Ever since W started tacking "Homeland" onto everything he could find, the presence of that word on ANYTHING has been a guarantee that that thing a) sucks, b) is unnecessary, and c) is a grave threat to civil liberties.
The civil liberty to which you refer in this comment is "the right to run a region electric grid provider free from government intervention". Hardly the stuff of Thomas Paine.
Is it really so unreasonable to suppose that politicians and bureaucrats will, when convenient, interpret this vague bill in such a way as to allow them carte blanche to regulate whatever they want?
One way I would improve the bill is to target a list of specific industries. They can amend that list later if gaps are identified. They can even have someone write up reports about which other industries ought to be on the list.
It's boring because it's so very common. It's the boring risks that hurt the most people (e.g. heart disease). It's the boring risks that we ignore, making them the worst risks most of us will ever take.
You're a security guy. You of all people should appreciate this stuff.
Of all the ways that George W. Bush has been disrespected, calling him by his middle initial doesn't really register.
On the broader point, presidents are politicians, not gods. More to the point, they are our employees, and they should be treated with the dignity and respect appropriate to that position. You don't bow and scrape to your employees, but you don't call them rude names and spit at them either, even if you disagreed with the decision of the hiring committee to hire this particular candidate for the job.
Never confuse the person with the office he or she occupies. Also, as hugh3 pointed out, your president works for you (he was never my president), not the other way around. Do you have the same respect for your mayor? Or your building manager? It's the same job, with a different scope.
The bill might have changed since this was written.
Currently I see "(1) IN GENERAL- The owners and operators of covered critical infrastructure shall have flexibility in their cybersecurity plans to implement any cybersecurity measure, or combination thereof, to satisfy the cybersecurity performance requirements described in subsection (c) and the first-party regulatory agency or sector-specific agency may not disapprove under this section any proposed cybersecurity measures, or combination thereof, based on the presence or absence of any particular cybersecurity measure if the proposed cybersecurity measures, or combination thereof, satisfy the cybersecurity performance requirements established by the Director under subsection (c)." ( http://thomas.loc.gov/cgi-bin/query/F?c111:1:./temp/~c111l3R...: )
Which seems to specifically state you can choose any approach you want as long as you secure the site.
They can simply require a security measure that is protected by existing IP, thus leaving network security up to the biggest patent-trolls with a lobbying budget. I would much rather entrust security to market-driven solutions, not some herp derp government agency.
Market-driven security is failing us. It's luck, not sound engineering, that is preventing catastrophe. I can respect that regulation would be even worse than catastrophe, but have a hard time dignifying the argument that there's no tradeoff.
I think you're confusing market-driven security levels with market-driven security products.
Big-website-taking-lots-of-citizen-data: I don't need security, the market hasn't demanded it.
The-State: I'm demanding it. Go buy good security, I don't care how.
Big-website-taking-lots-of-citizen-data: Ah, Ok, I think I've found it.
The-State: good, just give me outline so I know.
Big-website-taking-lots-of-citizen-data: here you go.
While the anarchist in me might just hate the state and the large corporations, here no one has yet shown how any of these are doing dastardly deeds. And that's a fine exception to the rule, really.
This bill isn't about "big-website-taking-lots-of-citizen-data". To save us a really pointless and boring argument, let's stipulate that it's about Exelon and not about eBay, and to the extent it isn't, that's a flaw that needs to be corrected.
There's plusses and minuses to PCI. On the plus side, it has absolutely increased awareness of web security at commerce companies, and further it has pushed people from trying to do their own credit card handling to outsourcing that function to companies that can keep on top of it.
On the minus side, it's spawned a small industry of checkbox consultants who do companies a disservice by allowing them to believe they've been audited and assured when really nothing of the sort has happened. It's not hard to trace public incidents back to the PCI auditors who OK'd those companies.
Just remember this, kids: Did any of you imagine TSA would lead to crotches being grabbed in the name of "national security"? There will come a day when all computing purchases will be "routinely" reported to DHS. And every member of IT staff will need a Fed license.
> Did any of you imagine TSA would lead to crotches being grabbed in the name of "national security"?
In general, yes. Not that specifically, but it was pretty clear from the start that it would be invasive and ineffective (because it's always been about theater rather than results).
> There will come a day when all computing purchases will be "routinely" reported to DHS.
That's completely unrelated to the bill at hand here, and the DHS will not be involved. (It will be the IRS, and it won't be at all specific to computing.)
> And every member of IT staff will need a Fed license.
IT is too ill-defined and general for that to happen, but I could see some positions on some specific kinds of projects requiring licensing just like Plumbers, Electricians, real Engineers, Lawyers, etc have.
Instead of resting on "government is bad, m'kay", how about taking a crack at suggesting something to improve the bill? That's something people can actually debate productively.
Bills are not written by people on discussion boards. They are written by lobbyists, and then adopted by legislators who rarely even read the bills on which they vote.
Then perhaps you might like to campaign and vote against legislators you believe are representing your opinion so poorly? With primary elections it's far from impossible to get rid of bad candidates.
Cynicism is a free pass for bad legislators to continue operating badly. Reasoned, constructive, informed opposition is needed to get the desired outcomes.
* List specific industries that they plan to regulate.
* Gather reports on what, specifically, is needed in those industries (before going off to mandate it).
* Those reports, of course, should indicate performance metrics (as well as how to measure them) and dictate what levels of service the companies must provide and must NOT mandate specific means of achieving those mandates.
That's just for starters.
I'm sure I could think up more. The point is to avoid a "we have to do something!" mentality and think things through and figure out what good can and should be done before deciding that we need to hire a bunch of people who will soon work on justifying their existence and expanding their organizational mission.
The government already has some (somewhat toothless) regulation over grid operators (NERC and FERC).
The problem becomes, what if we're taken by surprise by some piece of infrastructure that nobody expected was critical, but that clearly is? How likely is that to happen? It's virtually guaranteed.
> The problem becomes, what if we're taken by surprise by some piece of infrastructure that nobody expected was critical, but that clearly is? How likely is that to happen? It's virtually guaranteed.
Well, such an event will either be an emergency or it will not be an emergency.
If it's an emergency, it's going to be far too late to bolt on some kind of half-ass emergency security and there's really nothing we can do anyhow. The notion that we could have some kind of oversight is, after all, not at all dependent on whether or not there's a list of industries in the bill. The same thing can (and will) happen if the agency makes up its own list with no public discussion at all. On that note, I'd like to quote something aristus wrote just over a week ago that's apropos: "Policies implemented under the gun have two unfortunate properties: they are wasteful and hard to change after the fact."
And there's nothing stopping them from consulting with that industry on proper security measures. If they're under attack by terrorists and they need help, well, who is going to refuse expert help? (This assumes the government hires real experts and not some congressman's golfing buddy... being able to refuse that "help" is a design feature.)
That leaves us considering the non-emergency case. If that happens, they can go back and amend the law after giving the problem consideration. The advantage this has over the new agency updating its internal list is that it has to go through public discussion. They can't just pass the buck off to an unelected agency with no accountability.
If the question is how can we prevent the attacks we will fail to prevent, we won't. After all, we will fail to prevent them.
The problem becomes what can we do to ensure every piece of infrastructure can be put back on-line in reasonable time. There are a lot of people dedicated to that task, even if, when asked whether their little feud is a piece of critical infrastructure, they may scratch their heads and say "what?".
There absolutely is a problem: nothing the FedGov can do proactively can secure the power grid. I speak from direct personal experience when I say that specific target is a problem.
I think the bill should specifically define the levels of security needed for various types of infrastructure, and avoid allowing a government department to be able to change it.
All this comment says is "Phillip Rhodes doesn't think we should regulate cybersecurity for private networks". That's kind of not super interesting. Try giving your opinion some teeth.
Both the FSF and CNet's sources are making the same complaint about the proposed bill: that it allows DHS to designate private networks as "critical national infrastructure", and that the terminology in the bill is so broad that it would allow (say) eBay to be declared critical infrastructure.
The reality is, while the bill sucks and the language is fuzzy, the intent is clear: critical private national infrastructure means air traffic control and the power grid. Maybe, under the broadest interpretation, they might call the NASDAQ ECNs part of the "nation's information infrastructure".†
The bill makes no mention of proprietary software or hardware. The FSF is apparently reacting to the notion of DHS having any authority over the operation of networks; the notional concern is, "if they can dictate operational terms, they can dictate Cisco and Microsoft". They could just as well dictate Linux or Apache.
It is a fair critique of this bill that DHS has virtually no expertise in this area (despite repeated appeals to US-CERT, which, respectishly, doesn't have the requisite expertise either).
Personally, while virtually everyone else on HN is going to disagree with me, I think it's less fair to criticize the notion of FedGov nationalizing the security of private networks in an emergency. I have several reasons for arguing this:
* It is simply the truth that vast amounts of our critical infrastructure are privately owned and operated, and while reasonable and mostly hands-off regulation may enable utility operators to serve the public good using their own best judgement, that same regulation does nothing to deal with malicious adversaries.
* The government already has the "shadow" authority to accomplish these goals. Does anyone seriously believe the President lacks the ability to nationalize power grid security in the event that an attack makes the midwest go dark? Of course he can. It's better to be explicit about that authority now, when we're not panicking over an actual technological attack, than it will be for us to create de facto new rules in a crisis.
* There is a real risk that companies managing critical infrastructure might not realize that their networks are critical infrastructure, or, worse, might not care. We have decades worth of track record for companies not disclosing horrible incidents for fear of economic consequences. It's one thing when a retail chain delays disclosure of credit card leaks; it's another when a grid operator gets owned up.
† Systems can be designated if "the destruction or the disruption of the reliable operation of the system or asset would cause a national or regional catastrophe"; specific factors that must be considered include whether an attack would cause "a mass casualty event with an extraordinary number of fatalities", "severe economic consequences", "mass evacuations with a prolonged absence", or "severe degradation of national security capabilities, including intelligence and defense functions".
> The bill makes no mention of proprietary software or hardware.
The bill references Common Criteria certification procedures for the software running the network. This potentially could be used to exclude the use of custom operating systems and reconfigurations of, say, Linux or BSD, without them undergoing certification.
> the intent is clear: critical private national infrastructure means air traffic control and the power grid
Linux has been EAL4 certified under the ludicrously weak and pro-forma common criteria. You can sell to DoD, on the real DoD secure networks, at EAL2. The bill also doesn't require everyone to run CC-certified OS's.
> while the bill sucks and the language is fuzzy, the intent is clear
Is it so hard to believe that a bill could be interpreted in such a way that unexpected and undesired consequences happen? Rather than waving off criticism by claiming "intent is clear", I think it's best to make the language clear.
Unfortunately, courts do not decide on the intent of legislation. Courts decide on the language of the legislation and the facts of the case. The fact that this legislation has such broad language is something to be feared, regardless of its intent.
Perhaps an analogy is in order. The intent of intellectual property legislation (specifically, patent law) was to promote innovation. However, the outcome of the legislation has been almost exactly the opposite when such legislation has been applied to computer and information technologies. How can you say that the same thing will not happen with this legislation? As the aphorism goes, "The road to hell is paved with good intentions."
To be honest, the language doesn't really matter. The US government can already do all of the things in the bill under the Commerce Clause in the Constitution. Note how the Commerce Clause is used as the justification for requiring that citizens purchase healthcare [1]. It has been used to justify laws related to sex offenders registries [2]. We ultimately are going to have to rely on the courts to develop precedents that limit the power of the government in this area.
Between the debate over cyber security and the debate over healthcare, the Commerce Clause may well prove to be the most significant part of the Constitution for the next decade.
Um, the Commerce Clause didn't unilaterally impose ObamaCare on the country. It simply (arguably) authorized Congress to pass legislation regulating health care. What we're arguing about is whether Congress should exercise its power under the Commerce Clause to give the executive branch more power over the Internet. The language of the statute determines how much, and what kinds, of power the executive branch would get.
> Um, the Commerce Clause didn't unilaterally impose ObamaCare on the country.
What? I never claimed that it did.
> It simply (arguably) authorized Congress to pass legislation regulating health care.
Yes, key word arguably.
> What we're arguing about is whether Congress should exercise its power under the Commerce Clause to give the executive branch more power over the Internet. The language of the statute determines how much, and what kinds, of power the executive branch would get.
You missed the point of my post and I apologize for expressing myself poorly. The act of passing legislation is irrelevant to whether the executive branch will exercise the powers in question. Even if we pass legislation with an explicit enumeration of powers, the executive branch will still step outside those enumerations and use the Commerce Clause as the legal basis. My point is that the only thing which will actually limit the powers the executive branch takes is legal precedence, which we don't have right now. We won't see true limits on what the executive branch can do until we see some Supreme Court rulings in this area.
No, it's not hard to believe that; it clearly has been interpreted that way; what makes you think anyone here would disagree with that?
How would you improve the language of the bill? I agree with the suggestion downthread: "economic damage" is too broad. I think they should just strike that.
I prefer the 'shadow' authority of presidential suasion. In a crisis, the President makes reasonable requests, and infrastructure operators will cooperate with authorities and collaborate with each other, out of common interest and reasonableness.
But, as the crisis passes, operators then have the freedom to adjust their cooperation, without a permanent obligation that could be abused. That's flexible and includes natural checks on abuse in the diversity of citizens' opinions and decentralization of decisionmaking.
No explicit language can achieve the same broad flexibility; when it tries through vagueness, it opens the door to both abuse and paranoia. And it encourages clumsy ass-covering overbroad orders from overreaching politicians, given in a dictatorial spirit, rather than considered requests offered in a spirit of community coordination.
In practice it may also be better for the government to exceed its proper bounds temporarily in emergencies, then be snapped back by calmer minds shortly thereafter, than to enshrine in law the maximal authority that might ever be needed. Lincoln, Wilson, FDR, and Bush-43 all overstepped their legal or constitutional authority in wartime, and then pulled back (or were pushed back) by the courts and public opinion later. Preauthorizing what they actually did would have made it harder in each situation to return to normalcy afterward.
'severe economic consequences' is too vague. By this definition, the US government could have seized control of Visa/MasterCard/Paypal during the recent DDOSes.
Can we seize control of all remaining Bush appointees in influential positions, too? I'm deeply concerned about severe economic consequences, if we don't.
1.) I agree with your argument that a free market with some govt intervention is the proper system for solving such market inefficiencies (i.e. coordination problems amongst infrastructure providers who have different interests than the general public in emergencies).
However, it's not a binary decision between the Wild West and nationalization. The scale goes from:
* Standards ("Here's the minimum." - building codes)
* Checks ("Ask us if it's okay." - gun background checks)
* Certification ("Tell us, and we'll make you more legit." - LEED [non gov't I know])
* Licensure ("You must tell us." - Liquor License)
* Incentives ("Do this and we'll help you." - Tax Credits)
* Nationalization ("Only we can do it." - Post Office)
You gain coordination of public interests and lose long-term innovation as you go down the list. Looking at how many disasters are handled with WalMart, Home Depot, FedEx having better response times - due to their economic incentives.
I'd propose solving this market inefficiency via standards, certification, and perhaps incentives - primarily because this will align incentives without the government needing to know the business and without the moral hazards politicians controlling companies brings. Think of building codes: builder's incentives now are "build cheap, but safe" - not just "build cheap" like 100 years ago.
2.) Most people can see that constitution has been largely deprecated and is more of a talking point than real power restriction. It doesn't mean we don't keep fighting for the new laws to be defined as open as possible (as you mention).
3.) Very true, but this doesn't automatically mean they should nationalize. There are lesser powers that will accomplish the same goal and more efficiently.
You know what bothers me the most? When people say that it's for the government to regulate things a bit and that the regulation is little and it has more advantages than disadvantages. What such people fail to see is that in the long run regulation brings more regulation and unanticipated issues arise for which you must again create more regulation, etc. Look at all the areas of life that have been regulated over time. The regulation increased. Healthcare, sexual life, food and drinks, property laws, etc. Why just not keep it deregulated in the first place? There's no risk of more deregulation then.
What bothers me is that it doesn't really help us if people can sue power grid operators for negligence after the grid is taken down for double-digit days because NERC and FERC weren't stringent enough and somebody (I'd prefer NSA, but hey, DHS, whatever) had actionable intel they were unable to apply.
I believe companies and people alike should be responsible without outside coercion. I know it is utopian to wish for such things, but if consumers would start demanding more from the companies maybe then the government would not have to step up and regulate all aspects of our lives.
> I believe companies and people alike should be responsible without outside coercion.
The trouble is, in the absence of prior action, some people or organisations cause harm that can be undone, but some cause harm that cannot be undone and for which mere financial compensation is insufficient. The question is which is more damaging, a harm that cannot be undone or the consequences of preemptive regulation to prevent that harm from occurring.
Individual possession of weapons is a crude but effective example. In some jurisdictions, individual citizens are free to carry personal firearms. In some jurisdictions, they are not. There is a political difference of opinion on whether the damage caused by irresponsible individuals abusing that freedom is outweighed by the benefits. However, I know of no jurisdiction where an individual citizen may lawfully carry around a nuclear weapon that would allow them to unilaterally destroy an entire city. The consequences of abuse are just too severe.
In all such matters, there will be grey areas, but it seems very clear from the state of the world today that commercial incentives do not automatically coincide with guaranteeing the continued provision of essential services in the face of attacks that are relatively unlikely but would cause vast disruption if carried out successfully.
That's true, but the headline is an understatement. This line of legislation will kill Silicon Valley. Who can afford $100k/day when you are just two guys in a garage? Or even writing cyber defence plans and submit them to DHS?
Thanks for the useful shorthand, W!