Forum Post: Executive Order On Cybersecurity Planned By White House
Posted 11 years ago on Sept. 24, 2012, 11:43 p.m. EST by richardkentgates
(3269)
This content is user submitted and not an official statement
SAN FRANCISCO (Reuters) - The White House is preparing to direct federal agencies to develop voluntary cybersecurity guidelines for owners of power, water and other critical infrastructure facilities, according to people who said they had seen recent drafts of an executive order.
The prospective order would give the agencies 90 days to propose new regulations and create a new cybersecurity council at the Department of Homeland Security with representatives from the Defense Department, Justice Department, Director of National Intelligence and the Department of Commerce, a former government cyber-security official told Reuters.
"It tells those who have the ability to regulate to go forth and do so," said the person, who is currently outside the government and spoke on condition of anonymity in order to preserve access to government officials.
The draft executive order includes elements of what had been the leading cybersecurity overhaul bill in the Senate, which was defeated this summer amid opposition from industries opposed to increased regulation.
Senate Homeland Security Committee Chairman Joe Lieberman, an independent and one of the principal authors of that bill, on Monday urged the White House to issue such an order.
"The Department of Homeland Security has clear authority, if directed by you, to conduct risk assessments of critical infrastructure, identify those systems or assets that are most vulnerable to cyber attack and issue voluntary standards for those critical systems or assets to maintain adequate cybersecurity," Lieberman wrote to President Barack Obama.
The document has been circulating among the agencies and might go to top officials for their comments as soon as this week, another person involved in the process said.
A spokeswoman for the administration's National Security Council, Caitlin Hayden, confirmed that an order was being considered but would not provide details. "We're not commenting on the elements," Hayden said.
PUBLIC-PRIVATE COOPERATION
Former White House cybersecurity policy coordinator Howard Schmidt said the proposed order would also ask DHS to confer with independent agencies, such as electric regulators and others that don't answer to the president, to see who would take responsibility on cybersecurity.
The hope, said Schmidt, who has seen a recent draft, is that if those agencies won't let DHS act they would do it themselves, as the Securities and Exchange Commission did in October when it issued guidance on when companies should disclose cyber attacks.
The Commerce Department and the Pentagon declined to comment. Spokespeople for Lieberman and for Senator John Rockefeller, another Democratic leader on the issue who has asked for an executive order, said their offices had not been given copies of the draft.
Cybersecurity has become a major issue in Congress and for the White House, with intelligence officials warning of constant exploration of protected computer systems by hackers and both past incursions and the likelihood of more damaging future attacks on electric plants, banks and stock exchanges.
As of two weeks ago, the planned order did not include any penalties for companies that fail to adhere to the standards. or rewards for those who do. "There are no carrots or sticks," one person with a recent copy said.
If the order emerges before the election in November, it could become an issue in the campaign. Leading Republicans faulted the Lieberman bill as too onerous. The U.S. Chamber of Commerce, which also criticized that bill, declined to comment on Monday on the merits of a prospective order.
But Lieberman said his bill had been watered down in pursuit of a compromise and asked in his letter Monday that Obama explore means for making the standards mandatory.
Both Lieberman and administration officials have said they will still seek legislation, which could go further in many ways. It might, for example, provide liability protection for companies that share information with government officials or that meet the standards but still get hacked.
My Comments
I'm not interested in the police state argument here although it does apply as it's DHS that is being charged with managing the regulation so this EO goes far beyond a typical add-on of a simple bureaucratic office. This EO does however, in addition to the police state argument, adds regulations that stifle small up-starts and the self employed.
The article states that initially there will be no fines or fees for non-compliance but we've seen this slippery slope before and when the fees do materialize, the hype will be gone and businesses will silently pay the cost. Those that cannot will give way to large corporations that can, furthering the corporate takeover of the internet in this case. Could Mark Zuckerberg have created facebook with thousands of dollars worth of fees and lawyer costs to even understand his legal liability for his social network? The answer is no, there would be no facebook and probably no myspace or twitter.
It's pretty well understood on this forum that I'm what the 1% call the little people, aka poor. This is my golden ticket http://mcms.richardkentgates.com Just finished it a few days ago. I started work on it shortly after I found this forum almost a year ago. This EO and any of the proposed legislation to do with cyber security that has thus far been offered, is a threat to the success of my social mobility because of red-tape roadblocks and potential fees and/or additional operating costs. I cook for a living, I just ain't got the extra money.
It is also in this example where you can see both Republicans and Democrats as creating potential problems and solutions for me on this issue.
power plants ran fine before computers
an astute observation.
A modern power plant can't operate without computers any more than a modern bank can. And a modern power grid can't operate without computers any more than the Internet can.
The issue here is that contrary to popular American belief, the US does not possess an overall strategic advantage in a cyber war. That's because in a cyber war, it's very easy to attack. But defense is nearly impossible. The US is one of the four most-dominant nations in the world in terms of offensive cyber attack capability. But because the US is more dependent on computers and computer networks than any of our potential adversaries, we are the most vulnerable. Strategically, we stand to lose the most from cyber war. Cyber war creates a new opportunity for a whole new kind of asymmetrical warfare against an empire, which is not a good thing for the United States.
In addition to that problem, cyber attacks are fundamentally different from traditional kinetic military attacks because it can be virtually impossible to conclusively identify the attacker. The largest cyber attack in the history of the planet was aimed at the US for years and we still only assume that we know who did it. We can't be sure. When Russia paralyzed the entire country of Estonia with a cyber attack that shut down banks and mobile phones and media web sites and connections to the outside world for days, we only found out for certain that Russia did it when they admitted that they did it. To this day, nobody knows for certain which country (countries?) attacked Iran with the Stuxnet worm.
The reason why this is relevant is that if the US were to be hit with a cyber attack and we were to respond with a traditional kinetic military attack, then we might retaliate against the wrong opponent. China could hit us with a false-flag cyber attack that's designed to look like it came from Russia, we could respond with missile attacks against Russian infrastructure, and the result could be a very kinetic WWIII between three nuclear-armed nations. Unfortunately, a key policy decision by the Obama Administration was that the US might respond to a cyber attack with a kinetic military attack, over the objections of cyber warfare experts like Richard Clarke.
We can't capture the genie and stuff it back into the bottle. It's way too late for that. So because we're the most vulnerable target on Earth and because every attacker has everything to gain and little to lose from attacking us, enhancing cyber security for critical national infrastructure is a crucial national security issue.
that's not true
That is a truly fascinating rebuttal. Would you care to elaborate on that?
Here's my response:
no. elaboration is often used to obfuscate
This is a bit of a distraction from the topic of cyber security regulations because power grids are just one example of critical national infrastructure. During Russia's cyber attack on Estonia in 2007, they successfully crippled banks, web media, newspapers, broadcast media, government ministries, and phone networks.
Arguing for a return to some kind of agrarian or Luddite society that doesn't depend on computers for all of those things is futile. You can't stuff the genie back into the bottle. The United States is the most computer-dependent and network-dependent nation in the world, and is therefore the most vulnerable. Which is very alarming, considering how easy it is to attack but how difficult it is to defend.
I thought we talking about power plants
...in the context of cyber security for critical national infrastructure. But the argument that you can't stuff the genie back in the bottle applies specifically to power plants as well. We are dependent on computers and networks and that's irreversible.
the knowledge to build networks can be propagated in independent laboratories
Yes, that's where networking technology tends to come from. Your point?
i was making a correction when a post
falsely declared the power grid was in danger of a cyber attack
don''t care for liars
[Removed]
"Electric plants, banks and stock exchanges". Whatever. How much is my electric bill going to go up? That's all I want to know.
as much as they can get away with without causing too much outrage
I'm a little confused about why it is that you think that cyber security regulations would affect your content management system?
Because developers are the people that make the web operate
I'm one of those people. And that was not an answer to my question.
My question was: why does Richard think that his blogging software would be considered critical national infrastructure? And what kind of regulation does he fear that would cost him so much money that he couldn't run a small business like that on the Internet?
[Removed]
Yes, I can read, thank you. But I still don't understand why Richard would think that his content management system would ever be classified as critical national infrastructure.
I happen to have an professional interest in this. One hour and 33 minutes of my life tonight was consumed by responding to a DDoS attack. The fifth so far this month against that server cluster. But I'm not concerned about cyber security regulations creating significant additional costs for my company and I really don't think that Richard needs to worry about it either.
All the EO does is give regulating authority to DHS. There is nothing to limit what those regulations are or who they pertain to. The "critical national infrastructure" is only a selling point, on of those "included but not limited to". The concept is pretty simple and since you're a self proclaimed Republican you should be used to hearing it, "unwarranted expansion of government". Aside from spending, the term also applies to regulation, the EPA targeting is a recent example. You can plug your ears if you like but you and I both know the examples of expanding regulation killing off small biz is a long long list.
Can you provide an example of the kind of regulation that you're worried would affect you?
Did it cost you a lot of money to comply with COPPA, for example?
That was targeted regulation with specific language in the legislation. This EO gives no such details and instead places the authority of such decisions in the hand of DHS. The justice department may enforce COPPA but they are not the evolving authors of it. Can you really not separate details or are you just hoping to raise the burden of proof and justification for my concerns until I can no longer decipher or articulate them? ...because the latter isn't going to come to fruition on this topic.
So your answer is no. You can't give me an example of the kind of regulation that you're imagining that would affect you.
You obviously don't actually own or run any business. Thx for bumping the thread anyway.
Because I don't think that blogging software would ever be considered critical national infrastructure?
I want to know what kind of regulation you're afraid of?
You don't think that there should be regulations that, for example, require that the control room in a nuclear power plant not be connected to the Internet?
I've already explained this part you you and now you're running in circles. Place my first name in your company website and give me the link, otherwise we're done. I'm not going to waste my time on a fraud who just wants to stir the pot and not actually discus the topics of the threads.
Read my comments in this thread. I've been discussing cyber security regulations here all day.
What I'm asking you is: what kind of regulation do you imagine would apply to your content management software?
I also asked you a very serious and very pertinent question that is the topic of this thread: do you not think that there should be security regulations on things like the control rooms at nuclear power plants?
I sent you a link to my LinkedIn profile via private message and I'm asking you politely to not share that publicly on this forum. I've always treated you with respect and you have always treated me with respect and I hope that you can honor that.
The EO hands all decisions about who and how to regulate over to DHS. DHS in it's short time has a long abuse record already. Because they would be given such authority over the language of the regulation, it is almost a grantee that regulations will reach far beyond infrastructure. Power grids are not explicit in the proposed EO, it's a selling point, nothing more and nothing less. Regulations that I see coming down the road from this EO or other legislation on the matter are things like mandatory certifications that make profit for private testing and permits by the state or federal gov to work as a developer that will also cost more money. I have addressed these concerns in my initial comments in the OP (maybe you missed it). Again, placing it in the hands of DHS with no specific guidelines leaves it open-ended. DHS and the justice dept are there to enforce the law and should never be given the authority to create law, complete conflict of interest and bypasses the checks and balances of our democracy.
If infrastructure is really the issue, they should be running and intranet instead. Secondly, the US gov use SQL in all branches, which is the biggest pile of hole riddled shit on the web. 97% of hacks use basic SQL injections yet the federal government continues to take this flawed path and cry wolf when the obvious risk become a reality.
http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/
So you're afraid that the Department of Homeland Security is going to make it illegal for you to deploy a web application without getting state certification? Like Bar Association membership for attorneys? ANY web application?
That seems exceedingly unlikely and I don't think that any of this is a threat to your upward mobility. Unless you plan to pursue government contracts. But those are already full of red tape and mandatory certifications.
Unlikely? Once DHS has open-ended ability to regulate, things like this will be the justification to begin expanding beyond the selling point of infrastructure, and it only needs to pass as an excuse to the public because they won't need our democracy to approve their actions.
I'm sure 15 years ago it seemed unlikely that our government could kill american citizens by assassination without any approval beyond the president's word, but what is likely and unlikely seems to change with the times.
There is no real need to regulate the internet for infrastructure security considering the ease with which the gov could deploy a secure intranet via encryption and government satellites already in orbit. But like I said, it's not the real focus, it's just a selling point to scare the public into acceptance.
There is no need to regulate infrastructure security because the government can just create their own secure network? What about truly critical infrastructure that isn't government-owned? Did you read the quote that I posted up higher on this page from Richard Clarke about power plant control rooms? Requiring air gaps in scenarios like that seems like very reasonable and necessary regulation to me.
Because there is such a fuzzy line between doing web software development and not doing web software development, I can't imagine how a federal certification requirement for software developers could ever possibly work. Are you "programming" when you use IFTTT? What about if you use Tropo to make an answering machine? If using one of those services to trigger actions in the future is "programming" then are you "programming" when you set an alarm on your iPhone to wake you up the next day? How about if you tell Siri to remind you about something when you get home? Are you "programming" when you play with Aniomagic toys? Where do you draw the line? It's impossibly fuzzy and indistinct.
And it also seems infeasible because of the diversity of the software field. How could the government certify a developer who uses bleeding-edge tools like Haskell Cloud or CoffeeScript? Software disciplines don't fit into neat little boxes and so standardization and regulation seems impossible either politically or logistically.
[Removed]
lol, that was a pretty good call-out. ^
[Removed]
As you know, I base everything on the quality of the argument. I only hold grudges against users who make no argument but rather chose to party bait.
Your "GOTCHA" that you're imagining that you posted seems to be based on the idea that you think that I'm against "regulation". Which apparently you assume because you think that all Republicans oppose all regulation? Do you think that Republicans oppose speed limits? Building codes?
[Removed]
Contort? You assume that I oppose all regulations because you know that I'm a Republican? And so when I'm in favor of building codes or speed limits or cyber security regulations for nuclear power plants, then you think that you've uncovered hypocrisy? Is that what's going on here? When have I ever said anything about being opposed to all government regulation?
You have an image of a laissez-faire, free-market-fetishist Tea Partier in your mind and you're gloating because you think that you've found a contradiction. But there is no contradiction.
I notice that you have no input whatsoever into the topic of cyber security regulations. You're totally preoccupied with your prejudice and unable to even participate in the conversation at hand. YET AGAIN.
on regulation
if hand outs were ever free, I would not have to say a lie to the bureaucracy
[Removed]
So you admit that you had a knee-jerk reaction to the word "regulation" and you didn't even bother to think about the topic at hand.
I sometimes suspect that you're a professional propagandist also, because if the Koch brothers or the Rothschilds or the Bavarian Illuminati or somebody really were going to pay psy-ops agents to infiltrate this web site and disrupt it to ensure that it will never amount to anything, then I have to think that those agents would behave exactly like you do.
just reminded me of something I was thinking about
[Removed]
Apparently they do need to be told, yes. That's the point here. I agree with you on both points. Did you happen to read the Richard Clarke quote that I posted above on this page?
[Removed]
You have completely derailed every single conversation that I have ever attempted to engage in with you, diverting the discussion from the topic at hand to ad-hominem attacks. Even though most of the time I'm trying as hard as possible to agree with you and find common ground.
Do you think that there should be government regulations that require that nuclear power plant control rooms should not be connected to the Internet for security reasons?
[Removed]
duh
What tiff? I've been trying to agree with you as hard as possible. The only thing that I consistently reject is your blanket prejudice against all Republicans and the entire ideological right in general.
Congratulations for devolving yet another thread into idiotic partisan squabbling. Your determination to derail every single conversation on this site is why I said that if this site really were worth having somebody finance its infiltration with psy-ops agents intent on obstructing progress, then they would behave exactly like you.
Do you think that the government should require that the control rooms in nuclear power plants NOT be connected to the Internet? What's your opinion on that?
[Removed]
[Removed]
Are you hinting at calling me a religious nut now? And you seem to be assuming for some reason that I'm a laissez-faire, free-market Tea Partier? Which has nothing at all to do with cyber security regulations. Are you capable of any sort of non-ad-hominem contribution to any conversation on this site? Do you think that your behavior is productive?
[Removed]
An observation. What observation led you to believe that I'm a religious nut?
Actually, never mind, nothing good can come from that. You're determined to turn this into yet another ad-hominem diversion instead of discussing the topic at hand. How do you feel about cyber security regulations? Have you ever been hit with a cyber attack? You've got the CTO of a cloud-based SaaS company who has been hit five times this month and countless times this year with cyber attacks who is trying to provide some input into a conversation about cyber security regulations, and yet you're totally preoccupied with positioning me as your ideological enemy and accusing me of being a religious nut and/or a social conservative, which has nothing at all to do with the topic at hand. (And I'm not even a Christian!) Your behavior would be known as "trolling" on any other web forum, but on this site your behavior is considered acceptable for some reason.
Really? You're a tech junkie and you can't understand how regulations of the internet could impact independent or freelance web developers? I can't see you as owning the business you've made claim to so many times. In fact, I can't see you as even managing any sort of business at all. I certainly wouldn't hire you for IT.
What I'm curious about is why you think that an independent or freelance web developer's work would ever be classified as critical national infrastructure.
(I'm the CTO of a cloud-based SaaS company that was hit by a DDoS cyber attack for an hour and a half tonight, for background.)
See comment