Emergency control of Internet?

[AZRedhawk44]

Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet.

They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.

The new version would allow the president to "declare a cybersecurity emergency" relating to "non-governmental" computer networks and do what's necessary to respond to the threat. Other sections of the proposal include a federal certification program for "cybersecurity professionals," and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

"I think the redraft, while improved, remains troubling due to its vagueness," said Larry Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board. "It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill."

Representatives of other large Internet and telecommunications companies expressed concerns about the bill in a teleconference with Rockefeller's aides this week, but were not immediately available for interviews on Thursday.

A spokesman for Rockefeller also declined to comment on the record Thursday, saying that many people were unavailable because of the summer recess. A Senate source familiar with the bill compared the president's power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.

When Rockefeller, the chairman of the Senate Commerce committee, and Olympia Snowe (R-Maine) introduced the original bill in April, they claimed it was vital to protect national cybersecurity. "We must protect our critical infrastructure at all costs--from our water to our electricity, to banking, traffic lights and electronic health records," Rockefeller said.

The Rockefeller proposal plays out against a broader concern in Washington, D.C., about the government's role in cybersecurity. In May, President Obama acknowledged that the government is "not as prepared" as it should be to respond to disruptions and announced that a new cybersecurity coordinator position would be created inside the White House staff. Three months later, that post remains empty, one top cybersecurity aide has quit, and some wags have begun to wonder why a government that receives failing marks on cybersecurity should be trusted to instruct the private sector what to do.

Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It requires a "cybersecurity workforce plan" from every federal agency, a "dashboard" pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months--even though its mandatory legal review will take a year to complete.

The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. "As soon as you're saying that the federal government is going to be exercising this kind of power over private networks, it's going to be a really big issue," he says.

Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)

"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."

Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.

The Internet Security Alliance's Clinton adds that his group is "supportive of increased federal involvement to enhance cyber security, but we believe that the wrong approach, as embodied in this bill as introduced, will be counterproductive both from an national economic and national secuity perspective."

http://news.cnet.com/8301-13578_3-10320096-38.html

If the nation's power grid (as one example) is vulnerable to an attack from broadband.... then the grid needs to be taken off the internet and either made stand-alone, or run on a private network (possibly via radio or satellite).

Always struck me as impressively dumb in that last season of "24" where the nuclear reactors were all slaved to one device over the innernetz.  Unplugging the CISCO (blatant product placement plug!) router that acted as the gateway at each nuke plant would have stopped the whole damned thing.

It'd be like Red China trying to hack my disassembled 486 out in the garage... good luck with that.  It ain't connected to anything.

There is NO emergency justification for turning off nationwide or global communication.

Hooray, DARPA invented the innernetz.  Military was one of the early adopters, along with universities.  But the internet has superseded those uses and proven itself to be insufficient to sensitive/secure work on the scale of nukular reactors and power routing.  Nothing wrong with using the exact same technology to build a parallel network that is completely disconnected from the internet, though.

Hell, HAMmers do it all the time.  I've heard of radio modems used for amateur telecom.

[charby]

Nothing wrong with using the exact same technology to build a parallel network that is completely disconnected from the internet, though.

Time for a www3.whatever.secret to be the secure network for all those devices.

[Fjolnirsson]

Darnit AZ, ya beat me to it.

[charby]

I little google fu showed me that there already is a www3 out there, so I say give them www4 then.

[AZRedhawk44]

I little google fu showed me that there already is a www3 out there, so I say give them www4 then.

Yer missin' the point.

No need for extending name resolution to cover .secret domains or obfuscating DNS entries if the physical infrastructure of such a network is never EVER EVER EVER joined to the "real" internet.

Build a small office network in your house that has no internet access.

Now run a nuclear reactor off it.

Now plug in a wireless access point with a tightly focused yagi antenna to your neighbor's house across the street, implement WEP encryption and build a second nuclear reactor network over there that is also not on the internet.  Or just run cat5 or fiber.  Or bounce it off a satellite in orbit if you have the resources.

Jack Bauer's nemesis o' the week can't hack your reactor because it's not on the internet.  Nor your neighbor's reactor.  Unless he can tap the physical transmission media (radio, copper, fiber, satellite).

Physical layer OSI model security trumps Federal Bureaucracy e-v-e-r-y time.

You can't hack something that you can't touch.

[mtnbkr]

There's a reason secure networks are airgapped from unsecure ones.

Chris

[Gewehr98]

Yup. Chris speaks true.

JWICS

SIPRNET

NIPRNET

etc.

[charby]

I was trying to be humorous.

I guess it failed.

I did really mean that gov build their own private internet that isn't connected to the www for things that are mentioned above.

[Nick1911]

There's a reason secure networks are airgapped from unsecure ones.

Chris

SNEAKERNET links ALL networks!
 

[mtnbkr]

Smartarse. :)

Seriously though, in an airgapped system (or any secure system, airgapped or not), sneakernetting from unsecure to secure will get you in hot water quickly.

Chris

[Nick1911]

Smartarse. :)

It's Friday, and I'm waiting on others before I can move forward with my project.  So, I'm a bit hyper and ornery today.  Lucky for you!

[MechAg94]

I don't see any good reason why a nuclear reactor control system would need to be available across the internet regardless of security.  They aren't going to un-man those facilities.  If someone needs to see what is going on, there are other ways to get data that are output only. 

[mtnbkr]

I don't see any good reason why a nuclear reactor control system would need to be available across the internet regardless of security.  They aren't going to un-man those facilities.  If someone needs to see what is going on, there are other ways to get data that are output only. 

I suspect it started out with private circuits until someone realized they could achieve the same thing with VPNs over the Internet or something similar.  It was likely a cost cutting measure.

Chris

[BrokenPaw]

Seriously though, in an airgapped system (or any secure system, airgapped or not), sneakernetting from unsecure to secure will get you in hot water quickly.

Going the other way will get you in hot water even quicker.

BTW, AZ:

implement WEP encryption

WEP is only enough encryption to keep honest people honest and to deter the extraordinarily unmotivated.  And if the reports I'm reading are right, WPA's no longer likely to be safe for long.  WPA2 with AES is looking like the best current alternative.

The problem with networks is that the only totally secure network is...no network at all.

-BP

[MechAg94]

I suspect it started out with private circuits until someone realized they could achieve the same thing with VPNs over the Internet or something similar.  It was likely a cost cutting measure.

Chris

I use VPN to connect to my company's network for email and stuff.  I guess I could also access a separate firewalled network to access the control computers at our plant.  Even then, it would take a great deal of effort/no how to defeat the electronic safety interlocks to make anything bad happen.  Then the hard wired interlocks and pressure relief valves would still shut the plant down safely. 

Then again, maybe I am making a mistake of applying reality to a TV show.  :)

[mtnbkr]

Going the other way will get you in hot water even quicker.

True.  I was thinking about an acquaintance of mine when I wrote that.  :)

Chris

[AZRedhawk44]

Going the other way will get you in hot water even quicker.

BTW, AZ:
WEP is only enough encryption to keep honest people honest and to deter the extraordinarily unmotivated.  And if the reports I'm reading are right, WPA's no longer likely to be safe for long.  WPA2 with AES is looking like the best current alternative.

The problem with networks is that the only totally secure network is...no network at all.

-BP

I understand WEP is weak, but I also mentioned it being focused tightly via a yagi antenna.  If it is focused onto a receptor dish in both directions, it isn't "broadcast" at all and is difficult to see/hear/interrupt/hack.

I'm not suggesting we move all nukular plants to WEP rather than Cisco VPN over public internet.

I'm suggesting that laser-like line of sight communication or other tightly focused datastreams can eliminate problems with broadcast radio security so that hard-lines aren't really mandatory... a focused radio cone from a satellite that impacts a 1/4 mile area around a nuke plant, and a similar focused radio cone from that same satellite that impacts a 1/4 mile area around a command and control structure, would be quite secure I would think.  Physically secure the grounds so no one can snoop the radio traffic and attempt to decipher it... use an encryption methodology... you can't tap it unless you are physically in 1 of 3 places:  the command center, the satellite, or the nuke plant.

[Zardozimo Oprah Bannedalas]

If the nation's power grid (as one example) is vulnerable to an attack from broadband

Live Free or Die Hard is getting more realistic every day. Well, except for the flying car.

[Harold Tuttle]

pigeon Net FTW

[RocketMan]

Harold owes me a keyboard.  Watermelon bits all over the place.

[RevDisk]

If the nation's power grid (as one example) is vulnerable to an attack from broadband.... then the grid needs to be taken off the internet and either made stand-alone, or run on a private network (possibly via radio or satellite).

Always struck me as impressively dumb in that last season of "24" where the nuclear reactors were all slaved to one device over the innernetz.  Unplugging the CISCO (blatant product placement plug!) router that acted as the gateway at each nuke plant would have stopped the whole damned thing.

It'd be like Red China trying to hack my disassembled 486 out in the garage... good luck with that.  It ain't connected to anything.

There is NO emergency justification for turning off nationwide or global communication.

Hooray, DARPA invented the innernetz.  Military was one of the early adopters, along with universities.  But the internet has superseded those uses and proven itself to be insufficient to sensitive/secure work on the scale of nukular reactors and power routing.  Nothing wrong with using the exact same technology to build a parallel network that is completely disconnected from the internet, though.

Hell, HAMmers do it all the time.  I've heard of radio modems used for amateur telecom.

Infrastructure is typically run on a SCADA network.  Most of the time, for the really critical stuff, the SCADA is just for monitoring.  You could haX0r the SCADA network and be able to see the sensor readings of a nuclear reactor.  You couldn't order the reactor to melt down because the monitoring sensors are passive read only.  Yes, there ARE some folks who unwisely connected stuff to SCADA where you can influence stuff.  It's the exception, not the norm.

Radio and satellite comms are not intrinsicly more secure than the internet.  Trust me on that one.  Most companies don't route their internal traffic over the internet.  They order a private virtual circuit from their telcom.  For example.  Suppose company A wants their office in San Francisco to talk to their office in Boston.  Their network engineer calls up Verizon, AT&T, whomever and orders two T1's.  (A T1 is a big pipe to the telecommunication company's networkm.) One in San Fran (SF-T1), the other in Boston (B-T1).  He asks that that circuits B-T1 and SF-T1 be virtually connected at such and such bandwidth.  Day or two later, B-T1 and SF-T1 can talk to each other and no one outside of the circuit can listen in.   You can connect up as many T1's or DS3's as you want. 

That is how the overwhelming majority of wide area networks function.  Few folks run their own fiber optic across the country, as there is no real reason to do so.  If you're worried about the telcom snooping, tunnel the traffic through an encrypted channel. 


Technically 'internet traffic' is running through the same hardware as the WAN traffic.  The internet traffic is just another virtual network.  The same physical device runs phone (cell and landline), WAN traffic, internet traffic, etc.  Doesn't matter, you can't hop between virtual networks.  The traffic is just traffic, it's all up to the routing.

Assuming the network engineer for $NUKEPLANT isn't a muppet, you don't have to jury rig some kind of ad-hoc radio packet network.  It's stupid, less efficient, less secure and more expensive unless you're within walking distance of the other sites.  In which case, you dig up the road and lay down encased fiber.  You call up AT&T, order a few T1's, specify the routing perimeters (ie not connected to anything else), and program your routers accordingly.  Viola, immune to internet traffic.  This ain't that difficult.

Don't get me wrong, there are probably some muppets calling themselves 'network professionals' that'd VPN over the internet.  That's a fine and reasonable solution for a small office.  Medium or large company?  Not so much, and not so likely.  Routing a critical infrastructure R/W SCADA over a VPN over the internet?  That doesn't deserve a "emergency powers bill", it requires someone to be shot for having a lower than room temperature IQ.  I'm sure it's happened, but it's pretty rare.

[Perd Hapley]

Remember; if they don't take over your computer - THE TERRORISTS WIN!!

[RevDisk]

Yup. Chris speaks true.

JWICS

SIPRNET

NIPRNET

etc.

I was trying to be humorous.

I guess it failed.

I did really mean that gov build their own private internet that isn't connected to the www for things that are mentioned above.

NIPR and SIPR are not airgapped.  They are private virtual circuits, exactly like commercial WAN's.  They are just better encrypted.  The only difference are a handful of stub networks going to remote facilities.  Some go over commercial commsats, some go over military commsats.  They touch the internet at various DISA facilities around the world.

I won't speak of the network design of any TS networks. 

The govt does have private networks, but the overwhelming majority of domestic traffic is done over leased lines from regular telecommunication companies. 

Disclosure:  I worked for DISA, who runs basically any and all DOD/intel/etc networks.  I'm not going into any further detail of classified government networks than what I just posted.  Everything I posted is already publically available and I will not post anything that is not.



Anyways.  Re the bill.  It's stupid.  Just allow telcomms to be able to kill their connection to a particular customer, without losing common carrier status.  Currently, the law says that big telcos must act as a common carrier and not discriminate on their traffic.  This gives them immunity from prosecution for any illegal content crossing their network.  That's why the RIAA can't sue AT&T for illegal MP3 downloads on their network, and the FBI can't arrest Verizon for a customer downloading child porn.  If telcos were to shut off without a court order someone haX0ring a nuke plant, they could lose their common carrier status.  Then they would be liable for any and all traffic on their network.  So if the FBI told AT&T to turn off the connection for some script kiddie in Ohio who was haXoring Three Mile Island (or APS), and AT&T did so, the FBI could bring up charges against AT&T the next time someone haX0red another person over AT&T's network.  Sound rediculous?  Well, that's our legal system. 

Places like YouTube, flickr, etc that employ moderation and whatnot are not common carriers as they discriminate what is allowed.  They can and have been sued for copyright infringement and the like.  Google is going through some interesting lawsuits at the moment on just that. 

How do you fix this?  Allow common carriers to shut off folks haX0ring without losing common carrier status.  Which is allowed already, it just requires a court order.  I prefer the current system, obviously.  Allowing the President to shut down network connections without oversight or judicial involvement is a direct violation of the Constitution in addition to being a bad idea.

There are many, many ways to improve critical network security.  This is not one.  If implemented, it would threaten critical infrastructure and not protect it.  The NSA has done the best job thus far by publishing their superb configuration guides.  Toss them some money and tell them to write more guides.  Publize them.  Heavily.  Heck, ask the manufacturers to include the guides with their product documentation.  Most would be happy to do so.


And as always, much credit goes to the EFF for fighting bad ideas like this legislation.  Do yourself a favor and give them a couple bucks. 

[Fly320s]

Doesn't Al Gore still have The Internet switch at his house?

[AZRedhawk44]

Radio and satellite comms are not intrinsicly more secure than the internet.  Trust me on that one.  Most companies don't route their internal traffic over the internet.  They order a private virtual circuit from their telcom.  For example.  Suppose company A wants their office in San Francisco to talk to their office in Boston.  Their network engineer calls up Verizon, AT&T, whomever and orders two T1's.  (A T1 is a big pipe to the telecommunication company's networkm.) One in San Fran (SF-T1), the other in Boston (B-T1).  He asks that that circuits B-T1 and SF-T1 be virtually connected at such and such bandwidth.  Day or two later, B-T1 and SF-T1 can talk to each other and no one outside of the circuit can listen in.   You can connect up as many T1's or DS3's as you want.

That is how the overwhelming majority of wide area networks function.  Few folks run their own fiber optic across the country, as there is no real reason to do so.  If you're worried about the telcom snooping, tunnel the traffic through an encrypted channel.

That's no different than a large-scale VLAN.

With a VLAN, you still have access to the physical switch where the other traffic is happening.

Hack the switch and you can alter the VLAN or packetsniff on the other network.

If you can packetsniff, then you can break encryption after enough analysis.

I still insist that there's no reason to not be running separate physical networks for these resources that are so vital.  If AT&T, Global Crossing, Verizon and others can run fiber or other backbone, then the FedGov can do it also.

After all... I doubt the communication channels to naval vessels are VPN-tunneled or VLAN-circuits across the innernetz.