POLICY REVIEW: ANOTHER STEP TO INTERNET CONTROL
John 'J' Trinckes
May 31, 2009
A recent report entitled Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure just came out of the White House.
This report was written by a team of government cybersecurity experts that “inventoried relevant presidential policy directives, executive orders, national strategies, and studies from government advisory boards and private-sector entities.” The comprehensive review occurred over 60-days and intended to “assess U.S. policies and structures for cybersecurity.” The team came up with ten (10) recommendations (or near-term action plans) that are ultimately supposed to mitigate cybersecurity-related risks. (Note: The report was not conducted by an independent group or even provides the names or affiliations of the individuals on the team of experts.)
Reading through the seventy-six (76) page report, I couldn't help myself critiquing the quality of work that went into the report. First, the run-on sentences were plenty and confusing. I found myself reading sentences two and three times just to make out what the author(s) were trying to explain. I consider myself to be an intelligent individual and a published author as well. I guess the old saying that 'it is good enough for government work, still applies.'
Second, the report states that “the engagement process included more than 40 meetings and yielded more than 100 papers that provided specific recommendations and goals.” If this were the case, then why are most of the ten recommendations provided general in anture and rather vague in substance?
It is hard for me to believe that a comprehensive report could be completed in 60-days with as much information that would have to be reviewed from 40 meetings and over 100 papers on the topic of cybersecurity policy. This is especially true when the report defines cybersecurity policy to include:
“strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.”
Wow! That was a mouthful. Don’t worry, the scope of the report did not include “other information and communications policy unrelated to national security or securing the infrastructure.” I’m not really sure what this means since the report defines cyberspace as pretty much all encompassing:
“as the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”
The definition further goes on to say that “common usage of the term also refers to the virtual environment of information and interactions between people.” (Interesting, government control of the interaction between people.)
Why was this review necessary?
“America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration.” (Source: Report by the Commission of Cybersecurity for the 44th Presidency, December 2008). The report also states that:
“our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information.”
Really, we had sensitive military information stolen? When? Where? Who? Why was this not reported to us earlier? (I usually try to keep up on these types of things, but never heard about this one. While other sources were referenced in the report, this sentence had none.)
It is a known fact that “information and communications networks are largely owned and operated by the private sector, both nationally and internationally.” In addition, the private sector “designs, builds, owns, and operates most of the digital infrastructures that support government and private users alike.” The report indicates that there are many ways that the Federal government can work with the private sector. One way is by examining “existing public-private partnerships to optimize their capacity to identify priorities and enable efficient execution of concrete actions.” That’s nice, but it is nothing new. I mean, let's keep doing the same things that we have been doing and hopefully, we will get a different result.
What are some of the other ways that the Federal government can work with the private sector? How about setting up an "incentive mechanism," per the report, to make more secure products and services available to the public?
“Include adjustments to liability considerations (reduced liability in exchange for improved security or increased liability for the consequences of poor security), indemnification, tax incentives, and new regulatory requirements and compliance mechanisms.”
OK, we need more regulations to make cyberspace safe, right? Of course, “protecting cyberspace requires strong vision and leadership and will require changes in policies, technologies, education, and perhaps laws.” (You can be assured that there will be more laws coming down the pipe as I already hinted to in my last column Proposed Bill: Cybersecurity Act of 2009 (SB773) – How the President of the United States Can Control the Internet.)
No report from the government would again be complete without including the part about how much it is going to cost us [The American People]. “The Federal government should initiate a national public awareness and education campaign informed by previous successful campaigns.” (If these campaigns were successful in the past, then why are we at the point of urgency now in terms of our cybersecurity risks?) “The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.” “Appoint a cybersecurity policy official…” and “designate a privacy and civil liberties official…” (Just curious what the salaries and benefits would be for these two positions, heck, if it’s good, I may apply…. NOT!)
Let me digress for just a moment and explain how we’ve gotten to this point. According to the report, “the impact of technology on national and economic security needs has led the Federal government to adapt by creating new laws and organizations.” (Not a shock here.) The report indicates that even back to 1918, Congress authorized the President, through a Joint Resolution, to assume control of any telegraph system in the US and operate it as needed during World War I. In 1934, The Communications Act formed the Federal Communications Commission (FCC) to establish a broad regulatory framework for all communications, by wire and radio. In 1957, the Soviet Union launched Sputnik, the first man-made satellite. It was the peak of the cold war and the US and the Soviet Union considered each other enemies. Americans were scared of this news and thought that since the Soviet Union was able to launch a satellite into space, they could launch a missile at us. In response to this and to give the US a technological edge over other countries, President Dwight D. Eisenhower (not Al Gore) created the Advanced Research Projects Agency (ARPA) in 1958. ARPA enlisted help from Bolt, Beranek and Newman (BBN) to create the first computer network connecting four computers running different operating systems. They called the network ARPANET. A lot of the protocols used on the Internet today were developed through ARPANET. As soon as larger networks joined, the Internet was born. (Source: computer.howstuffworks.com) The Brooks Act of 1965 gave the National Bureau of Standards (NBS), now the Department of Commerce’s National Institute of Standards and Technology (NIST), responsibility for developing standards and guidelines for federal computer systems. In 1984, Executive Order 12472 re-chartered the National Communication System (NCS) to include telecommunication assets owned or leased by the Federal government. (In 2003, the Department of Homeland Security inherited the NCS.) In 1994, the Foreign Relations Authorization Act authorized the Department of State control over international communication and information policy. Now, we have the Cybersecurity Act of 2009 sitting in committee to give the President (or his designee) full control of the Internet under the disguise of security. (Or mabye it is War since we are still fighting two wars abroad and a war against terrorism, in all forms and on all fronts, at home.)
Back to the topic at hand, the report recommends “leading from the top” and appointing a cybersecurity policy official; however, “the cybersecurity policy official should not have operational responsibility or authority, nor the authority to make policy unilaterally.” What? Let’s assign someone responsibility for cybersecurity, but not give them any authority to implement any changes. Maybe we need to run our government like successful private companies do. Most large companies have a Chief Executive Officer (CEO) (i.e. the President) that has full authority to run the company governed by the Board of Directors (i.e. Congress) that reports to the business Owners (i.e. the People). They put Chief Information Officers (CIO) or Chief Technology Officers (CTO) in charge of technologies to align with business goals. They also have Chief Security Officers (CSO) or Chief Information Security Officers (CISO) that report to Security Committees (made up of high level executives) or the Board of Directors directly to create an independence element. Security is normally in direct conflict with operations, but they both need to work together to create effective systems for continued business prosperity.
I found this to be pretty interesting as the report goes on to say:
“A paucity of judicial opinions in several areas poses both opportunities and risks that policy makers should appreciate—courts can intervene to shape the application of law, particularly in areas involving Constitutional rights. Policy decisions will necessarily be shaped and bounded by the legal framework in which they are made, and policy consideration may help identify gaps and challenges in current laws and inform necessary developments in the law. That process may prompt proposals for a new legislative framework to rationalize the patchwork of overlapping laws that apply to information, telecommunications, networks, and technologies, or the application of new interpretations of existing laws in ways to meet technological evolution and policy goals, consistent with U.S. Constitutional principles. However, pursuing either course risks outcomes that may make certain activities conducted by the Federal government to protect information and communications infrastructure more difficult.”
Well we can’t have laws enacted to make the Federal government’s job more difficult, can we? I guess that is one of the reasons why President Obama nominated Judge Sonia Sotomayor. Judge Sotomayor is first nominee with cyberlaw record. Coincidence? I think not.
The report does a fairly good job in pointing out some hesitations that private sector industries have in partnering with the federal government. “Industry has also expressed reservations about disclosing to the Federal government sensitive or proprietary business information, such as vulnerabilities and data or network breaches.” “Industry may still have concerns about reputational harm, liability, or regulatory consequences of sharing information.” You think?
As a former police officer, one of the ploys we used was to have the suspect tell on themselves. We would give the suspect some false sense of hope that we were on their side, they should trust us, and things would go easier if they would just tell us ‘the truth’. (More times than not, the information the suspect provided to us created the case against them in the first place. Until the suspect started talking, we didn’t really have anything on them.) Do you think it would be any different if a company admitted to not following certain laws? Or, if they did, would the government grant some additional protection as the report puts it: “The civil liberties and privacy community has expressed concern that extending protections would only serve as a legal shield against liability.” So if a company is not keeping to its obligations in protecting their client's information, but as long as they tell the government about it and followed their standards in good faith (although these standards may have been lacking or not followed during a specific time frame that led to the security breach), they will be protected from lawsuits?
Here is another statement in the report that concerned me:
“Responsibility for a federal cyber incident response is dispersed across many federal departments and agencies because of the existing legal, but artificial, distinctions between national security and other federal networks.”
If my interpretation is correct, the report writers are pretty much saying that there is NO distinction between national security and other federal networks, thus any federal department or agency would be considered under the umbrella of a national security incident even if the department or agency doesn’t deal in national security related activity. Interesting, no?
I really like this one, “the government needs a reliable, consistent mechanism for bringing all appropriate information together to form a common operating picture.” Computer systems and networks have been around for about 50 years now and although technology has advanced, the government still hasn't gotten a good operating picture of their systems? This brings to my mind Cybernet in The Terminator movies. (I’m not saying we will have metal robots come to life to kill all humans, but if you recall the basis of the Cybernet program, it was to effectively monitor/control all government systems under one system. Unfortunately, Cybernet took over all these systems. It also contained some ‘artificial’ intelligence components. Wait, haven’t I heard this word 'artificial' before somewhere else?)
The report indicates that “we cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people.” It isn't?
“The Nation should implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.”
I bolded the ‘opt-in’ since I always take this as meaning optional. We all now how easy optional becomes mandatory through varied mechanisms of control. We are all to familiar with the government 'enhancing privacy' matters. What privacy means to me is not what privacy means to the government.
“The Federal government also should consider extending the availability of federal identity management systems to operators of critical infrastructure and to private-sector emergency response and repair service providers for use during national emergencies.”
Again with the national emergencies since we all know how well the Federal government has handled these in the past. As far as I’m aware, the current administration still hasn’t got anyone in control of the Federal Emergency Management Agency (FEMA).
There are fourteen (14) additional mid-term action plans, but again, they are all pretty general and vague with no direct guidance on how or what impact these recommendations would ultimately have in the real world or on cybersecurity.
As a point of reference, I highlighted the words ‘global’ and ‘international’ above. I counted at least 35 times that ‘global’ was used throughout this report and at least 76 times that ‘international’ was used. Coincidence? I think not. (Can anyone say New World Order?)
In conclusion, I’m a huge proponent of Information Security and making the Internet (i.e. cyberspace or whatever you want to call it this week) more secure. It is very important to me. I live it, I breath it, and I know some of the risks and threats are real; however, I don’t believe this report to provide a clear, concise solution to the problems. It appears more to me to be some sort of mission statement or one group’s agenda on how to take control of the Internet (i.e. cyberspace) under the disguise of assuring a trusted and resilient information and communication infrastructure. (I don't know about you, but my Internet (i.e. cyberspace) connection has been on and running pretty well over the last few years. I mean, there are those moments that it doesn't work just the way it should, but these occassions are rare and far in between.) Isn't this the reason why we need more regulations and control, from the government to ensure a 100% uptime, right?
Subscribe to the NewsWithViews Daily News Alerts!
I do have to agree with at least one statement from the report: “The Federal government is not organized to address this growing problem [cybersecurity] effectively now or in the future.”
"This is just one of those reasons why I hate stupid people."
Cyber bill squelches speech, curtails liberty, by Bob Barr
© 2009 John 'J' Trinckes - All Rights Reserve