
0.

So, when you look at something like this, I think you have a choice to make: you can put on the tinfoil hat and concede any relevance you might have to the discussion, or you can recognize the real weaknesses of this bill and the process that is producing it and comment rationally on whether the government is capable of legislating improved security for its own systems when those systems are by necessity constructed from COTS pieces created by unregulated technology companies.

1.

The thing that everyone is going to talk about here is the definition of a "nongovernmental critical information system". The term is defined broadly in this bill: the President designates them. But I think the intent here is pretty clear: private industry operates the E911 system, the cellular phone network, all our financial exchanges, and a good chunk of the power grid.

Most of these systems are in some way connected to public networks: for instance, a generic Cisco VPN vulnerability could get you a telco, which would get you to private leased lines. Before you shrug that off, read up on "Operation Sun Devil", and the state of the art of teenage hacking in 1991.

I think it's hard to say that the NSC, given a secret update that, say, all Cisco IOS versions were vulnerable to a pre-auth generic TCP remote code execution vulnerability, should NOT have the capability to ensure that exposed power grid systems were locked down.

On the other hand, I agree that the wording is overbroad. I'm interested in what HN people think good wording would be for what would qualify as a nongovernmental critical information system.

2.

What sucks about this situation is this:

The broad intention of this bill, to improve "cybersecurity" across all of US industry and government systems, is going to fail. You can't legislate it.

But narrowly, this bill is going to define what it means to work with systems at DOD, law enforcement, and energy. And I don't care that much, except that the existing processes in these areas are arcane, arbitrary, and exclude a lot of talent and ideas. Relative to financial services, DOD does not have excellent security.

But since everyone is going to get ratholed in the meaningless broad intention of the bill, nobody's going to get into the nitty-gritty of secure software accreditation, procurements, certification of personnel, funding for technology and technology grants, and so on. Those topics are boring, but they're more important than whether you can outlaw insecurity.



The reason that broad discretionary powers over many should not be granted to a few has little to do with the intentions of those pushing for the law to be passed (which are presumably honest, if misguided).

Once the law is on the books, the intention of its authors will be forgotten, and the powers the law grants will be used broadly simply because it will be more convenient for an administration to use those powers than to achieve its ends in some other way.


I agree. The language is overbroad. But some kind of legislation is inevitable. What's the narrow capability you think the government should have? Because just repeatedly pointing out that the government sucks at technical legislation is boring. We all know that.


Networks are housed in buildings. There are likely existing laws allowing the state to take over private-sector buildings that are being used criminally. Why not utilize these laws instead of creating buggy new laws that, in their vagueness, invite future abuse?


Dunno. That might be a good point. Or perhaps they're envisioning cases where a cooperating telco could instantly eliminate a threat that could take hours to eliminate physically, or a threat in which taking over a building would disclose something that would damage operational security. We have a lot of secrets in our corner of this industry, most of them boring, almost all of them necessary.

I wouldn't want to give the impression that I'm simply sticking up for the bill. Especially not in its entirety. I agree, I don't see the compelling reason to have a new law allowing the government to disconnect critical infrastructure.

But that's just a tiny portion of what the bill does. Among other things, it also tries to harmonize the hodgepodge of security measures we already have, revamp procurement standards (a sucking chest wound in current security practice), and it funds academic research into secure programming.


" ... created by unregulated technology companies."

As best I can tell there is not a single company in the US that is not regulated in some way. Whether the regulations are good, bad, sensible, inane, is a different matter, but regulation is as American as apple pie.


It may be a bias, but when I think of what characterizes the word American, I think of something more like Unix than Multics.

(Even though America itself certainly contains plenty of both models.)


I think the meaning of unregulated here is related to the context. The vendors of the off-the-shelf hardware are not regulated with regard to the security of certain critical systems which rely on them.

They may be under numerous safety, employment and financial regulations that apply to the company.



