Note to poorly-informed HN readers: the conflict playing out here isn't --- IS NOT --- between the GOP which wants intrusive monitoring of Facebook and the Obama camp which wants government to keep its grubby paws off private data.
Instead, what's happening is that policy people in the Administration believe we need extensive further legislation and rulemaking to ensure that computer systems which are in any way "vital to the national interest" are kept "secure", where a final definition of "security" is sure to rest on "XXX hours of $400/person/hour time from a Raytheon or Lockheed subcontractor".
Restated†:
The GOP:
* Wants Government to keep its hands off private networks
* Does not currently see "cybersecurity" as a subject worth increasing Executive power over (possibly a side effect of who controls the Executive)
* Is, true to form, pursuing a policy of finding minimalistic ways of allowing private industry to self-regulate the problem away
* Is marginally more likely than the Democratic Administration to want to concede privacy concerns to private industry and away from end-users in the service of this goal
The Democratic Administration:
* Generally believes itself to be at (undeclared, cold) war with China over information systems
* Believes Government intervention is going to be required to protect utilities, communications, military, and trading exchange networks
* Is marginally more likely than the GOP to want to enact rules regarding information privacy that protect end-users from private industry --- but not from the Government.
The animating concern regarding CISPA to HN readers is privacy. You should be aware that privacy is a third- or fourth-tier concern of both factions in this policy debate. The real concern is: does private industry tackle the "China hacker problem" itself, or does the Government step in?
Excepting that the only mechanism the government has to add security to any network (private, public, or military) is to purchase blocks of Raytheon hours, I don't even disagree with Obama: the security of many networks that are prima facie vital to the public interest is not only a shambles, but continues to degrade in quality as rounds of purchasing and infrastructure upgrades continue to execute without any serious attention given to software security quality. Look at the "Smart Grid" for the most obvious example, but there are more, such as SCADA networks that are "modernizing" into web-based systems with circa-2005 levels of application security. The Administration is not wrong that CISPA doesn't go far enough --- and again: that is the central conflict here, that CISPA does.not.go.far.enough --- but they have no effective mechanisms to bring to bear to improve the situation either. Their vantage point implies a bonanza for giant government contractors like Lockheed and SAIC.
Be careful what you wish for, especially if all your opinions about CISPA came from EFF. For the first time, my perception is that the EFF is running with this CISPA issue not out of genuine concern over policy, but because it's a vehicle for fundraising off Internet rage. And look at the result: stories where the Democratic Administration looks like a white knight. Wow, is that ever the opposite of what's actually happening.
† (and please note I'm a dollars-donating supporter of the Democratic party; I support public schools and believe in single-payer health care --- but party identification is unavoidable here and vital to understanding what is happening)
I'm intrigued by your analysis of the dated "modernizations" the government has implemented, i.e. the SCADA networks. Iirc, this president was the first to have a "CTO" (I forget the exact title); any comment on the effect of this position existing?
Among people who actually operate companies or top the commit charts on major projects, "CTO" is already a stigmatized title. Tom Preston-Werner is clearly not a do-nothing status-obsessed hanger-on at Github, but truly excellent people who hold the CTO title may actually be the exception. At any rate: the joke is that CTO is the title you get when your team stops letting you commit to the main branch anymore.†
The stigma to holding the title "CTO" in any Government is way, way worse.
At any rate, whichever private sector notable is promoted to whatever vanity "technology" role in the government is of little impact to the security of SCADA networks, which are virtually all operated by private companies. The Secretary of Energy had more impact on utility security than any other person in government, and that impact was (from what I can tell) largely negative.††
† Again: I'm sure Tom can commit to whatever branch he wants.
†† I'm not myopic or tunnel-focused on my own field; the social value of getting responsive billing and utilization deployed may end up dwarfing the cost of widespread utility vulnerabilities or breaches. Steven Chu is probably an excellent Secretary of Energy.
The United States government has spent and will continue to spend untold millions understanding these threats and studying the situation and techniques. In addition they are targeted by both more numerous and more advanced attacks than any group in the private sector by far.
Without a doubt no organization in the world knows as much about cybersecurity as the United States government, and up until now all of that knowledge has been held from the private sector behind many layers of classification. Don't you feel that it could be beneficial for the public to have a path for the two groups to work together?
The "US Government" isn't a coherent whole when it comes to information security, so I find your comment hard to respond to. However:
"Without a doubt no organization in the world knows as much about cybersecurity as the United States government"... I've been a practitioner in this field since the early '90s; I know not one other practitioner who shares that opinion.
Yeah, the parent makes the point not to conflate the NSA with 'the US Government'. There's the adage that a team is only as good as its least able member - guess that would apply to the US Government's knowledge of IT security.
CISPA provides those paths, but, crucially important, it allows each private company the freedom to decide whether to walk down the path, and how far. tptacek's analysis is clear-eyed and accurate; the goal of the Obama administration is to make participation mandatory for certain companies.
I'm a principal at exactly the kind of company you'd expect to end up benefiting from such a requirement.
And, I agree that this is a policy vector that is in the discussion mix. In fact, I think it's much of what the Administration has in mind.
But I strongly oppose this policy, because companies like mine almost certainly wouldn't end up doing the audit work.
Mandated scheduled audit is a race to the bottom. Look no further than PCI-DSS to see the end result of audit done for audit's sake: the winners are the ones who can deliver the most audits with the best cost structure, and once they gain a foothold, the winners can roll their previous success like a snowball to capture more market share regardless of the quality of the end result. The major credit card breaches of the last few years were all audited by reputable PCI-DSS audit firms.
In the Government, the problem is even worse. Government contracting is procedurally tricky. Most companies that do significant government contracting have entire GSA and DoD business units to handle the sales cycle. When it comes to "security" x "services", the overwhelming majority of the dollars go to a few giant companies (Raytheon, Lockheed, SAIC). These companies aren't winning business because they deliver results; whether any of them ever do or don't, you can look at the security of government networks today to see that mandated audit- for- audits- sake isn't working.
What's needed is liability, or at least toothsome penalties.
People respond to incentives. The problem we have today is cleanly illustrated by looking at the incentive structure, which overwhelmingly favors getting ambitious systems fielded as fast as possible, offset poorly (if at all) by post-deployment risk of any sort. From a careerist perspective: it is much better to get something deployed --- especially if it will appear to work long enough to soak up credit --- than it is to delay deployment for ambiguous "security" objectives. It's so much better that it's still better to get something deployed even if 2 years from now it's going to cough up 20 million credit card numbers.
To try and shine at least something of a positive light, there is a wide difference in overall fuckededness among different government agencies.
Yesterday I was sent the testing methodology requirements document for a specific agency that was littered with footnotes pointing mostly to TAOSSA. That was good to see, at least.
I agree auditing isn't a silver bullet, and I honestly don't think the federal government should be doing anything here. If they care about the security of "critical infrastructure", whatever that is, they can provide funding for compliance and then demand accreditation before the system is deployed.
But CISPA, is just a way to funnel data about every person in the world into a giant government database in secret. It dwarfs the NSA wiretapping scandal and it allows companies to violate their own privacy policies and shelter them from justified lawsuits.
That is absolutely not what CISPA is about. If the government wanted to funnel private data to giant government databases, their best move would be to do nothing, because that action is already mostly lawful under ECPA. ECPA provides unchecked latitude for service providers to disclose private data so long as it's done in the course of protecting or maintaining the service. CISPA adds restrictions to this process.
(I don't support CISPA, but not for this bullshit tinfoil hat reason).
The amount of misinformation circulating around CISPA is very dispiriting. People are being deluded into thinking there's some giant conspiracy, and the only reason that's happening is so that unscrupulous interest groups can fundraise or drive ad revenue from rageviews.
Why was that downvoted? The guy has a track record. He was dead-set against telecom immunity, before he voted to support it (back when he was a senator). He was for repealing the Bush tax cuts until he wasn't. He caved on budget negotiations when he agreed that the deficit was the biggest budget problem. He was all for closing Gitmo until he wasn't. He was against signing statements until he got into office. His record on civil liberties (domestic spying, FOIA, strip searches -- he argued for the majority opinion, domestic use of drones) has been in stark contrast to the sort of things he was saying when he was a candidate.
I think he has proven that statements beginning with the words "I will" must be taken with a large grain of salt. In fact, with CISPA you can already see it happening -- the weasel words to note are "in its current form".
How can you believe his progressive-leaning statements any longer without being completely naive?
I downvoted it because the comment was content-free. "Backs down" from what? What's the likelihood that a random HN commenter intends to communicate support for the 2012 White House "Cybersecurity" agenda with a comment like that? Epsilon.
As for your "in their current form" innuendo: that would be clever, except that the Administration has for several years communicated loud and clear what their agenda is on this subject. That it is surely something you will not approve of (likelihood that random sampling of HN readers will go apeshit over what the Obama Administration wants to do vis a vis cyberspace: 99.999%) doesn't make it "weaselly". They've been anything but weaselly on this topic.
Probably initially DVed b/c it doesn't add anything to the discussion, and partisan, unbacked assertions generally aren't welcomed. Poisoning the well fallacy might apply here.
There are plenty of technically smart people who are politically completely naive, geophile! Most of them are also blissfully unaware of Oblabla's statements that he would veto the NDAA, until the last moment, of course, when in the dead of night on New Year's Eve, he had a "sudden change of heart", and signed it. Oops!