
Sen. Joe Lieberman’s Protecting Cyberspace as a National Asset Act of 2010 (“PCNAA”) would give a new cybersecurity bureaucracy sweeping new powers over virtually all private communications infrastructure in the United States, warns PFF Senior Adjunct Fellow Jim Dunstan in a new PFF paper. Jim walks through the bill’s broad definitions and explains the dangers in giving such vast, imperial powers to the President. With the bill out of committee and moving towards the Senate floor, this fight’s just getting started!

Congresswoman Diane E. Watson, who serves as Chair of the House Government Management, Organization, and Procurement Subcommittee, has just introduced new legislation proposing the creation of a “National Office for Cyberspace” within the Executive Office of the President.  Rep. Watson’s bill, “The Federal Information Security Management Act of 2010” (H.R. 4900) amends the Federal Information Security Management Act (FISMA) of 2002 in an attempt “to strengthen and harmonize the federal government’s efforts to ensure the integrity of its information infrastructure.”

It’s hard to argue against that goal, and I won’t here. Clearly, our government needs to get its own house in order when it comes to network and data security. Nonetheless, an “Office for Cyberspace” gives me pause. Although I always try to be careful with slippery slope arguments (per Eugene Volokh’s excellent advice here), I think there are good reasons to fear that any Executive Branch-level “Office for Cyberspace” would quickly come to take on a wide variety of other policy matters beyond just federal cyber-security issues. The Federal Communication Commission’s past and recent history of regulatory mission creep is not encouraging in this regard. The agency has always looked to grow its mission and powers, and it has often succeeded. Of course, to be fair, the fundamental ambiguity of certain clauses and phrases within the agency’s charter document– the Communications Act of 1934 — left the door open to creative readings of things like what was in “the public interest,” or what constituted “fair and non-discriminatory” practices.

If, by contrast, the powers of this new “National Office for Cyberspace” are tightly limited to the mission of simply ensuring that the federal government keeps its own house in order — and doesn’t try to regulate our digital houses at the same time — then perhaps we have nothing to worry about. But, I remain a bit paranoid about these things and fear that the old “Hands Off the Net!” dream dies a little more each day because of bills like this.

Brilliant column from William Jackson on GCN.com debunking “cyberwar”:

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.” It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime.

The habit of threat inflation is harmful to the country. Jackson’s welcome take on “cyber” threats earns an accolade I rarely give out: Read the whole thing.

Update: Tim Stevens, a researcher in the Department of War Studies, King’s College London, has—ahem—attacked “cyberwar” rhetoric multiple times. (1, 2, 3, 4, 5) Kudos, Tim.

White House cybersecurity chief Mike McConnell had a 1,400-word piece in the Washington Post on Sunday in which he stressed a public-private partnership as the key to a robust cyber-defense. One paragraph caught my attention, though:

We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options — and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.

I’m not sure what he’s talking about, and I’d love it if a knowledgeable reader would chime in. I’m not sure how such a spoof-proof geolocation system would work without a complete overhaul of how the internet works.

Cyber Shockwave FAIL

February 21, 2010

From my undulating perch on an elliptical machine last night, I saw that CNN was broadcasting a strange roundtable event called “cyber.shockwave”—they occasionally displayed a subhead saying something like “you were warned.”

It was a group of (mostly) former Bush Administration officials sitting around making their pitch that we should be frightened about yet another menace and that our salvation is to run to the arms of government (especially if it’s controlled by their party). The CNN airing of it was an illustration of how politics and public policy are collapsing together with entertainment—reality TV, specifically. The government “experts” were actors in a play dressed up as a newscast.

This post at “Crabbyolbastard Ruminates” captures my sense of what was going on. (“I see that we as a country are being led by blithering Luddites . . .”) As reported by Crabbyol’, the ideas they discussed included: pulling the plug on the Internet, pulling the plug on the cell phone networks, and nationalizing the telco and power companies.

D33PT00T tweets, cleverly, “ok my phn doesn’t work & Internet doesn’t work – ths guys R planning 2 run arnd w/ bullhorns ‘all is well remain calm!'”

Maybe it’s coincidence that Republicans dominated the scene. It was an event put together by the “Bipartisan Policy Center.” But that just goes to show that there is bipartisan agreement on one thing in Washington, D.C.: The government should control more of the society.

The U.S. federal government is not where the action is on “cybersecurity.” It is the responsibility of coders, device manufacturers, network operators, data holders, and ordinary computer users. The CNN broadcast of this event misled viewers into thinking that cybersecurity is the government’s responsibility and that the government will lead any response to security failures.

Heaven help us if that becomes the reality.

This morning at the Newseum in Washington, DC, U.S. Secretary of State Hillary Rodham Clinton delivered remarks on Internet freedom and the future of global free speech and expression. [Transcript is here + video.] It will go down as a historic speech in the field of Internet policy since she drew a bold line in the cyber-sand regarding exactly where the United States stands on global online freedom. Clinton’s answer was unequivocal: “Both the American people and nations that censor the Internet should understand that our government is committed to helping promote Internet freedom.” “The Internet can serve as a great equalizer,” she argued. “By providing people with access to knowledge and potential markets, networks can create opportunities where none exist.”

Unfortunately, however, “the same networks that help organize movements for freedom… can also be hijacked by governments to crush dissent and deny human rights.”  Echoing Winston Churchill’s famous “iron curtain” speech, Sec. Clinton argued that “With the spread of these restrictive practices, a new information curtain is descending across much of the world.”  She noted that virtual walls are replacing traditional walls in many nations as repressive regimes seek to squash the liberties of their citizenry.  That’s why the Administration’s bold stand in favor of online freedom is so essential.

Importantly, Sec. Clinton made it clear that the Obama Administration is ready to commit significant resources to this effort. She said that, over the next year, the State Department plans to work with others to establish a standing effort to promote technology and will invite technologists to help advance the cause through a new “innovation competition” that will promote circumvention technologies and other technologies of freedom. Sec. Clinton also challenged private companies to stand up to censorship globally and challenge foreign governments when they demand controls on the free flow of information or digital technology.

That is particularly important because Secretary Clinton’s speech comes on the heels of the recent news that Google and at least 30 other Internet companies were the victims of cyberattacks in China, which raises profound questions about the future of online freedom and cybersecurity. Sec. Clinton’s remarks will make it clear to online operators that the U.S. government stands prepared to back them up when they challenge the censorial policies of repressive foreign regimes.


The headline strikes fear: “House Takes Steps to Boost Cybersecurity,” says the Washington Post.

What boondoggle are they embarking on now?

Cybersecurity is hundreds of different problems that should be handled by thousands of different actors. The federal government is in no position to “fix” cybersecurity, as I testified in the House Science Committee earlier this year.

But this is a good news story. Realizing that its own cybersecurity practices are not up to snuff, the House of Representatives will be ramping up training for its staff.

Better awareness of the ins and outs of securing computers, data, and networks will disincline Congress to undertake a rash, sweeping “overhaul” of the systems and incentives that produce and advance cybersecurity.

WordPress has experienced a major security vulnerability, with a worm making its way around the ‘Net, attacking earlier versions of WordPress. Fortunately, because of the hard work of the WordPress open source community, the current (2.8.4) and most recent (2.8.3) versions are immune. Yet as with any program, some users haven’t upgraded. In the case of WordPress (which we use at the TLF), upgrading can be difficult for sites that rely on plug-ins that aren’t always updated quickly when a new version of WordPress is released.

While my heart goes out to my fellow WordPress bloggers who may have experienced an attack, I’m just glad that, for once, the message isn’t that somehow we need the government to protect us all from cyber-catastrophes, but, instead, a little good-old-fashioned digital self-help! From the WordPress Blog:

WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.

As with parental controls and privacy, protecting your security online begins at home. Government can help to educate and promote empowerment solutions, and industry certainly has a role to play in both, and communities like WordPress can offer invaluable support, but at the end of the day, only you can protect yourself online!

Internet policy Shame Artist extraordinaire Chris Soghoian has struck again! Chris recently shamed the online advertising industry into improving their privacy practices with his Targeted Advertising Cookie Opt-Out (TACO) plug-in for Firefox. Now Chris has set his sight on the security practices of cloud service providers.

A letter released this morning, signed by 37 leading online security experts (and organized by Chris), calls on Google to offer persistent SSL (HTTPS) encryption by default for all Google services, or at the very least, to make more visible the option currently given to users to opt-in to use SSL for all communications. Google, in its response, indicated that it was already “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

While Google’s response identifies some clear problems with implementing persistent SSL for all users (esp. connection speed), few would deny that it makes sense for webmail providers to encrypt all traffic using SSL, rather than sending email data “in the clear,” which risks interception by hackers. We at PFF hold no brief for Google; in fact, we have found ourselves disagreeing with them on many other occasions on a range of issues (most notably net neutrality mandates). Nonetheless, on this front, Google has long been a leader, having offered SSL since Gmail launched and having begun providing the persistent HTTPS option last summer while most of their competitors still use SSL only for the initial authentication that occurs when a user first signs in. While the letter focuses on Google and webmail in particular, this issue has far broader implications for all online cloud service providers.

No Free Lunch: The Costs of Encryption

Gmail, Yahoo! Mail, Hotmail, etc. are, of course, “free” (i.e., ad-supported). Google in particular has led the way in increasing the functionality offered in Gmail, not just constantly increasing the total storage space provided to every user (now over 7GB), but regularly adding innovative new features—at no charge to users.

As if the financial crisis and government bailout aren’t already a bit fishy to some taxpayers, now they’re the subject of a social engineering phishing exploit. The Federal Trade Commission issued a warning that

Phishers (pronounced “fishers”) may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information.

October is Cyber Security Awareness Month and in celebration NetChoice will hold a lunch event at the Russell Senate Building on Thursday, Oct. 16 from Noon – 1:30pm. Panelists include:

  • Ken Silva, Chief Technology Officer, VeriSign
  • Michael Kaiser, Executive Director, National Cyber Security Alliance
  • Steve DelBianco, Executive Director, NetChoice

If interested, let me know and come on by.