Thursday, 4 June 2009

Full Internet Control


By John 'J' Trinckes
May 31, 2009

A recent report entitled Cyberspace Policy Review: Assuring a Trusted and
Resilient Information and Communications Infrastructure came out of the
White House.

This report was written by a team of government cybersecurity experts that
“inventoried relevant presidential policy directives, executive orders,
national strategies, and studies from government advisory boards and
private-sector entities.” The comprehensive review occurred over 60 days and
intended to “assess U.S. policies and structures for cybersecurity.” The team
came up with ten (10) recommendations (or near-term action plans) that are
ultimately supposed to mitigate cybersecurity-related risks. (Note: The
report was not conducted by an independent group, nor does it even provide
the names or affiliations of the individuals on the team of experts.)

Reading through the seventy-six (76) page report, I couldn't help critiquing
the quality of work that went into the report. First, the run-on sentences
were plentiful and confusing. I found myself reading sentences two and three
times just to make out what the author(s) were trying to explain. I consider
myself to be an intelligent individual and a published author as well. I
guess the old saying that 'it is good enough for government work' still
applies.

Second, the report states that “the engagement process included more than 40
meetings and yielded more than 100 papers that provided specific
recommendations and goals.” If this were the case, then why are most of the
ten recommendations provided general in nature and rather vague in

It is hard for me to believe that a comprehensive report could be completed
in 60 days given how much information would have to be reviewed from 40
meetings and over 100 papers on the topic of cybersecurity policy. This is
especially true when the report defines cybersecurity policy to include:

“strategy, policy, and standards regarding the security of and operations in
cyberspace, and encompasses the full range of threat reduction,
vulnerability reduction, deterrence, international engagement, incident
response, resiliency, and recovery policies and activities, including
computer network operations, information assurance, law enforcement,
diplomacy, military, and intelligence missions as they relate to the
security and stability of the global information and communications

Wow! That was a mouthful. Don’t worry, the scope of the report did not
include “other information and communications policy unrelated to national
security or securing the infrastructure.” I’m not really sure what this
means since the report defines cyberspace as pretty much all-encompassing:

“as the interdependent network of information technology infrastructures,
and includes the Internet, telecommunications networks, computer systems,
and embedded processors and controllers in critical industries.”

The definition further goes on to say that “common usage of the term also
refers to the virtual environment of information and interactions between
people.” (Interesting, government control of the interaction between

Why was this review necessary?

“America’s failure to protect cyberspace is one of the most urgent national
security problems facing the new administration.” (Source: Report by the
Commission of Cybersecurity for the 44th Presidency, December 2008). The
report also states that:

“our digital infrastructure has already suffered intrusions that have
allowed criminals to steal hundreds of millions of dollars and nation-states
and other entities to steal intellectual property and sensitive military

Really, we had sensitive military information stolen? When? Where? Who? Why
was this not reported to us earlier? (I usually try to keep up on these
types of things, but never heard about this one. While other sources were
referenced in the report, this sentence had none.)

It is a known fact that “information and communications networks are largely
owned and operated by the private sector, both nationally and
internationally.” In addition, the private sector “designs, builds, owns,
and operates most of the digital infrastructures that support government and
private users alike.” The report indicates that there are many ways that the
Federal government can work with the private sector. One way is by examining
“existing public-private partnerships to optimize their capacity to identify
priorities and enable efficient execution of concrete actions.” That’s nice,
but it is nothing new. I mean, let's keep doing the same things that we have
been doing and hopefully, we will get a different result. [How many times
has that been tried !...C]

What are some of the other ways that the Federal government can work with
the private sector? How about setting up an "incentive mechanism," per the
report, to make more secure products and services available to the public?

“Include adjustments to liability considerations (reduced liability in
exchange for improved security or increased liability for the consequences
of poor security), indemnification, tax incentives, and new regulatory
requirements and compliance mechanisms.”

OK, we need more regulations to make cyberspace safe, right? Of course,
“protecting cyberspace requires strong vision and leadership and will require
changes in policies, technologies, education, and perhaps laws.” (You can be
assured that there will be more 'laws' coming down the pipe, as I already
hinted at in my last column Proposed Bill: Cybersecurity Act of 2009 (SB773)
– How the President of the United States Can Control the

Again, no report from the government would be complete without including the
part about how much it is going to cost us (The American People). “The
Federal government should initiate a national public awareness and education
campaign informed by previous successful campaigns.” (If these campaigns
were successful in the past, then why are we at the point of urgency now in
terms of our cybersecurity risks?) “The government needs to increase
investment in research that will help address cybersecurity vulnerabilities
while also meeting our economic needs and national security requirements.”
“Appoint a cybersecurity policy official…” and “designate a privacy and
civil liberties official…” (Just curious what the salaries and benefits
would be for these two positions, heck, if it’s good, I may apply…. NOT!)

Let me digress for just a moment and explain how we’ve gotten to this point.
According to the report, “the impact of technology on national and economic
security needs has led the Federal government to adapt by creating new laws
and organizations.” (Not a shock here.) The report indicates that even back
to 1918, Congress authorized the President, through a Joint Resolution, to
assume control of any telegraph system in the US and operate it as needed
during World War I. [Boy, can't let these guys do anything once - before
they make it a permanent policy !...C]

In 1934, The Communications Act formed the Federal Communications Commission
(FCC) to establish a broad regulatory framework for all communications, by
wire and radio. In 1957, the Soviet Union launched Sputnik, the first
man-made satellite. It was the peak of the cold war and the US and the
Soviet Union considered each other 'enemies'. Americans were scared of this
news and thought that since the Soviet Union was able to launch a satellite
into space, they could launch a missile at us. In response to this and to
give the US a technological edge over other countries, President Dwight D.
Eisenhower (not Al Gore) created the Advanced Research Projects Agency
(ARPA) in 1958. ARPA enlisted help from Bolt, Beranek and Newman (BBN) to
create the first computer network connecting four computers running
different operating systems. They called the network ARPANET. A lot of the
protocols used on the Internet today were developed through ARPANET.
The Brooks Act of 1965 gave the National Bureau of Standards (NBS), now the
Department of Commerce’s National Institute of Standards and Technology
(NIST), responsibility for developing standards and guidelines for federal
computer systems. In 1984, 'Executive Order' 12472 re-chartered the National
Communication System (NCS) to include telecommunication assets owned or
leased by the Federal government. (In 2003, the Department of Homeland
Security inherited the NCS.) In 1994, the Foreign Relations Authorization
Act authorized the Department of State control over international
communication and information policy. Now, we have the Cybersecurity Act of
2009 sitting in committee to give the President (or his designee) full
control of the Internet under the disguise of security. (Or maybe it is War,
since we are still fighting two wars abroad and a war 'against terrorism',
in all forms and on all fronts, at home.)

Back to the topic at hand, the report recommends “leading from the top” and
appointing a cybersecurity policy official; however, “the cybersecurity
policy official should not have operational responsibility or authority, nor
the authority to make policy unilaterally.” What? Let’s assign someone
responsibility for cybersecurity, but not give them any authority to
implement any changes. Maybe we need to run our government like successful
private companies do. Most large companies have a Chief Executive Officer
(CEO) (i.e. the President) that has full authority to run the company
governed by the Board of Directors (i.e. Congress) that reports to the
business Owners (i.e. the People). They put Chief Information Officers (CIO)
or Chief Technology Officers (CTO) in charge of technologies to align with
business goals. They also have Chief Security Officers (CSO) or Chief
Information Security Officers (CISO) that report to Security Committees
(made up of high level executives) or the Board of Directors directly to
create an independence element. Security is normally in direct conflict with
operations, but they both need to work together to create effective systems
for continued business prosperity.

I found this to be pretty interesting as the report goes on to say:

“A paucity of judicial opinions in several areas poses both opportunities
and risks that policy makers should appreciate—courts can intervene to shape
the application of law, particularly in areas involving Constitutional
rights. Policy decisions will necessarily be shaped and bounded by the legal
framework in which they are made, and policy consideration may help identify
gaps and challenges in current laws and inform necessary developments in the
law. That process may prompt proposals for a new legislative framework to
rationalize the patchwork of overlapping laws that apply to information,
telecommunications, networks, and technologies, or the application of new
interpretations of existing laws in ways to meet technological evolution and
policy goals, consistent with U.S. Constitutional principles. However,
pursuing either course risks outcomes that may make certain activities
conducted by the Federal government to protect information and
communications infrastructure more difficult.”

Well, we can’t have laws enacted to make the Federal government’s job more
difficult, can we? I guess that is one of the reasons why President Obama
nominated Judge Sonia Sotomayor. Judge Sotomayor is the first nominee with a
cyberlaw record. Coincidence? I think not.

The report does a fairly good job in pointing out some hesitations that
private sector industries have in partnering with the federal government.
“Industry has also expressed reservations about disclosing to the Federal
government sensitive or proprietary business information, such as
vulnerabilities and data or network breaches.” “Industry may still have
concerns about reputational harm, liability, or regulatory consequences of
sharing information.” You think?

As a former police officer, one of the ploys we used was to have the suspect
tell on themselves. We would give the suspect some false sense of hope that
we were on their side, they should trust us, and things would go easier if
they would just tell us ‘the truth’. (More times than not, the information
the suspect provided to us created the case against them in the first place.
Until the suspect started talking, we didn’t really have anything on them.)
Do you think it would be any different if a company admitted to not
following certain laws? Or, if they did, would the government grant some
additional protection as the report puts it: “The civil liberties and
privacy community has expressed concern that extending protections would
only serve as a legal shield against liability.” So if a company is not
keeping to its obligations to protect its clients' information, but as long
as it tells the government about it and followed the standards in 'good
faith' (although these standards may have been lacking or not followed
during a specific time frame that led to the security breach), it will be
protected from lawsuits? [Don't hold your breath on it !..C]

Here is another statement in the report that concerned me:

“Responsibility for a Federal cyber incident response is dispersed across
many Federal departments and agencies because of the existing legal, but
artificial, distinctions between national security and other Federal

If my interpretation is correct, the report writers are pretty much saying
that there is NO distinction between national security and 'other Federal
networks', thus any Federal department or agency would be considered under
the umbrella of a national security incident even if the department or
agency doesn’t deal in national security related activity. Interesting, no?

I really like this one, “the government needs a reliable, consistent
mechanism for bringing all appropriate information together to form a common
operating picture.” Computer systems and networks have been around for about
50 years now and although technology has advanced, the government still
hasn't gotten a good operating picture of their systems? This brings to my
mind Cybernet in The Terminator movies. (I’m not saying we will have metal
robots come to life to kill all humans, but if you recall the basis of the
Cybernet program, it was to effectively monitor/control all government
systems under one system. Unfortunately, Cybernet took over all these
systems. It also contained some ‘artificial’ intelligence components. Wait,
haven’t I heard this word 'artificial' before somewhere else?)

The report indicates that “we cannot improve cybersecurity without improving
authentication, and identity management is not just about authenticating
people.” It isn't?

“The Nation should implement, for high-value activities (e.g., the Smart
Grid), an opt-in array of interoperable identity management systems to build
trust for online transactions and to 'enhance privacy'.” [They are joking
right ? ..C]

I bolded the ‘opt-in’ since I always take this as meaning optional. We all
know how easy optional becomes mandatory through varied mechanisms of
control. We are all too familiar with the Federal government 'enhancing
privacy' matters. What privacy means to me is not what privacy means to the

“The Federal government also should consider extending the availability of
Federal identity management systems to operators of critical infrastructure
and to private-sector emergency response and repair service providers for
use during national emergencies.”

Again with the 'national emergencies', since we all know how well the Federal
government has handled these in the past. [Choke] As far as I’m aware, the
current administration still hasn’t got anyone in control of the Federal
Emergency Management Agency (FEMA).

There are fourteen (14) additional mid-term action plans, but again, they
are all pretty general and vague with no direct guidance on how or what
impact these recommendations would ultimately have in the real world or on

As a point of reference, I highlighted the words ‘global’ and
‘international’ above. I counted at least 35 times that ‘global’ was used
throughout this report and at least 76 times that ‘international’ was used.
Coincidence? I think not. (Can anyone say New World Order?)

In conclusion, I’m a huge proponent of Information Security and making the
Internet (i.e. cyberspace or whatever you want to call it this week) more
secure. It is very important to me. I live it, I breathe it, and I know some
of the risks and threats are real; however, I don’t believe this report
provides a clear, concise solution to the problems. It appears more to me to
be some sort of mission statement or one group’s agenda on how to take
control of the Internet (i.e. cyberspace) under the disguise of assuring a
trusted and resilient information and communication infrastructure. (I don't
know about you, but my Internet (i.e. cyberspace) connection has been on and
running pretty well over the last few years. I mean, there are those moments
that it doesn't work just the way it should, but these occasions are rare
and far between.) Isn't this the reason why we need more regulation and
control from the government, to ensure 100% uptime, right?

I do have to agree with at least one statement from the report: “The Federal
government is not organized to address this growing problem [cybersecurity]
effectively now or in the future.”