's scope, she says, is "contrary to what the Constitution promises us." That's because of the impact it could have on Internet users' privacy rights: If the Commerce Department uncovers evidence of illegal activity when accessing "critical" networks, that information could be used against a potential defendant, even if the department never had the intent to find incriminating evidence. And this might violate the Constitutional protection against searches without cause.

"Once information is accessed, it can be used for whatever purpose, no matter the original reason for accessing something," Granick says. "Who's interested in this [bill]? Law enforcement and people in the security industry who want to ensure more government dollars go to them."

Nojeim, though, thinks it's possible the bill's powers could be trimmed as it moves through Congress. "We will be working with them to clarify just what is needed and how to accomplish that," he says. "We're hopeful that some of the very broad powers that the bill would confer won't be included."
Title: Re: Should Obama Control the Internet?
Post by: Ron on April 04, 2009, 10:02:33 AM
Here is another link that dovetails nicely with the above article. I posted this last week but nobody had a comment :P

I'll post the pertinent observation from the end of the blog post.

http://www.pbs.org/cringely/pulpit/2000/pulpit_20000713_000657.html

Quote
But I have my own theory about Carnivore. From a network architecture standpoint, the best location for Carnivore is right after the ISP's router. This puts Carnivore in the path of every packet entering or leaving the ISP. It's also a major reason why ISPs might not want to install Carnivore boxes — it's the network's point of greatest vulnerability. In this position, Carnivore can act as a listening and recording device, OR IT CAN ACT AS A SWITCH. If we ever hear a proposal from the FBI in which it plans to install Carnivores at all 6000 ISPs in the U.S., we'll be giving the government the power to do something it can't do right now.

Shut the Internet down.
Title: Re: Should Obama Control the Internet?
Post by: longeyes on April 04, 2009, 11:20:43 AM
A "state of emergency" is when those in control fear they might lose that control.

It is always the same dynamic: fear or freedom.  We need to suck it up and choose freedom.  The world isn't going to come to an end, and if it does at least we'll go out with honor.
Title: Re: Should Obama Control the Internet?
Post by: MechAg94 on April 04, 2009, 11:35:20 AM
Quote
That broad power is rattling some civil libertarians.
Really!!?  I wonder why that would be. 
Title: Re: Should Obama Control the Internet?
Post by: Scout26 on April 04, 2009, 11:46:49 AM
That's not all they want to control:


http://www.chicagotribune.com/news/chi-oped0402goldbergapr02,0,2108647.story
Quote
The case before the court, Citizens United vs. Federal Election Commission, involves a documentary-style film, "Hillary: The Movie," that ran afoul of campaign-finance laws designed to censor so-called stealth ads as well as electioneering paid for by corporations or unions. To be fair, the film does amount to partisan advocacy. It's a scorching indictment of the former Democratic presidential front-runner, produced by an unapologetically conservative outfit. It's as one-sided as a MoveOn.org-produced documentary about George W. Bush would be. But, some might wonder, should partisan advocacy ever be illegal in a democracy?

Several justices asked the deputy solicitor general, Malcolm Stewart, if there would be any constitutional reason why the ban on documentaries and ads couldn't be extended to books carrying similar messages. Stewart, speaking for a president who once taught constitutional law, said Congress can ban books "if the book contained the functional equivalent of express advocacy" for a candidate and was supported, even slightly, with corporate money. Such advocacy, Stewart conceded, could amount to negatively mentioning a politician just once in a 500-page book put out by a mainstream publisher.
Title: Re: Should Obama Control the Internet?
Post by: Standing Wolf on April 04, 2009, 01:25:06 PM
Quote
We had to burn down the village to save it.
Title: Re: Should Obama Control the Internet?
Post by: Gewehr98 on April 04, 2009, 02:16:15 PM
Oh, noes.

Guess I'd better call up the commander of the Air Force's new Cyber Command and tell them their plans to protect the U.S. against malicious information warfare are totally off-kilter.

Because you know, sure as shinola, were the U.S. electronic data infrastructure crippled by an external or internal attack, nobody on a piddly-assed internet forum would just sit there and say, "That's ok" as their ATM cards cease to function, let alone that all-important web browser. 

I understand the reason for protecting American cyberspace.  Previous attacks have shown a real vulnerability.

Tin foil hattery notwithstanding, we're a cyber attack or two away from another 9/11, except we're already in a pretty bad recession this time. Let's knock out the financial institutions for a few days, and see how it goes.  We'll be trading chickens and ammo in no time. Then there will be some serious belly-aching.  "How come the government didn't take measures to prevent this?"

Is the cure worse than the cause?  Maybe. The devil's always in the details. 

Title: Re: Should Obama Control the Internet?
Post by: Teknoid on April 04, 2009, 07:37:46 PM
The spying part is what gets me. Isn't this the same bunch that was screaming about wiretaps being unconstitutional? What do they call tapping into the net for info WITHOUT a warrant? I suppose it's OK now, since it's them doing the listening.
Title: Re: Should Obama Control the Internet?
Post by: MicroBalrog on April 04, 2009, 07:39:54 PM
We all want to "protect cyberspace." And I'm sure everybody on this forum doesn't want terrorist  attacks.

But this doesn't mean you need a bill like this to do that.

Quote
Then there will be some serious belly-aching.  "How come the government didn't take measures to prevent this?"

There's always belly-aching. It doesn't mean the belly-achers are right. For example, I am sure that every time there is a shooting in a school or college, some people whine that the government should have 'done more' to prevent it by banning more guns and introducing more psychological screening and the Good Lord only knows what else. So what?
Title: Re: Should Obama Control the Internet?
Post by: Gewehr98 on April 04, 2009, 10:27:07 PM
MB, I believe you're not seeing the forest for the trees.

We are a piece of ripe fruit, ready for plucking, when it comes to a cyber attack against the U.S. electronic commerce infrastructure.

Were I an enterprising organization with a serious axe to grind against Uncle Sam, that's where I'd find the best bang for my buck.

It would probably do more damage, on an even longer-term basis, than the old "blowing anthrax spores into the Super Bowl" trick.

That's why the IT community was scared poopless about the recent 1 April 09 Conficker worm threat, and why Microsoft has a $250K bounty on the head(s) of those responsible.

If you dig around a bit, you'll discover that we've narrowly dodged a big cyber bullet on previous attacks, and it's enough of a threat that we're standing up a military wing to fight back in the previously uncharted territories of cyber battlespace.

I see where our two congresscritters are coming from, and contrary to popular (APS) belief, I don't think they submitted such a bill with a Snidely Whiplash sneer, aiming at subjugating minions and becoming the dark overlords we secretly knew they wanted to be. 

Could this effort have been accomplished in a different manner?  Oh, probably.

However, I'll go with "Never attribute to Malice", Alex, for $500.00.   

The road to hell is often paved with the best intentions.

That's my take on it. It needs work, but it has merit. 
Title: Re: Should Obama Control the Internet?
Post by: Ron on April 04, 2009, 11:24:26 PM
I've voted straight Republican every year I've been eligible to vote. My first vote for Prez was for Ronald Reagan for his second term.

The one and only time I wavered was when I voted for Ron Paul and every other libertarian available in '88. Since then straight Republican.

I'm pretty sure I'm done. The Republicans are the reason we have Barack Obama and the reason our rights are eroding exponentially. I haven't relied on the Dems, never trusted them. I trusted the Republicans and they have sold me and the country down the river.

I'd rather take my chances with the chaos of freedom and liberty than continue on this course of big brotherism squared.

I've never had such little faith in or hope for this nation.
Title: Re: Should Obama Control the Internet?
Post by: Waitone on April 05, 2009, 03:08:25 PM
Quote
I see where our two congresscritters are coming from, and contrary to popular (APS) belief, I don't think they submitted such a bill with a Snidely Whiplash sneer, aiming at subjugating minions and becoming the dark overlords we secretly knew they wanted to be.

Could this effort have been accomplished in a different manner?  Oh, probably.
Then why was it not?  I find myself split between two camps.  Bad guys are a reality.  And violation of constitutional liberties is a reality.  No doubt there is a need to shut down the internet in the event of a serious cyber attack.  I accept the reality.  I also accept the reality of government's announced intentions of limiting freedom of free speech and a large if not dominant force in the expression of said free speech is the existence of the internet.

So what do I believe?  The national security argument where I  ascribe pure and virtuous motive to its advocates?  Or do I go with the tinfoil hat crowd where unfettered access to the internet is doomed for any number of reasons.  I want to believe the national security argument but my guts tell me the tinfoil argument is primary.
Title: Re: Should Obama Control the Internet?
Post by: MicroBalrog on April 05, 2009, 04:22:49 PM
Quote
I see where our two congresscritters are coming from, and contrary to popular (APS) belief, I don't think they submitted such a bill with a Snidely Whiplash sneer, aiming at subjugating minions and becoming the dark overlords we secretly knew they wanted to be.

Oh, I agree with you. None of these people in Congress are evil. I am quite sure all of those fine, upstanding gentlemen love America and want to see her prosper.

I have never claimed that the problem is a Giant Evil Conspiracy.

In fact, I do not claim this one law is The Last Nail in the Coffin Of Truth, Justice, and the American Way, either.

My argument is composed like this:

1. If we lived in an otherwise free society, such an infringement on our liberties would have been possibly acceptable. However, because of cultural change that has occurred in the West (not just in America) over the last century or so, we seem to forget about the layers upon layers of pre-existing infringements. Every time, people seem to think that this is just-one-isolated-thing. Which it isn't.

2. This bill in and of itself is not a major problem. Nor is the current legislation limiting firearms ownership a major problem. Nor is the ban on lawn darts. Nor is the legislation regulating campaign funding. But little things add up. Start pulling hairs from your head, one after another. Eventually, you'll be bald.

3. The current knee-jerk reaction of most Western societies  is to always react to everything with more regulation. DUIs? Reduce the permissible BAC level and add more rolling checkpoints. Mass shootings? Ban guns. A threat of Internet attacks? Increase regulation of the Internet. Airplane hijackings? Create an arbitrary list of persons and ban them from flying. Add this to 2 and you're going to have a problem.
Title: Re: Should Obama Control the Internet?
Post by: seeker_two on April 05, 2009, 09:22:17 PM
Quote
I see where our two congresscritters are coming from, and contrary to popular (APS) belief, I don't think they submitted such a bill with a Snidely Whiplash sneer, aiming at subjugating minions and becoming the dark overlords we secretly knew they wanted to be.

Nope....more Palpatine-ly.....
Title: Re: Should Obama Control the Internet?
Post by: RevDisk on April 06, 2009, 07:18:34 AM
Quote
Oh, noes.

Guess I'd better call up the commander of the Air Force's new Cyber Command and tell them their plans to protect the U.S. against malicious information warfare are totally off-kilter.

Because you know, sure as shinola, were the U.S. electronic data infrastructure crippled by an external or internal attack, nobody on a piddly-assed internet forum would just sit there and say, "That's ok" as their ATM cards cease to function, let alone that all-important web browser. 

I understand the reason for protecting American cyberspace.  Previous attacks have shown a real vulnerability.

Anything important is on a SCADA network.  Little critical infrastructure is on internet accessible networks.  The most critical stuff is only monitored by SCADA networks but cannot be given commands over SCADA.  Yes, SCADA networks need to be updated to keep in line with advances made in network defense that internet facing networks almost always have. 

The NSA and DISA publish good white papers and specifications for securing OS's, network devices, some applications, etc.  They also cooperate with private sector manufacturers and software publishers to promote Information Assurance concepts and resources.   They have a good reputation, remain strictly neutral, and usually only advise.  DISA is responsible for the overwhelming amount of US military networks, and a surprising number of general government networks.  DISA handles the bulk of the hands on information security on defense and national security networks.  A lot of server stuff too.  NSA does some stuff, but not as much hands on stuff as you'd think.  Probably for the best.

I'm not convinced that the USAF's Cyber Command is little more than a money sink.  What can they do that the NSA or DISA is not doing?  I suspect their primary mission will be to suck up funds and maybe protect a very few number of networks.  On the plus side, maybe they will do some improvements on embedded networks specific to the USAF.  That'd be nice.  But not critical to the security of the US infrastructure, as they run only more or less internal networks.  They turn over more and more of those networks to DISA each year.  While I would recommend being polite, G98, your call would not be incredibly inaccurate advice.

Disclosure:  I am a former Army commo guy that did some infosec work.  I also worked on a DISA Operational Support Team (OST). 


Quote
Tin foil hattery notwithstanding, we're a cyber attack or two away from another 9/11, except we're already in a pretty bad recession this time. Let's knock out the financial institutions for a few days, and see how it goes.  We'll be trading chickens and ammo in no time. Then there will be some serious belly-aching.  "How come the government didn't take measures to prevent this?"

Is the cure worse than the cause?  Maybe. The devil's always in the details. 

...

I agree and strongly disagree at the same time.  While there is a lot of improvement needed in the information security field, it's not catastrophically bad.  Consumers need better security.  That's the biggest threat at the moment.  Millions of ordinary desktops and laptops.  Infrastructure and corporate wise, infosec is getting better.  Govt always needs to get better, but is good enough by and large.  The only advice I can give that crosses private and public sector is, more applicable user training.  Not the boring CYA legal-ese crap, but short good information.  Put your written passwords in your wallet, don't share them, shred papers you don't need, if in doubt ask IT, don't click on stuff you think is off, if something sounds odd ask your security department, etc etc.   

IT and IT Security departments need to expand beyond technical issues and also regularly interface with the users.  Yes, I bloody well know how problematic this can be.  But most users don't want to work around standard procedures, they just want to do their job in a way that isn't too painstaking.  IT personnel should try to make their user solutions as streamlined as possible. 


All of that said, a centralized body governing network security is such a bad idea I'm not sure I can make a proper analogy.  "You might as well shoot yourself in the head to save time" would be the closest I can come to explaining how bad of an idea it is.  Any hypercentralized NSOC (Network Security Operations Center) with legal powers to control every network in the US would be the worst security threat I can imagine.  If you find a way into such a NSOC, you can take down everything.  As it stands now, if somehow you could take down...  say a specific hospital, that didn't mean you could automatically also take down a nuclear power plant, a jet liner or a Mom'n'Pop small business network.  Decentralization means you have a wide variety of different environments.  The more diverse and decentralized you make the entire US IT infrastructure, the less likely any one attack vector can do damage to a bunch of different networks using the same trick. 

If you wanted to do the same thing in a somewhat secure manner, which is a bad idea, give the central telecoms a right to blacklist IP traffic without legal repercussion and the ability to void their obligation to completing contracts at their leisure but still get paid anyways.  Sounds like a bad idea?  It is.  But it's much more secure than the hypercentralized NSOC idea. 


Quote
That's why the IT community was scared poopless about the recent 1 April 09 Conficker worm threat, and why Microsoft has a $250K bounty on the head(s) of those responsible.

Really?  Must be a different part of the IT community than I regularly communicate with.  Oh sure, we're very concerned with users installing malware.  Any one worm?  Not so much.  If you patch your systems regularly, have a good AV solution and hopefully a half decent firewall, there isn't a worm made yet that the IT community is 'scared poopless' over.  I think you're confusing secondary effects (rush to patch an exploit, or dealing with an upsurge in spam traffic) with the worm or malware itself.   

Hell, I was amazed at how much the media was playing up Conficker.  The persons that designed Conficker were either really stupid, or didn't care.  If you upgrade to nmap 4.85Beta7 and run the command " nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 12.34.56.78 ", you can determine if the host is infected or not. (12.34.56.78 being the target IP, and obviously removing the quotes.)   Why?   NetpwPathCanonicalize() gives a nonstandard answer to queries.  So you ask the worm if it has infected a host, and it accurately says "Yes, I did."

I'll grant you, worms are becoming more sophisticated.  Storm was designed by someone with a glancing knowledge of secure programming.  Not a professional level, of course.  Almost, but not quite, respectable.  Conficker is worrisome not because it was well written or well designed, but rather because it exploited a nasty hole in all relevant versions of Windows (See MS08-067), which is a hole that gives system level access with no authentication over a network.  That's as bad as a security hole gets.  If you're patched, no problem.  If you're running an AV, somewhat no problem.

Instead of saying "ZOMG! Killer worm!  All the geeks are in a panic and predict end of the world", the media should say "Yo, a routine worm is making it around the internet exploiting a hole patched on Oct 8th, 2008.  If you haven't patched your desktop in SIX MONTHS, please do so.  Go to whatever.com for details on how to do so."  As we all know, rational dissemination of information ain't the media's strong point.
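
The triage that the nmap check in the post above makes possible, as an added example that is not part of the original post: a Python script that reads saved nmap output and sorts hosts into a work list. The sample scan is constructed, and the exact wording of the `MS08-067:` and `Conficker:` report lines is an assumption to adjust for your nmap version.

```python
import re

# Constructed sample, not real scan data (addresses are from the
# documentation range). The host header and the report lines are assumed
# to follow nmap's normal output for the smb-check-vulns script.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|_ Conficker: Likely CLEAN

Nmap scan report for 192.0.2.11
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|_ Conficker: Likely CLEAN

Nmap scan report for 192.0.2.12
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: FIXED
|_ Conficker: Likely INFECTED

Nmap scan report for 192.0.2.13
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

# Older nmap releases print "Interesting ports on <host>:" instead.
HOST_RE = re.compile(
    r"^(?:Nmap scan report for|Interesting ports on)\s+(.+?):?\s*$")
# Script report lines start with "|" or "|_" followed by the check name.
FIELD_RE = re.compile(r"^\|[_\s]*(MS08-067|Conficker):\s*(.+?)\s*$")


def parse_scan(text):
    """Return {host: {"MS08-067": status, "Conficker": status}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(1)] = m.group(2)
    return hosts


def triage(findings):
    """Map one host's findings to an action for the work list."""
    conficker = findings.get("Conficker", "").upper()
    patch = findings.get("MS08-067", "").upper()
    # Infection outranks patch status: a host flagged INFECTED needs
    # cleanup whatever the MS08-067 line says.
    if "INFECTED" in conficker:
        return "isolate-and-clean"
    # "NOT VULNERABLE" must not be mistaken for "VULNERABLE".
    if "VULNERABLE" in patch and "NOT VULNERABLE" not in patch:
        return "patch-now"
    clean = "CLEAN" in conficker
    patched = patch.startswith(("FIXED", "NOT VULNERABLE", "PATCHED"))
    if clean and patched:
        return "ok"
    # No script result (filtered port, host down, script error) is not
    # evidence of a clean host, so it goes back on the list.
    return "recheck"


def build_worklist(text):
    """Return {host: action} for every host in the scan output."""
    return {host: triage(f) for host, f in parse_scan(text).items()}


if __name__ == "__main__":
    for host, action in build_worklist(SAMPLE_SCAN).items():
        print(f"{host:15} {action}")
```

A host whose port 445 is filtered produces no script result at all, which is why it lands in `recheck` rather than `ok`.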
Title: Re: Should Obama Control the Internet?
Post by: mtnbkr on April 06, 2009, 08:43:00 AM
Gotta agree with RevDisk, though I've been seeing more and more "critical" infrastructure being put on the public Internet. 

I currently work with Internet systems (firewalls, mail, dns, etc) for a large civilian govt project (let's just say your data traverses my network at times).  Did we take Conficker seriously?  Sure.  Were we in a panic?  Hardly.

The biggest threat to IT security has always been users who are either undereducated about security or apathetic about it.  Until those users are educated and understand the ramifications of system patches, authentication, etc we will continue to have problems.

Personally, I think the best solution is some sort of understanding at the ISP level to block traffic from insecure or infected systems.  At my project, we frequently perform penetration scans and present the results to stakeholders.  When I was running a VPN service there, I frequently received those reports.  Most of the time they were innocuous (Zomg!  Your box responds to ping!), but sometimes I got good intel from the reports that helped me further refine the security of the system in question.  I think ISPs might want to consider similar actions and even block networks that refuse to correct issues they've been alerted to.

BTW, the NSA guides mentioned above are fantastic.  I used their NT4.0 guide back in 2000 to harden a quartet of NT4 servers running a PKI system for the VPN service I mentioned.  The C&A guy said that was the first time he had no significant issues to be corrected.

Chris
Title: Re: Should Obama Control the Internet?
Post by: RevDisk on April 06, 2009, 08:59:14 AM
Quote
BTW, the NSA guides mentioned above are fantastic.  I used their NT4.0 guide back in 2000 to harden a quartet of NT4 servers running a PKI system for the VPN service I mentioned.  The C&A guy said that was the first time he had no significant issues to be corrected.

Chris

Links!

DISA's IA site : http://iase.disa.mil/index2.html  (DoD PKI required for some stuff.)

NSA/CSS's Security Configuration repository : http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml

OnGuard Online (for less technical folks) : http://www.onguardonline.gov/default.aspx
Title: Re: Should Obama Control the Internet?
Post by: tokugawa on April 06, 2009, 11:49:09 AM
Some politician once said this (or words to this effect)
 
 "  When evaluating a new proposed law, do not do so based on the intended use of that law. Instead, think of the most perverted, convoluted interpretation possible, because THAT is how the law will be stretched to encompass new "crimes", that were not even envisioned in the original document."
     (I am sure you can all think of examples)
 
  Control of the internet, as in ability to shut off things like this forum, email, blogs, etc would be a top priority for any Gov. that wants to suppress an unruly populace. Pretty hard to demonstrate if you do not know there is going to be a demonstration. Expand this thought as you wish.
 
  At this time we are undergoing the biggest theft the world has ever seen, as the powers that be bleed us and our future generations dry, to cover the frauds perpetrated by JP Morgan/Chase, BoA, Citigroup, Goldman Sachs, and one or two others. - between them, they hold about 95% of all the derivatives set to fail.  The same damned crew that caused the problems is now sacrificing our children's futures to cover their own asses, using their toadies in the Gov. to open the money spigot.   Compared to these guys, AQ are pikers. Wonder how many will end up dead, out in the cold, no food, no meds, no home, as a result of the impending collapse?  These people are indeed "changing" America from a nation of the free to a nation of "New Lords" and serfs. Welcome to the new feudalism. Shut off the internet and the consolidation of power is complete. Hell, we wouldn't even know the pitchfork factory had closed.


   "I believe that banking institutions are more dangerous to our
 liberties than standing armies. If the American people ever allow private
 banks to control the issue of their currency, first by inflation, then by
 deflation, the banks and corporations that will grow up around the banks
 will deprive the people of all property until their children wake-up
 homeless on the continent their fathers conquered."
     
  Thomas Jefferson

 
 "The way to crush the bourgeoisie is to grind them
between the millstones of taxation and inflation."

  Lenin
Title: Re: Should Obama Control the Internet?
Post by: longeyes on April 06, 2009, 12:11:13 PM
+1

Liberty is too important to be left to the technocrats.
Title: Re: Should Obama Control the Internet?
Post by: mejeepnut on April 06, 2009, 12:35:41 PM
Who makes short wave radios? I think it may be time to invest in their stocks!
Title: Re: Should Obama Control the Internet?
Post by: Gewehr98 on April 06, 2009, 02:33:53 PM
That's not how I understand Cyber Command, RevDisk. (Now 24th Air Force under U.S. Space Command)

http://www.afcyber.af.mil/

I envision it as the sharp-toothed DoD portion of our national cyberspace defense, working in conjunction with the guys at Ft. Meade, Langley, etc.   

Of course, what's in one's nascent charter and what evolves out of it are often two different things. I was only a small cog in the big national defense machine, but I could see where anything had the potential for abuse, no doubt about it.

De-centralizing internet security is all well and good, assuming the individual actors can respond to a given threat simultaneously and with the appropriate amount of force to neutralize that threat while preserving the capability that was under attack. (Gawd, that sounds like it came straight from Air War College, doesn't it?   =|)

We've been lucky so far, and have narrowly avoided previous cyber attacks.  If I were Al Qaeda and wanted to put a serious hurt on The Great Satan, that would be a very attractive target to me.

I'll agree that the media really played up Conficker.  If you're part of the system that routinely protects and safeguards systems, it was probably no big deal to you at all.  You're doing your job, and have nothing to fear.  I got called into my wife's work last week to help patch their 50+ systems, because their IT guy hadn't gotten around to it yet, and each machine had a piecemeal update history. (He has a hard time just doing nightly and weekly back-ups, so that explains a lot) To speed things up, I ran Auto-Patcher, downloaded ALL the MS KBXXXX patches, and went from there. Cash in my pocket for somebody else's laziness, and Conficker isn't even a rootkit bug, which is my most hated infection of all.  Now, if a small business with just 50 vulnerable machines is unprepared, I don't think it's a stretch to say there are a lot more out there. 

IOW, you have your s#it wired tight as an IT guy.  Unfortunately, there are many that don't, and that's where the fun will begin in a large-scale cyber attack.  Hopefully, critical data paths will be smarter than that, with recurring Death by Powerpoint COMPUSEC training, vulnerability analysis, up-to-the-minute software patches, the whole 9 yards.  You'll never reach 100%, but perhaps we can get close. So maybe an on/off valve to throttle back the incoming hits while we scurry around like rabbits patching the holes in the dike has merit?   

(Cool links, btw!)
Title: Re: Should Obama Control the Internet?
Post by: Werewolf on April 07, 2009, 04:11:27 PM
Quote
Should President Obama have the power to shut down domestic Internet traffic during a state of emergency?

Except for a short period of time (months?) after 1975 the US has been in an official state of emergency since 1963 or so.  Might have not been renewed by Clinton, maybe, but all it takes for the US to be in a state of emergency is for the Pres to say it is.

Quote
Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine) think so. On Wednesday they introduced a bill to establish the Office of the National Cybersecurity Advisor—an arm of the executive branch that would have vast power to monitor and control Internet traffic to protect against threats to critical cyber infrastructure. That broad power is rattling some civil libertarians.
Don't the Chinese already have one of these? Hell we wouldn't even have to reinvent the wheel just go to China and copy theirs.
Title: Re: Should Obama Control the Internet?
Post by: RevDisk on April 07, 2009, 08:22:12 PM
Quote
That's not how I understand Cyber Command, RevDisk. (Now 24th Air Force under U.S. Space Command)

http://www.afcyber.af.mil/

I envision it as the sharp-toothed DoD portion of our national cyberspace defense, working in conjunction with the guys at Ft. Meade, Langley, etc.   

Yea, we already have one of those.  DISA and NSA.

Granted, we didn't do offensive IEW (Information and Electronic Warfare), but the defensive stuff, yea.  I never worked the black side, so I can't (and wouldn't) comment on our offensive IEW capacities.  But, I've been doing this since I was 16 and wrote a heuristic malware scanner before mainstream AV companies actually started including antimalware components.  I've now worked mil, gov and com, and I can tell ya with infinite certainty, your Cyber Command is a money soak.  If it wasn't just a money soak, it'd be near useless.  If it wasn't near useless, it was allowed to do stuff other than USAF networks, it'd be a security risk.

Now, there is a place for USAF IEW types, obviously.  Lots of stuff they can do.  Keeping an eye on USAF networks, especially field ones.  Developing good security procedures for embedded networks, which will only become a greater concern as their birds get more advanced.  The newest aircraft have internal networks, somewhat similar to conventional LANs, for all of the components to talk to each other.  I very much hope SOMEONE is reviewing its passive and active information security features.  I really don't want hostile governments to be able to take over, jam or feed false data to internal networks in say, a Raptor or JSF.  Actually, I'd be very unhappy if someone could make the bird switch coords for friendly and hostile forces.

The USAF can't even provide decent CAS or airlift capacities to other services, and that is within their responsibility.  If they can't provide their alleged core responsibilities to other services, how can they provide IEW protection to the other services?  Let alone providing IEW protection to our critical infrastructure.


Quote
Of course, what's in one's nascent charter and what evolves out of it are often two different things. I was only a small cog in the big national defense machine, but I could see where anything had the potential for abuse, no doubt about it.

De-centralizing internet security is all well and good, assuming the individual actors can respond to a given threat simultaneously and with the appropriate amount of force to neutralize that threat while preserving the capability that was under attack. (Gawd, that sounds like it came straight from Air War College, doesn't it?   =|)

We've been lucky so far, and have narrowly avoided previous cyber attacks.  If I were Al Qaeda and wanted to put a serious hurt on The Great Satan, that would be a very attractive target to me.

Thing is, just about any IW attack pales in comparison to the average battle against malware and spam.  When I say that, most infowar types say "But targeted attacks are much more dangerous than routine shotgun nature of malware and spam!"  True.  But that's becoming less true with spear phishing and narrow focused malware.  You can thank the Russian mafia for that.  They've led the way on turning hacking and malware into a money making OC enterprise.

There have been multiple foreign hostile governments that have attempted IEW attacks against government networks in recent history. 

Hell, the USSR did it.  I won't talk about the more modern episodes, but I can talk about some of the historical attacks.  The KGB did pay European hackers to attack US companies and govt systems.  They did a lot of corporate espionage stuff.  We noticed it, and among one of our all-time favorite counterhacks was giving the USSR "altered" information.  Every IEW type's favorite story was when the USSR built a high pressure natural gas pipeline control system built from stolen Western information.  We included a small...  bug.   Certain folks had to warn NORAD and other folks in advance, because the resulting explosion looked like a tac-nuke detonation.

You really don't want to know how much effort the USSR had to put in to double, triple, quadruple check everything they stole.  Often, it would have been cheaper in resources to just build/write their own.    =D


Quote
I'll agree that the media really played up Conficker.  If you're part of the system that routinely protects and safeguards systems, it was probably no big deal to you at all.  You're doing your job, and have nothing to fear.  I got called into my wife's work last week to help patch their 50+ systems, because their IT guy hadn't gotten around to it yet, and each machine had a piecemeal update history. (He has a hard time just doing nightly and weekly back-ups, so that explains a lot) To speed things up, I ran Auto-Patcher, downloaded ALL the MS KBXXXX patches, and went from there. Cash in my pocket for somebody else's laziness, and Conficker isn't even a rootkit bug, which is my most hated infection of all.  Now, if a small business with just 50 vulnerable machines is unprepared, I don't think it's a stretch to say there are a lot more out there. 

IOW, you have your s#it wired tight as an IT guy.  Unfortunately, there are many that don't, and that's where the fun will begin in a large-scale cyber attack.  Hopefully, critical data paths will be smarter than that, with recurring Death by Powerpoint COMPUSEC training, vulnerability analysis, up-to-the-minute software patches, the whole 9 yards.  You'll never reach 100%, but perhaps we can get close. So maybe an on/off valve to throttle back the incoming hits while we scurry around like rabbits patching the holes in the dike has merit?   

(Cool links, btw!)

Way off topic, but your rootkit comment made me remember it.  I haven't seen anything really interesting, malware or virus wise in a while.  So when one of my users got infected with an unknown ailment, I was almost jumping for joy.   Ran it by the usual tricks, Blacklight noticed it immediately but none of the usual AV products did.  So I started dissecting.  Generic rootkit delivery system, which was boring.  The payload, I thought was quite clever.  It modified part of the DNS handling section of Windows.  Every X DNS requests, the real IP of the requested system was switched for a hostile IP.  So you reload Google's site 20 times and on the twentieth time, your request for Google's site instead sent you to an ad-laden site.  A mild ad click inflator, but I thought it was amusing because it was browser neutral.  Sent it off to the Kaspersky folks and they had it added to the definitions within 15 minutes.

If you're really worried about national exposure to IEW attacks and want the govt to take the lead in fixing, there's a lot that can be done.  Task the NSA with more public Information Assurance work.  As you noticed from the nifty links, they already do a good bit.  Have them make more handy and friendly configuration guides.  Bribe and/or threaten Microsoft into upgrading and opening their patch system.  Have the NSA write and open source a comprehensive patch management system, preferably with the capacity to plug in any third party application patches.  While these patch management systems do exist, they are expensive and many are not very friendly.

Any closed source government supplied (or mandatory) solutions would be counterproductive and probably illegal.  Providing good, clean (ie, no Clipper chip like inclusions), open source tools would greatly help. 
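The payload described in the post above swaps in a wrong address only on every Nth lookup, so a single spot check of DNS usually comes back clean. As an added example (not part of the original post), here is one way to check a host's recorded lookups against reference answers and recover the substitution period; the log format, the `TRUSTED` table and all names and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict

# Reference answers obtained out of band, e.g. from a known-clean machine
# (assumption; every name and address here is a constructed documentation value).
TRUSTED = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},   # legitimate round-robin pair
    "mail.example.com": {"198.51.100.5"},
}

def build_sample_log(period=20, lookups=60):
    """Constructed data: (name, answer) pairs in the order the host resolved them."""
    log = []
    for i in range(1, lookups + 1):
        good = "192.0.2.10" if i % 2 else "192.0.2.11"
        # Every `period`-th lookup carries a substituted answer.
        log.append(("www.example.com", "203.0.113.66" if i % period == 0 else good))
        if i % 4 == 0:
            log.append(("mail.example.com", "198.51.100.5"))
    return log

def find_intermittent_substitutions(log, trusted):
    """Flag names whose answers sometimes fall outside the trusted set.

    Returns {name: {"bad_ips": Counter, "positions": [...], "period": int|None,
    "rate": float}}. Positions count lookups per name, so unrelated traffic in
    between does not blur the period. Names without a reference entry are skipped.
    """
    seen = defaultdict(int)
    findings = {}
    for name, ip in log:
        seen[name] += 1
        if name not in trusted or ip in trusted[name]:
            continue
        f = findings.setdefault(name, {"bad_ips": Counter(), "positions": []})
        f["bad_ips"][ip] += 1
        f["positions"].append(seen[name])
    for name, f in findings.items():
        pos = f["positions"]
        gaps = {b - a for a, b in zip(pos, pos[1:])}
        # A single repeated gap means a counter-driven swap rather than random noise.
        f["period"] = gaps.pop() if len(gaps) == 1 else None
        f["rate"] = len(pos) / seen[name]
    return findings

if __name__ == "__main__":
    for name, f in find_intermittent_substitutions(build_sample_log(), TRUSTED).items():
        print(name, dict(f["bad_ips"]), "period:", f["period"], "rate:", f["rate"])
```

Comparing against a set of reference answers rather than the majority answer keeps legitimate round-robin records from being flagged.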
Title: Re: Should Obama Control the Internet?
Post by: Gewehr98 on April 07, 2009, 08:56:38 PM
Quote
The USAF can't even provide decent CAS or airlift capacities to other services, and that is within their responsibility.  If they can't provide their alleged core responsibilities to other services, how can they provide IEW protection to the other services?  Let alone providing IEW protection to our critical infrastructure.

Jeez.

No need to get nasty. 

Get your own damned CAS, then. Mein Gott!

I wasn't the one coming up with CyberCommand or one of the Joint Chiefs who decided that USAF CyberCommand would be the DoD-wide agency.  Give Adm. Mike Mullen a call and voice your concerns.  ;)
Title: Re: Should Obama Control the Internet?
Post by: Jamisjockey on April 07, 2009, 09:11:10 PM

Quote
The USAF can't even provide decent CAS or airlift capacities to other services, and that is within their responsibility.  If they can't provide their alleged core responsibilities to other services, how can they provide IEW protection to the other services?  Let alone providing IEW protection to our critical infrastructure.

You must've been Army....
 :lol:

Semper Fi,
Title: Re: Should Obama Control the Internet?
Post by: Headless Thompson Gunner on April 07, 2009, 09:28:02 PM
I had a chance to meet Gen. Elder of the Air Force Cyber Command.  I have no doubts that we need a cyber command and that Gen Elder and the Air Force are the right people to run it.  I have no doubts that this cyber command should protect all DoD infrastructure, as well as monitor (if not actually protect) all private communications infrastructure within the US.

About the only thing wrong with the Air Force Cyber Command is its hokey name.

I think our country really needs to take heed of what the Russians did to Estonia.  We absolutely cannot afford to have something like that happen to the US.

This new law being proposed does not sound like the right way to do things, though.  As the saying goes, with computer security the devil is always in the details. 
Title: Re: Should Obama Control the Internet?
Post by: Perd Hapley on April 07, 2009, 10:08:05 PM
Of course Obama should control the internets.  Remember, dereggulation made the economy suck.  If we cling to this notion that the internets can regulate itself, Bush/Cheney/McCain/Palin/Jindal/Satan will make it sucks to.
Title: Re: Should Obama Control the Internet?
Post by: Gewehr98 on April 07, 2009, 10:15:05 PM
Yeah, they could've come up with a better name, at least.   =D
Title: Re: Should Obama Control the Internet?
Post by: RevDisk on April 07, 2009, 11:49:11 PM
Quote
I had a chance to meet Gen. Elder of the Air Force Cyber Command.  I have no doubts that we need a cyber command and that Gen Elder and the Air Force are the right people to run it.  I have no doubts that this cyber command should protect all DoD infrastructure, as well as monitor (if not actually protect) all private communications infrastructure within the US.

Dunno Gen Elder, but Gen. Lord (CO of the 24th Air Force, aka Cyber Command Provisional) is a good guy.  Don't know much about his history or his abilities as an officer, but he seemed very straightforward about the issues facing his NAF.  He used the China attacks on US networks as an example of how hindered ANY notional IEW unit would be.  China is an important trade ally, and the US military can't exactly declare war on them even if they are being attacked by them.  He acknowledged that it will be very difficult to draw in non-military talent.  (ie, most US hackers and IEW experts won't want to wear a USAF uniform or take a drastic pay cut)

To directly quote him when he was asked why the AF was trying to do this instead of DISA or the NSA (the people already doing the work the USAF wants to duplicate) as many folks have pointed out, "Our first priority is to work with DoD to defend AF military resources, but many of those resources rely on civilian entities, so we obviously have a keen interest in protecting those items as well."   I think it was his way of saying without a lot of money, there's no way he could protect the entire DoD in place of the established groups already doing so. 

As for the 24th Air Force monitoring, let alone protecting, the entire private infrastructure?  They'd need to be ten times as large as DISA to do so.  Not to mention, repeal a lot of laws on the books and gut parts of the US Constitution.  Not gonna happen.
Title: Re: Should Obama Control the Internet?
Post by: tyme on April 08, 2009, 12:27:17 AM
Rather than tasking one or several government entities with the security of critical infrastructure, why not simply create one that does nothing but pentest critical infrastructure, without giving them operational authority over the networks they're testing?  There would need to be an efficient means of communicating vulnerabilities, and depending on the severity, the NSA/DISA/AF might be allowed to intervene provisionally to patch or mitigate a new vulnerability.  But I suspect that's already the case.

I very much share revdisk's reservations about any one entity being able to control all critical infrastructure.

If the worry is that critical infrastructure is vulnerable, the answer is not to give Obama or the AF operational control over it all.  The answer is to test it more, and to have better procedures for dealing with security problems.
Title: Re: Should Obama Control the Internet?
Post by: Headless Thompson Gunner on April 09, 2009, 11:38:01 PM
To hear Lt Gen Elder talk, it sounds like the AF doesn't want to operate any infrastructure.  They simply want the US to have the capability to observe, defend, and attack within this peculiar domain.  (So do I...)

As relates to information and communication infrastructure, they simply want to be able to monitor the infrastructure, so that they know where and when attacks are occurring, and so that the appropriate responses can be initiated.

The analogy they used is that of highways.  They don't care who built our roads or who maintains our roads or who secures them.  They do want someone to have the ability to see when the Red Army is rolling any tank divisions down our roads, and to have some means to defend and counterattack on the roadways.

Again, I'm not sure the legislative bill described in the article has anything to do with this.  It probably doesn't.

DISA is good, but their job description and expertise isn't applicable here.  NSA, too, is valuable but ancillary.
Title: Re: Should Obama Control the Internet?
Post by: RevDisk on April 10, 2009, 10:20:57 PM
Quote
Rather than tasking one or several government entities with the security of critical infrastructure, why not simply create one that does nothing but pentest critical infrastructure, without giving them operational authority over the networks they're testing?  There would need to be an efficient means of communicating vulnerabilities, and depending on the severity, the NSA/DISA/AF might be allowed to intervene provisionally to patch or mitigate a new vulnerability.  But I suspect that's already the case.

You'd still need the voluntary agreement of the owners of the non-government infrastructure.   But yea, a central pen-tester or advice giving entity would be nice.  You are right that NSA and DISA already do this (see above links), but not in any comprehensive manner.  The NSA often does technical review on erm...  critical software.   There are no official and public guidelines, but it's always done with the owner's permission.  Granted, I would think any software manufacturer would be deliriously happy to get a software review by someone as technically advanced, well staffed and generally knowledgeable as the NSA.  To get it at no cost would be the icing on the cake. 


One example is _NSAKEY built into all versions of Windows.  Microsoft generated a digital signature to sign cryptographic modules.  That's good.  On the other hand, during the tech review, NSA mentioned it was unwise to have a single source for the key (which they did on the first key).  The theory is that whoever generated the initial key knows the entire key, thus can be forced to give it up.  If you're making a key for something that you really don't want anyone to ever break, you don't want anyone really knowing the entire key.  If no one knows the key, there is no physical way for that key to get compromised by a single source.  The trick is using secret splitting, which splits the inputs for generating the digital signature into several pieces with no single person or group knowing the entire key.  So they included a second sig into a part of Windows, this time a split key generated sig.

Naturally people assigned all amounts of tin foil hattery to that episode, but it was pretty straightforward tech review. 


Quote
DISA is good, but their job description and expertise isn't applicable here.  NSA, too, is valuable but ancillary.

I'd agree if you were saying that DISA isn't good for this task because they're used to owning the hardware and not advising from the sidelines.  I still think they'd be good at advising very large enterprises, because that's what they do.   On a tech level, there's very little difference between a government or private enterprise network.  Both use mostly the same products.  Oh sure, config and policies are different, but the underlying tech isn't.

Title: Re: Should Obama Control the Internet?
Post by: Headless Thompson Gunner on April 14, 2009, 01:11:18 PM
This isn't a problem of securing a few networks or generating some strong crypto algorithms.  This is about recognizing that data systems represent tangible, national-security-scale infrastructure on the same order as bridges and factories and cities and whatnot.  It's about recognizing that these assets exist within a domain that is entirely new to the military.  Any nation that wishes to have an effective national defense is going to need to know how to operate within this domain. 

This is why I was so pleased to hear LtGen Elder give his presentation.  He's the first prominent military man I've seen who understands this issue in the right light.  He seems to grok that some sort of cyber command (for lack of a better term) is as vital as an army, navy, and air force.  A nation will need to fight on land, sea, and in the air in order to defend itself.  It will also need to fight on the cyber plane.  Just ask Estonia and Georgia.

DISA and NSA do not know how to fight within this new domain.  They each have a piece of the puzzle, but they aren't anywhere near sufficient for this problem.
Title: Re: Should Obama Control the Internet?
Post by: Perd Hapley on April 14, 2009, 09:26:21 PM
I still say Obama SHOULD control the internet.  His Merciful Suaveness controls all other things; tides, crops, economic realities...
Title: Re: Should Obama Control the Internet?
Post by: Gewehr98 on April 14, 2009, 11:20:57 PM
DISA and NSA are not warfighters. 

They never have been, and they never will be.

Cyber Command is a step in the right direction, if we want to defend against hostile foreign attacks and fight back with some measure of success.

It will require the joint cooperation of all the agencies named in this thread to provide a useful, multi-layered capability.

I know that hurts some people's feelings, and they may even feel like their toes are being stepped on, but Information Warfare is nothing to be discounted in this day and age.