
stories filed under: "critical infrastructure"
Politics

by Timothy Lee

Filed Under: certification, congress, critical infrastructure, cybersecurity, fourth amendment
Congress Ponders Cybersecurity Power Grab

from the no-cybersecurity-licenses-please dept

There was a lot of attention paid last week to a new "cybersecurity" bill that would drastically expand the government's power over the Internet. The two provisions that have probably attracted the most attention are the parts that would allow the president to "declare a cybersecurity emergency" and then seize control of "any compromised Federal government or United States critical infrastructure information system or network." Perhaps even more troubling, the EFF notes a section that states that the government "shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access." Read literally, this language would seem to give the government the power to override the privacy protections in such laws as the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act. Thankfully, Congress can't override the Fourth Amendment by statute, but this language poses a real threat to Fourth Amendment rights.

One clause that I haven't seen get the attention it deserves is the provision that would require a federal license, based on criteria determined by the Secretary of Commerce, to provide cybersecurity services to any federal agency or any "information system or network" the president chooses to designate as "critical infrastructure." It's hard to overstate how bad an idea this is. Cybersecurity is a complex and fast-moving field. There's no reason to think the Department of Commerce has any special expertise in certifying security professionals. Indeed, security experts tend to be a contrarian bunch, and it seems likely that some of the best cybersecurity professionals will refuse to participate. Therefore, it's a monumentally bad idea to ban the government from soliciting security advice from people who haven't jumped through the requisite government hoops. Even worse, the proposal leaves the definition of "critical infrastructure" to the president's discretion, potentially allowing him to designate virtually any privately-owned network or server as "critical infrastructure," thereby limiting the freedom of private firms to choose cybersecurity providers.

When thinking about cybersecurity, it's important to keep in mind that an open network like the Internet is never going to be perfectly secure. Providers of genuinely critical infrastructure like power grids and financial networks should avoid connecting those systems to the Internet at all. Moreover, the most significant security threats on the Internet, including botnets and viruses, are already illegal under federal law. If Congress is going to pass cybersecurity legislation this session (and it probably shouldn't), it should focus on providing federal law enforcement officials with the resources to enforce the cybersecurity laws we already have (and getting the government's own house in order), not give the government sweeping and totally unnecessary new powers that are likely to be abused.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

Overhype

by Timothy Lee

Filed Under: critical infrastructure, internet, priorities
The Internet Isn't 'Critical Infrastructure'

from the cyber-hysteria dept

A new report (PDF, via Slashdot), by a security analyst named Gadi Evron, analyzes the recent Estonian "cyber-attacks" and makes recommendations about how to deal with such attacks in the future. While it makes some good suggestions, it also rather dramatically overstates the nature of the threat. For example: "The Estonian authorities need to revise some of their former preconceptions and define the Internet as critical infrastructure, equally strategic to national security as its electricity grid and water supply." This is rather silly. If the water supply is cut off, people can die of thirst or sanitation problems. If the electricity grid fails, it can lead to the death of old people dependent on their air conditioners or medical devices. If the Internet fails, it's a big headache for a lot of people, but it's unlikely to be a life-threatening emergency.

The report points out that some mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that's true, the lesson of the Estonian attacks isn't that the Internet is "critical infrastructure" on par with electricity and water, but that it's stupid to build "critical infrastructure" on top of the public Internet. There's a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea. The Internet's architecture is optimized to be cheap and ubiquitous; such a network is never going to be perfectly secure or reliable. There are too many botnets, incompetent administrators, and other problems on the Internet. And so transactions that absolutely have to be done correctly and on time need to be done on a dedicated network, or at least the people doing them need to have a backup plan in case the Internet has problems.

But the report takes the opposite approach, essentially concluding that because people do important things on the Internet, the Internet needs to be treated as an essential national security asset. This reaches absurd lengths when Evron writes that because attacks often originate from botnets consisting of compromised personal computers, "personal computers need to be reprioritized and considered as critical infrastructure." He doesn't discuss what that means in any detail -- maybe they can post soldiers with automatic weapons outside people's home offices. Evron concedes that "the attacks in Estonia did not hurt critical infrastructure, energy, and transportation," but nevertheless insists that "an Internet-staged attack on energy could easily disrupt entire supply and distribution chains, prompting severe shortages." He never elaborates on how that would work, but if he's right, the solution is to do a better job of separating critical infrastructure from the public Internet.

Wide-scale cyber-vandalism is a real problem, and it's good to be talking about ways to respond to it more effectively. But we need to keep a sense of perspective. Launching a distributed denial-of-service attack -- even a really big one -- is nothing like conventional warfare or a terrorist attack. Terrorism and warfare lead to massive loss of life and destruction of property. Internet vandalism rarely involves more than a few hours' inconvenience and lost productivity. That's certainly something we should try to prevent, but we shouldn't blow it out of proportion.