Lieberman's cyber-security bill: The good, the bad, the ugly

Summary: Sourcefire's Matthew Olney examines the "Protecting Cyberspace as a National Asset Act of 2010" and has some recommendations for Senator Lieberman.

TOPICS: Security

Guest editorial by Matthew Olney (Sourcefire)

So, you’re at the bar and across the room you see this incredible [insert whatever floats your boat here]. You spend an inappropriate amount of your time watching this person and your mind starts to fill in the details that the dark environment masks.  Then they turn around, walk towards the bar and (finally!) step into enough light that you can see what they look like.  Your first thought…“KILL IT WITH FIRE!”

This is a lot like how I felt as I read through the “Protecting Cyberspace as a National Asset Act of 2010” (pdf), a 199-page piece of legislation introduced by Senator Lieberman (I-CT) along with Senator Susan Collins (R-ME) and Senator Thomas Carper (D-DE).  It’s worth noting, in reviewing the legislation, that Susan Collins and Joe Lieberman are the ranking members of the Senate Committee on Homeland Security and Governmental Affairs for their respective parties (with Joe Lieberman counting as a Democrat for the purposes of committees). This is an impressive, expansive and ambitious piece of legislation, completely reworking the Federal government’s management of cyber security issues.  There are a lot of things in the bill that I think are necessary.  Of course, as you’ve probably seen by this point, there are a couple of issues that, erm, have “opportunity for improvement.”

First up is the creation of the Office of Cyberspace Policy within the Office of the President.  There is little in our world today that is as poorly managed, rapidly changing and outright dangerous as “cyberspace”.  Having an apparatus at the level of the White House that manages these issues from a strategic point of view is important.  It is this office that would be tasked with creating a “national strategy to increase the security and resiliency of cyberspace”. It is also the first place (page 9) you notice the incredible breadth of changes in the bill.

The Director of Cyberspace Policy is tasked with, to paraphrase, overseeing all policies and activities of the Federal Government across “all instruments of national power” to ensure the security and resiliency of cyberspace.  The act specifically cites diplomatic, economic, military, intelligence, law enforcement and homeland security activities and also calls for the management of “offensive activities, defensive activities and other policies and activities necessary to ensure effective capabilities to operate in cyberspace”.  So while the bill is organized around “Protecting Cyberspace,” the set of options available to keep cyberspace available is…well, everything, including utilizing the offensive capabilities of the NSA and Cyber Command to keep the peace. This office operates at the highest executive level, and the capability of every tool available, even the offensive ones, needs to be understood there.

Next, the National Center for Cybersecurity and Communications.  This is where a lot of the good work of this bill, in my opinion, happens.  The most important duty is called out specifically as a responsibility of the Director of the NCCC: “sharing and integrating classified and unclassified information, including information relating to threats, vulnerabilities, traffic, trends, incidents and other anomalous activities.”  This determination to improve Government/private sector communication comes into play again in the section defining the responsibilities of the US CERT. The information isn’t limited to domestic sources either, with the bill specifically calling for the Secretary of Defense, the Director of National Intelligence, the Secretary of State and the Attorney General to develop “information sharing pilot programs with international partners of the United States.”

The communication thing is critically important.  This game is hard enough without having as much information as possible on which to base your defensive posture.  One of the common complaints from the private sector (which runs 80% of the “Critical Infrastructure” of the U.S.) is the difficulty in getting actionable information out of the Government. The recently released “High-Impact, Low-Frequency Event Risk to the North American Bulk Power System” report from the North American Electric Reliability Corporation calls out several times that “focus should be given to improving the timely dissemination of information concerning impending threats and specific vulnerabilities”, going on to say that “more effort is needed to appropriately de-classify information needed by the private sector”.

From the perspective of incident response, there is another important new service provided by the DHS.  The DHS will, at the request of critical infrastructure operators and provided it has sufficient resources, assist the operator in complying with mandatory security and emergency measures (yes, we’ll get to this…) as well as, through the US CERT, “respond to assistance requests from…owners or operators of the national information infrastructure to…isolate, mitigate or remediate incidents”.

Now…you might have noticed that CERT is doing a lot of useful things, from being a central point for information to a cyber-guardian-angel ready to assist the most important components of the national information infrastructure in defending themselves from attack.  But there are some strings that come with this. Those entities deemed to be “covered critical infrastructure” are required to report any cyber security issue that might indicate an actual or potential cyber vulnerability, or exploitation of a cyber vulnerability.  And the DHS gets to decide the procedures to enable that reporting.  So if you’re a critical infrastructure operator…you are starting to get a little uncomfortable here, no matter how many disclaimers about the protection of information are placed into the bill.

Then you look at Section 248: “Cyber Vulnerabilities to Covered Critical Infrastructure”.  Between this and Section 250: “Enforcement”, the DHS is granted near unlimited authority to deliver requirements to critical infrastructure providers on handling security threats.  In short, DHS can deliver a mandate that a certain security issue be addressed, along with a set of mitigations to be used.  Now, in an exceptionally rare, well thought out approach to this mandate (and a shout out to Richard Clarke and the open-ended mandate crowd), the bill allows the DHS to accept alternate mitigations proposed by the operator if the DHS determines they are adequate. These requirements, as you can guess from the name of Section 250, come with a “civil penalty” if providers fail to address the issues.

My inner Libertarian gets pretty spooked when it comes to this kind of thing.  But, to refer back to NERC’s HILF document, market forces seem to dictate doing the exact wrong thing when it comes to security:

“The increased use of IP networks for Supervisory Control and Data Acquisition (SCADA) and other operational control systems, in particular, creates potential vulnerabilities. Executives with SCADA/ICS responsibilities reported high levels of connections of those systems to IP networks including the Internet—even as they acknowledged that such connections create security issues.” --(pg31, NERC HILF, Cyber Vulnerability)

Since NERC hasn’t been able to fix this, and the Department of Energy and the Federal Energy Regulatory Commission apparently are unable to deliver the regulations necessary to fix it, maybe this is the only way to address these issues. When you declare that an electric grid is a system “so vital to the United States that the incapacity or destruction of such…would have a debilitating impact on security, national economic security….” maybe you should keep the damn thing off the Internet. (I'm going to say this more than once, just so you know.)  It seems so obvious to every security professional I talk to, and to NERC itself.  Clearly they won’t self-regulate here, so maybe this is the answer. (Note that I understand that this act targets “National Critical Information Infrastructure”, but the market and privacy concerns in the information infrastructure are 10 times worse, yet we haven't even addressed the "easy" (for some value of easy) case.)

Then, finally, we get to the section that drives everyone nuts (you know, the kill-it-with-fire part). Section 249: National Cyber Emergencies.  In short, the DHS has the authority, when the President declares a Cyber Emergency, to “develop and coordinate emergency measures or actions necessary to preserve the reliable operation and mitigate or remediate the consequences”.  What this means is that in a “Cyber Emergency”, the DHS can do anything it feels necessary to the critical infrastructure systems of the U.S. and can mobilize the entirety of the Federal Government, provided the DHS does not “supersede the authority of the Secretary of Defense, the Attorney General or the Director of National Intelligence in responding to a national cyber emergency”.

Yeah, this is a good time to panic. I think we’ve amply demonstrated over the last decade that even when a President is restricted by law his actions can be…aggressive, and this essentially hands over to the executive branch complete control of the nation's critical infrastructure.  It doesn’t matter that there are hoops to jump through; the authority and the broad power that this bill allows for are simply unacceptable.  Further, we’ve absolutely avoided holding any high-level political figure accountable for his or her actions (did you just say Scooter Libby? Stop it…) as they relate to violations of the restriction of powers. We just don’t do it.

Also, I've never had a great deal of respect for anyone who comes to me in a panic about some issue when they've failed to do the things already in their power to address it themselves.  There is already regulatory power vested in a number of Government entities, and they have failed to exercise that power (DOE, I'm looking at you) to mandate even the most basic of security practices (like not putting our power grid on the Internet).  The list of "Critical Infrastructure" that relies on the Internet is simply unforgivable.  If it's critical, get the damn thing off the Espionage Super-Highway.  What I'm saying here is, don't come to me saying you need broad, unmitigated power to manage a situation because it is so horrible when you have failed utterly to mitigate and reduce the chance that that situation will actually come to fruition.

This clause is glass-house-based rock throwing.  When the Federal Government demonstrates that it can protect itself from cyber attack, when you can stop the terabytes of data flooding out of Government and defense contractors, when you show that this issue is so important that you are willing to deliver regulation NOW to these critically important organizations, when you've done everything you can to ensure that this power will never need to be used...then, and only then, is it appropriate to discuss this.  Earn it, Senator Lieberman; show me that the Federal Government is willing to do more than just panic after the fact.  (Hello 9/11, Katrina, BP.)

All this and I didn’t even get to the part where the Director has “sole, unreviewable discretion” to decide how to address problems and deficiencies related to security issues in the “national information infrastructure” or any infrastructure that is “owned, operated, controlled or licensed for use by, or on behalf of, the [DoD] or intelligence community”.  Look….using terms like “sole, unreviewable discretion” just isn’t conducive to a trusting relationship between the private sector and the DHS.  We’re already mad at you about the whole shoe thing anyway.

So here’s the deal, Sen. Lieberman. You’re on the right track here, concentrate on the following:

  1. Ensure open communications channels between the private sector and the Federal Government.
  2. Ensure an aggressive declassification (within the limits of law and protecting sources, etc…) of threat information so that the private sector can be notified and can modify its defensive posture.
  3. Build a coordination center that targets not just Federal-to-private-sector communication, but communication within an industry vertical, with the ability to bring in both offensive and defensive experts to assist in mitigations.
  4. Provide an avenue for technical assistance to critical infrastructure organizations so that even organizations without a mature security posture can react in an agile manner to threats.
  5. If market forces don’t move critical infrastructure operators to do right, then fix it.
  6. Prove that you are willing to take the steps necessary to prevent incidents of this magnitude prior to them happening.
  7. Let’s revisit the “Incredible Cosmic Power” approach to incident response. Even if it is scaled back to providing a list of recommended actions backed by an automatic exemption from civil liability if organizations act on them, we cannot simply hand over the infrastructure to the Federal government.

Good luck, Joe. Unfortunately, you’re going to need it.

* Matthew Olney is a Research Engineer in the Sourcefire Vulnerability Research Team.

  • Nationalization and militarization are bugaboos

    Effective nationalization of both public and private networks will be the end result of this. Under powers granted by this proposed law, the feds could dictate terms to any company even minimally connected to the internet, all in the name of security. They could and would demand unfettered and unmonitored access to a company's network, like they do today with the telecoms and ISPs. All it will take is the first "national cyber emergency", which will somehow become the permanent state of affairs, just like "Condition Orange". Once the government takes a power, they never relinquish it. And the effects spread far beyond simple technology, because security is a combination of technology, social interaction, and management policy. The cybersecurity cops would in essence have the ability to dictate anything that they felt contributed to security, from technology choices to HIRING, FIRING, and MONITORING private sector employees. Just like they do today in defense contractors, the US government becomes the hidden judge and jury for any employee action.

    Finally, militarization of the internet implies not only control by the government in all aspects, but also the concepts of acceptable risks and collateral damage. In a "cyberwar" setting, who decides the risks of using a weapon that could cause collateral damage to our own networks, or even just to simply isolate or "bunker" some system that affects the everyday lives of all citizens?

    The US has long operated on the idea that even critical parts of the infrastructure like utilities are owned and operated by private companies. But the government is continually expanding their day-to-day control over private companies with convoluted regulations. Now this bill creates a completely new level of authoritarian control, that of “sole, unreviewable discretion”. In other words, unlimited dictatorial power.
    terry flores
    • RE: Lieberman's cyber-security bill: The good, the bad, the WTF

      @terry flores Lieberman's Cybersecurity and Internet Freedom Act 2011 (and no doubt, any Republican bill as well) is the most treacherous bill ever introduced in Congress. It represents the demise of the USA's technology sector and ushers in Big Brother. If ever the Mark of the Beast became real, this represents the technology to implement it. Every red-blooded American (conservative & liberal alike) needs to read the following in-depth analysis of the bill. This article breaks the bill down into understandable points, covers the treacherous authorities given to the Director of the new Cybersecurity Agency proposed as well as the POTUS's authorities. The implications of the bill are also broken down with quotes directly from the bill to support them. Contact information for Senators & Representatives is also given. We need to create such a groundswell of discontent that the media will be forced to cover it.
      Short Little Rebel
  • holy crap.. burn this bill now.

    It must die a horrible death, and these stupid senators who keep making these technology bills and have no idea what they are doing need to have their asses voted out.

    I am so fed up with the stupid majority ruling. No, this is not a tea party rant; I just want smart people in office who know what they are talking about instead of morons like Lieberman who think they know what they are talking about and don't.

    I wish him the best of luck in his new job as a lobbyist.. but ffs get him out of office.

    In case you don't know, I was once involved in a government takeover of a facility. That facility sterilized things during production; the feds just showed up and said, we are going to use your facility from now on to sterilize all the mail going to Washington. They literally surrounded the building and took control.

    All in the name of anti-terrorism. So if you don't think it happens, it does. People need to get a clue. Watch V for Vendetta if you want a cold reality of what will happen and how it will happen.
    • RE: Lieberman's cyber-security bill: The good, the bad, the ugly

      I agree 100%, Lieberman is a technology retard yet he insists on writing bills centered around technology. Look up some of his past proposed wonderful bills on technology, especially the ones with his buddy McCain. I don't get his fascination with "The Internets", I guess he thinks he can secure those tubes.

      Lieberman + Tech Bill = A bad freakin idea!!
  • Cyberspace is just a buzzword, and a bad one at that!

    You ever hear professors, scientists, system admins, or network engineers use the word cyberspace? No, thought not. A bad buzzword from bad movies bandied about by those who truly don't know what they are talking about. The internet, the world wide web, wide area network, transcontinental network, fiber backbone, Domain Name System, hell even the "information superhighway" has a greater claim to legitimacy than "CYBERSPACE" ooooh sounds scaaaaarryyyyy. Hell, he could have called it the interwebs or a series of tubes, or the always popular inter-tubes! At least then I'd know he had actually seen a computer and wasn't relying on cheesy hacker movies for his intel.
    User 13
  • I think it's ironic...

    ...that the Internet, which (as descended from Arpanet) was designed with a decentralized architecture to prevent being taken down by any single point of failure could now be subject to being shut down by a single order from a politician. Disturbing.
  • RE: Lieberman's cyber-security bill: The good, the bad, the WTF

    I FRIGGIN HATE THE FEDS DUDE. They are always looking for ways to take the people's freedom away. Their friggin' excuse is always about terrorism or terrorists or a matter of national security. Or it's for the people's own good, or for the people's own safety. Or to protect the country. I respect them protecting the country when they do it right, but when they don't, like this friggin' bill they are introducing, that's just abusing power. Truth be told it's all about the money. Here's a scary thought: how many of us have our computers infected with friggin' fed-ware that our security providers can't tell us about for the risk of their business being terminated BY THE FEDS if they detect the fed-ware. How many of we the people's phones, both cell & landlines, are being tapped this very moment by the feds. It's freaky to think about. Another rant: how many feds are directly connected to our systems & networks spying on us in, dare I say it, their excuse of "it's a matter of national security". I tell ya our Bill of Rights & Constitution is pretty much nulled & voided by the friggin' feds, ain't it?