eshaelon

Question about Cybersecurity act of 2009

15 posts in this topic

I was reading the Cybersecurity Act of 2009 (S 773) and I have a couple of questions.

In section 18 paragraph 2, The President:

"may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network"

In section 23 paragraph 3, the following definition is given:

The term `Federal Government and United States critical infrastructure information systems and networks' includes--

A: Federal Government information systems and networks; and

B: State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

My questions are:

1) What exactly qualifies as a Cybersecurity emergency?

2) What qualifies a network as part of the "critical infrastructure information systems and networks"?

1, don't know.

2 is easy. You have the definition. It is at the President's whim. Most likely, any non-government stop between Federal Agency A and Federal Agency B, like Level 3 internet backbone providers. If it needs to be there so those two (or three or x) agencies or offices need to talk, then it is considered critical infrastructure. Even local ISPs if they provide the network connection for an agency office.


Like all legislation, it doesn't mean anything concrete. That's the whole point. An emergency is anything they can get away with saying is an emergency.

Don't think I'm trying to be some anti-gov type, either. I'm being completely serious. It's written in vagaries for a reason.

As far as critical structure, think banks, phone companies, ISPs, power grid, etc. Anything that can possibly have some sort of effect on the workings of the USA.

Edited by decoder

Part one.

If the government wants to call it a Cyber-Security emergency, then it shall be a Cyber-Security Emergency.

Part two.

Read the Computer Fraud and Abuse Act of 1986.

Any bank, or government-owned system, or any system the government has interest in. So it can really mean anything.

That is how computer laws work now. Make them cover any and everything, so if they want to make an example of someone, they will.


Try all laws.


I thought I was just being paranoid.

I wonder if they could use this to target social sites or use it as a censorship technique.

Consider if another worm (like the Samy worm) got out on a social networking site (like Myspace). Could this constitute an emergency and Myspace would be ordered to shut down?

What about sites like Binrev or HPR? Could they target security sites (like securityfocus) claiming that the evil attackers will use such information to attack these critical infrastructures?

Would such vagaries in the legislation allow for preemptive actions?

I may be blowing it out of proportion, but look at what they have already gotten away with:

Banning of incandescent light bulbs by January of 2014

Bailouts

Patriot Act (a special case in a different political world, I know, but look what has been done with it).

Maybe the old CG cartoon show "Reboot" had it right with Daemon, the supervirus. "She controls the pathways but not the systems; effectively controlling the net without spreading herself too thin."


They could, until it hits the news and the courts. But why would the President, or the office of the president, try to shut down a site like Myspace? How would Myspace be considered Critical to Infrastructure, or a threat to it? As the law reads, they could order Myspace cut off from all government networks, but it wouldn't allow them to cut off Myspace from private networks.

Also, even the Patriot Act cannot produce enough reason to ban information in regards to the First Amendment right to speech and press.


I used the Samy worm's outbreak on Myspace as an example of a possible cybersecurity emergency.

If a new, highly infectious worm were to infect a popular site and millions of people became infected. Perhaps this worm attacks the firmware within a brand of router and bricks them. (I know a worm's function is to spread, but maybe after it infects so many users, then it bricks the router.)

If there was significant damage, could this legislation be used to force the shutdown of the site?

(assuming responsible admins are forced to keep the site up by the know-it-all advertising execs. (just a theory))

If such a worm were coded from bugs and exploits posted on securityfocus or some other security site, then couldn't such sites be targeted?

Could they be accused of promoting or enabling Cybersecurity emergencies and be forced to shut down?

All it takes is time to erode the constitution. It works so slowly, we do not realize it.

Maybe I am paranoid and overly cautious, but I just have a few trust issues with my politicians.


AFAIK, the letter of this law is clear. They can order the shutdown of TRAFFIC to/from government websites. This does not, literally, give them the ability to order the shutdown of the website. They can ask nicely, or they can ask with the threat of getting on the Gov's bad side, or they can force it and face a lawsuit that they were out of bounds of the law.


I guess my question would be... what would we have them do under conditions of serious infections on government networks, or for that matter, large commercial networks in the U.S.? To be taken seriously as critics of the bill (or any other security legislation), the technically minded folks have to come up with a reasonable plan that does address possible security issues on U.S. networks/traffic/etc. Factoring in the recent DarkReading article about the newly discovered massive botnet, there are potential large-scale security issues the government needs to address.

Edited by Pan

chaostic-- I definitely see your point and thank you for that insight.

Pan-- I believe that if a serious infection occurred, then the network administrators would step in, but this legislation does include the provision for the president to shut down the network in the interest of national security (Section 18 paragraph 6).

As far as the "technically minded folks have to come up with a reasonable plan", the legislation requires this also. Specifically, it requires the president to form a Cybersecurity Advisory Panel. They will produce reports every two years and approve domain name contracts between the Assistant Secretary of Commerce for Communications and Information and the Internet Assigned Numbers Authority (Section 8, paragraph A).

I wonder what this legislation will look like if it is passed. As of right now, it is in the Senate. It still has to go to the House of Representatives and finally before the president.

Does the legislation appear fine now or should we demand our representatives to amend any parts?

I have read provisions for:

(sec 3) A Cybersecurity Advisory Panel consisting of many people of varied technological backgrounds.

(sec 4) A Real-Time Cybersecurity dashboard displaying the security and vulnerability status of all the government networks managed by Dept. of Commerce

(sec 5) Creation of Regional Cybersecurity Centers for the Promotion of Cybersecurity Standards.

++++(c)(3) make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees.

(sec 6) The creation of a cybersecurity standard.

++++(a)(6) Vulnerability specification language- establish standard computer readable language for specifying vulnerabilities in software to enable vendors to communicate vulnerability data to software users in real time.

++++(a)(7) National compliance standards for all software -

++++(a)(7)(A) PROTOCOL - The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal Government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks.

(sec 7) License and certification for cybersecurity professionals working on federal or critical infrastructure information systems.

(sec 8) Review of NTIA Domain Name Contracts by the Advisory Panel.

(sec 9) Creating a Secure Domain Name Addressing System

(sec 10) Promoting Cybersecurity Awareness

++++(2) communicates the Federal Government's role in securing the Internet and protecting privacy and civil liberties with respect to Internet-related activities.

(sec 11) Federal Cybersecurity Research and Development

++++(a)(4)How to guarantee the privacy of an individual's identity, information, or lawful transactions when stored in distributed systems or transmitted over networks

++++(a)(6) How to determine the origin of a message transmitted over the Internet.

++++(a)(7) How to Support privacy in conjunction with improved security.

(sec 12) Federal Cyber Scholarship-for-Service Program

++++(B)(4) shall provide a procedure for identifying promising K-12 students for participation in summer work and internship programs that would lead to certification of Federal information technology workforce standards and possible future employment

(sec 13) Cybersecurity competition and Challenge for cash prizes.

(sec 14) Sharing Threat information between the federal and private sectors.

(sec 15) Cybersecurity Risk Management Report.

++++(1) (the feasibility of) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance

(sec 16) Legal Framework review and Report

(sec 17) Authentication and Civil Liberties Report on the feasibility of ID management and authentication on government systems with respect to civil liberties and privacy

(sec 18) Cybersecurity Responsibilities and Authority

++++(2) (The President) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network.

++++(6) (The President) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security

(sec 19) Quadrennial Cyber Review

(sec 20) Joint Intelligence Threat Assessment

++++ The Director of National Intelligence and the Secretary of Commerce shall submit to the Congress an annual assessment of, and report on, cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructure

(sec 21) International Norms and Cybersecurity Deterrence Measures.

(sec 22) Federal Secure Products and Services Acquisitions Board

(sec 23) Definitions

Edited by eshaelon

Oh, and additionally, any self-respecting network team would likely voluntarily pull their site if they are notified that their site is supporting or causing such a catastrophe. Sites get pulled and cleaned for a lot less. (Recently, a hack on MetaFilter ended up adding a bunch of spam code that would redirect every link on the site to a virus site, and create popups, etc, as well as erased some database information [user profiles]. Pulled, cleaned, and restored within 12 hours of infection, for a site that is not monitored 24/7 by staff [They got to sleep too]).

Only some really (damn real) important site would refuse, and pricks. No need to piss off the feds if they are right about you being the source of an infestation.

That is how computer laws work now. Make them cover any and everything, so if they want to make an example of someone, they will.

Try all laws.

Agreed :D


I guess that is more of the fact that when the threat or the discomfort level comes in the system or a situation of predictable threat...

then it can be possible to do it

also here in India there is no law of cyber security as such..

and the awareness is pretty low !!

my mom herself doesn't know how to shut down a computer :lol:


eshaelon,

I think there are many laws that are general enough, vague enough, that they could be used to stifle opposition, suppress speech etc. However, having a law that says the government has a right to exercise control over networks that are involved in government transactions isn't by its nature nefarious. In specific terms of the president, he actually seems to have a clue and a genuine concern for information technology. He's hired both a "Cybersecurity" CIO and CTO, and created several other positions along those lines. The people appointed to these positions are technology professionals who have fairly competent track records. I definitely want the president to have a plan. If an ISP/network *doesn't* shut their stuff down in times of infection/emergency, the government should definitely have within their rights the ability to protect their infrastructure.

It's good to question the possibility of misuse, but in this case, I don't think we should expect it.
