National Cyber security: Is regulatory legislation the answer (or not)?

I have been reading ‘Cyber War: The next threat to National Security and what to do about it’ by Richard A. Clarke. There are some interesting and compelling points made on the vulnerability of existing computer systems and the ease with which they could be attacked or controlled from external sources, unless the issue of security penetration is seriously readdressed at a joined-up national level. The more advanced a nation, the more fragile it is to this form of attack; the more reliance it has on technology and connectivity, the more it has to lose.

Whilst this may be an ideological issue in terms of approach to public policy, it seems not to be a particularly partisan issue in the politics of reality. The author of the book mentioned above worked as special advisor to Bush 1, Clinton, Bush 2 and advised on the Obama campaign. The current president recently stated that: “The vast majority of our critical information infrastructure in the United States is owned and operated by the private sector… let me be very clear: My administration will not dictate security standards for private companies”, so is treading the same anti-regulatory path followed by previous incumbents. Is this the correct approach?

I would assume that anti-regulatory conservatives would prefer the market was left to its own devices and allow private companies the freedom to ascertain for themselves the correct or necessary levels of security required. I would suggest an analogy with this approach is (biological) evolution. Sure, the market may find the most efficient way to exist and perform, but without the foresight of forward planning, it can’t in any way predict or stop the extraordinary, catastrophic event.

I would also speculate that if a cyber attack was launched and the private businesses that own the Nation’s ‘critical infrastructure’ were hit – electricity generation and distribution companies, aircraft flight control, oil and gas lines, water supplies, trains and traffic, financial institutions, and all the other essential public interest utilities and services that are in private company holdings – then it would be government organisations and tax payers’ money that ultimately steps in to clean up the mess. Is, as the cliché goes, prevention not better than cure?

So, I would frame the debate as thus:

Should it be the responsibility of government to enact legislation to firmly tighten up regulatory procedures (over private businesses) and enforce the enactment of adequate (and no doubt expensive) cyber security, to ultimately ensure the safety of the general public at large; or…

Should private businesses be left free from such governmental constraints to conduct themselves in the manner they deem appropriate and most realistic to the perceived threats, and let the market ultimately decide what, if anything, is required in this regard (even if the public are left potentially vulnerable)?

Thanks.

No. This is the classic problem with big government getting involved in things they cannot possibly scope, understand and/or control based on nebulous fear of some bogeyman that’s going to bring an end to life as we know it.

Well, they’re not, so that is basically a false premise to the argument that private business is left to themselves in this area. All sorts of legal regulatory information security requirements already exist in various industries. I don’t know if I get what you’re at with the what “if anything” part as far as the public is concerned. You are suggesting concerns about private industry controlling the communications infrastructure. Every company and individual that uses it has a stake. I haven’t been anywhere in the past 10 years (and I’ve been a lot of places, BTW) where increased focus on all aspects of computer, systems and communications security was not readily apparent.

The whole cyber scare coming into the public consciousness thing vis-a-vis governmental intervention manifested last year with the infamous Internet kill switch hubbub. I suspect your book was either an offshoot of that or some precursor to it. Either way, I wouldn’t be too worried, at least not until the government tries to get more involved.

Sure, all companies will definitely have some form of security in place, and I’m sure the majority feel they are currently well protected, given the esoteric (or improbable) nature of the threat. But the inherent structure and connectivity of the internet allows the possibility of intrusion to grow as we develop, not diminish. The more technology connects devices, the more we allow remote access for overview and maintenance, for running diagnostics, for convenience sake, the more vulnerable each system becomes to external attack.

No, I’ve no inherent issue with private companies being responsible for running and providing essential services. But I would suggest that if experts on cyber security are looking at the existing systems security measures and find there are vulnerabilities that could potentially be exploited by those with malicious intent, and when they point out these facts to the private companies in question but they don’t act or take the concerns seriously, what other path would there be other than to turn to central government to take up the mantle and impress upon the private companies the necessity of plugging the gaps? It may not be the preferred approach, but it may just be a necessary one.

Don’t get me wrong; I’m not remotely an expert on any of this, and haven’t quite made up my mind on what I would personally deem the proper approach, so am open to all arguments and evidence. I’m presenting the case from the author’s perspective, but of course I can’t relay the entirety of the evidence and concerns (of which there are many) listed in the book here. But the issue as presented seems to be more than just a scare-story or a bogeyman fear; there are genuine concerns that need to be addressed, the question is how best to do that?

Strangely enough, I agree with Nadir on this point, though for a differing reason. The Internet is simply too nebulous, quickly evolving, and inconsistent in nature for government to address it in anything but the most general and ultimately ineffective terms. A cutting edge hacker can get what he or she wants if there is a connection. The only solution in this game is continued vigilance and upgrading of hardware and software alike to keep pace. This will be done with reasonable regularity in the private sector anyway simply to keep up.

There have always been vulnerabilities. Those vulnerabilities, the ne’er-do-wells who try to exploit them and the security people responsible for protecting the resources have all been evolving right along with the systems everything rides on for the past 30-odd years. It’s a never-ending game of cat and mouse.

The real problem these days is the players are becoming extremely sophisticated just as the systems themselves are. State-sponsored groups target the enemy’s military. Illegitimate organizations of all kinds, organized crime, terrorists, what-have-you make money with phishing and spam schemes. Political operatives deface web sites to get their online graffiti exposed. It never ends. But this stuff all relies on the lines staying up and operable. No worries.

The biggest problem I see is disruption in space during a large scale conflict. But that’s another thread.

No one wants to take down the internet; they recognise it as too good a tool for taking down other potential targets. There is concern that nation states are or have already begun such tactics - such as Russia’s cyber attack on Georgia.

One other example would be when Microsoft, under pressure for sales, gave the Chinese government full access to Windows source code, that no one else has. The Chinese government then tweaked the code to suit their own needs for computers released in the Chinese market (including those used by US companies in China) and potentially within other markets too if they buy computers made in China (and who doesn’t?) This allowed the Chinese government to implement their own backdoor access into others’ systems and to monitor usage, content etc… leaving any systems using this operating system staggeringly vulnerable and easily manipulated.

Even the integrated and international supply chain and construction of computer components (hardware) and of written code (software) can have many nations and many hundreds of individuals involved in its creation, implementation, manufacture and production. This leaves plenty of opportunities for trapdoors and logic bombs etc… to be hidden in operating code for future use should they be necessary. Many nations (well, China & Russia and no doubt the US) are positioning themselves to leave such access in others’ systems, like sleeper cells. All in the name of hedging bets.

One other issue is that, with the growing sophistication of attacks, many systems won’t even recognise when, or if, they have been hit. It’s not like breaking into a museum and taking a Picasso - files and code can be copied and all trace of the theft covered up and hidden, so no one is even aware of the intrusion.

For a little bit of background, I had a look at Wikipedia and they have a page - Cyberwarfare - giving a reasonable overview of the issue under discussion, for anyone interested.

Sounds like Windows, alright. :smiley:

That’ll be the day - when M$ gives anyone full access to anything. :rolleyes:

What exactly is it you are rolling your eyes at? That Microsoft wouldn’t give access to their usually protected and proprietary source code, that they certainly wouldn’t give it to the Russians or the Chinese, or just the fact that Microsoft products are so poor that they don’t work well enough to give access to anything?

China Gets A Peek At Microsoft Source Code

Microsoft Gave Windows Source Code to TOPSEC, Which Trains and Employs Chinese Cyberspies

Leaked US embassy cables: Diplomats fear that China used Microsoft source code for cyber warfare

China uses access to Microsoft source code to help plot cyber warfare, US fears

Does Microsoft’s sharing of source code with China and Russia pose a security risk?

You do of course realize, that our info ops troops have been fighting a cyber war with China for over ten years now, right?

I’m not going to add a rolleyes smiley, except to wonder in print why the cyber world as we know it has not yet ceased to exist.

Do you think? I wouldn’t call it a war, regardless of how it might be considered by others. It’s really far short of such a scenario. It’s the usual diplomatic posturing, sword-fencing, realpolitik capers that happens in all fields of endeavour when two nations face-off. Maybe some aspects could be considered battlefield placing of assets in anticipation of their future use, if required, but nothing particularly major has been deployed in attack for or defence of either nation - yet.

There has certainly been industrial espionage, intellectual property theft, spying and strategic positioning of backdoor assets and access points to either enable more of the same or to provide the potential for a vastly ramped up attack should the situation arise that requires it. But no one wants to show their full hand unless the conflict is serious enough to warrant it, as attacks of this nature will generally only work the first time. (Once flaws in systems have been exploited, the gaps will be plugged by defensive teams, so you don’t waste the opportunities you have on the small stuff)

The US has great offensive capabilities in this regard, they could strike back easily, but being able to turn off Chinese Air Defence would really be of limited comfort to US citizens if the PLA have turned off the power in many US cities for weeks, shut down all financial markets and created massive shortages in goods and food by scrambling the routing systems in US railroads. It’s got to be ‘defense first’.

So until the real and obvious vulnerabilities in US defensive systems are fully addressed and considered, the US can never be fully confident in even holding their own in any cyber exchange again, even with nations with much less conventional capabilities. And this defensive vulnerability can, I would suggest, only be addressed by strict federal regulation, as the private companies in charge of ‘critical infrastructure’ are not willing to pay the money to properly secure them, many believing protection from any external attacks is the responsibility of the DoD to provide.

The Chinese have been actively targeting and exploiting U.S. DoD and corporate information systems for over 10 years. You can call it whatever you want. You don’t seem to have a very good grasp on the various aspects of modern war. It’s not just about killing people and blowing things up. Our military, industrial and indeed very fabric of life today is heavily dependent on communications and information processing systems of all kinds. If you are just now getting around to worrying about that you must have been asleep for a couple of decades.

The Air Force has a Numbered Air Force (24th) dedicated to offensive and defensive cyber ops. Private enterprise may be more or less focused on information operations and data security functions depending on their reliance on such technology. It’s an ongoing aspect of life on the Internet and the cyber world we live in today. It’s nothing new and nothing to get all worked up about. Certainly nothing calling for legislation, as you naively suggest in this uninformed, alarmist plea to debate.

And I will, thanks.

Really? Who knew! My point above, as I’m sure you fully realise, is that the extent of the damage that could be done by exploiting weak system defences is hardly being fully explored (by either side) at the present. It may be difficult to map out a scenario where this could occur, but if there was a full out war situation with Russia or China in the future, then when the gloves are off the damage that could be dealt out would be magnitudes greater than the spying and hacking capers that are currently being undertaken in the low-grade cyber conflict of today. You can call it a war now if you like, but it’s hardly there yet.

I’m not worried about it at all, as I’m neither involved in cyber security, information processing, secure communications, nor indeed am I American, for that matter. What I am doing is I’m trying to have a civil discussion on this general topic, on a message board. Whereas I get the impression you feel the subject is either too mundane to be worthy of discussion, or too well known that rehashing aspects and approaches to it is a waste of time, which begs the question as to why you are responding at all?

But again, the very heart of my point is that, yes, the entire country’s infrastructure is heavily reliant on communications, and regardless of what you say, the current systems in place are not secure. Obama’s ideas for upgrading the entire US electricity network to a ‘Smart Grid’ is one example; a great policy idea and could bring better value to consumers, save many billions of dollars, but leaves the entire network extremely vulnerable to attack, without the correct security considerations.

They do, and you can read about them in the links I’ve posted earlier. As do the Navy (Fleet Cyber Command), as do the Army (Army Cyber command), but admittedly to a lesser extent. The Air Force, of course, no longer have the lead on the cyber front that they wanted to maintain, as overall command was removed from them and given to US Cyber Command based in Fort Meade, Maryland. Please note they are all military and only charged with protecting military or DoD computer networks, not with any civilian networks (such as the power networks mentioned above) which is predominantly the point of the entire thread.

And you seem to think that what private businesses are already doing in this regard is completely enough to secure the critical infrastructure they own and control, whereas you have not in any way shown why you should assume this to be the case.

I’m not worked up in the slightest, but thanks for your concern regardless. It is the nature of the world we live in, sure, but that doesn’t suggest that we can’t carry on discussing ways to improve things in that world either. If you want to have things secure and remove vulnerabilities that could potentially be exploited, why not discuss it? It’s an important question and merely saying “it’s in hand, we have it under control, it’ll all work out” is frankly a much more naive approach than what I have been posting here to date. It’s about securing the vital systems, then it’s about gaming out the possible responses to attacks, creating contingency plans, having operations and procedures in place to deal with eventualities etc… There are plenty of things to discuss without resorting to minor digs and petty ‘you don’t know what you’re talking about’ type insults.

What is your basis or cite for assuming we have weak system defenses? The book you read?

No kidding? Then why are you insisting there is some theoretical problem calling for legislation?

Cite?

Maybe you should introduce this idea to the leaders of your country. People running the SCADA system in this country have been implementing enhanced security information infrastructure upgrades for years. Obama’s “idea” is nothing new, except possibly to you and him.

Again you assume this must be the case. Cite.

You have not shown it not to be the case. Where is the problem?

And you believe this is not already being done because of the book you read?

Meh. I work in information security. Sorry, not buying it. Maybe the European Union needs some legislation in this area? No idea what they are doing over there. You seem to have a lot to say about things like the U.S. military, Obama, et al, not being an American, that is. DARPA and U.S. DoD started the Internet back when you were probably still wet behind the ears, and we’re doing just fine with it right now, thank you very much.

The book you cite in your opening is just another alarmist left-wing scare-mongering load of rubbish from Clarke. Really, it is. Let it go. I’m done here.

The book was a starting point, and all the cites contained within the book were also sources of additional information, sure. But it’s not just me, or this one book I mentioned, that is suggesting the defences are not what they should be. See below…

Okay, here’s a few for you:

GSA falls short in four critical areas

Lawmakers: US, DoD still not taking Cyber Security seriously

Obama administration falls short on cybersecurity, CSIS report says

Cyber Security CSIS report

White House Scores Low on Cybersecurity Report Card

The idea of making it more and more interactive is being driven by the current administration. But as you know, this opens up all sorts of new avenues into the control systems: more access points = less secure. It’s not a difficult concept to grasp.

Where the problem is, firstly, is assuming everything is just fine and dandy. See some of the concerns above.

You’re very sure you’re that good, eh? Nothing gets past you? You have it all in hand and everyone else is simply crying wolf, being wishy-washy liberal Cassandras? Is it your position that everything that can be done is being done, or simply that what is in place now is probably good enough? No room for improvement?

You think I’m not allowed to have an opinion on things American because I’m not American? Please. This is a US-based board, generally things discussed here are related to the US in some way. I happily discuss other things related to other places in the world when on other message boards. Again, if you are uninterested in the topic, feel free to pass the thread by. If you are interested, please feel free to cease the petty insults and snide remarks and address the content instead. As a self-appointed expert, you could always try to inform rather than insult, you know?

The internet, albeit funded by DARPA and ARPANET, was really an invention of the left-wing hippy sect based on the campuses of MIT, Stanford and Berkeley, back in the day. And since you know all about the internet, you’ll of course understand that when it was created it was solely for use by well-meaning academics and researchers to exchange ideas, so security was never a consideration, and this basic premise has never been changed. Guys like Larry Roberts who wrote the first transmission codes realised the protocols created an unsecure system, but did not want to slow down the development of the technology. In those days it didn’t matter as it was a small network so it was far easier to simply secure the transmission lines by encrypting links between each computer on the network. With the exponential growth experienced in connections, this is clearly no longer possible, but the same insecurities in the transmission protocols remain. How would you secure that, if at all? I would suggest that for critical systems, such as the power network, there should be NO connectivity to the internet at all.

So you’ve read it? That’s good to know at least. Because you wouldn’t be so rash as to judge the content based on hearsay or your personal opinion of the author’s credentials now, would you? Clarke, who worked for the State department under Reagan, appointed by Bush I to the counter-terrorism security group, and became Special Advisor to Bush II on cyber-security, a recognised expert in his field who is suddenly berated in the right-wing press for his outspoken remarks against Bush’s bungled handling of the 9/11 attacks and subsequent Iraq war. And his experience has led to holding a position that the only way to safely secure American lives from future cyber attacks is to enforce private companies in charge of critical infrastructure to tighten up their security, and the very use of the word ‘regulation’ makes him a target for right-wing hatred.

But I didn’t want to debate the writing style of the book nor the personal qualities of the author, or I would have posted this in Café Society. So let’s move on and deal with the actual content instead, eh? (unless of course, you really are ‘done’, then I’ll say goodbye)

Bye!

Have you worked in IT in the private sector? Or information security in the private sector? Security and profits are generally two competing ideas. The people in the profession are very dedicated and generally pretty good at what they do - with an amazing ability to get things done on shoe-string budgets (mostly because of the culture of information sharing and open-source products that are available) but that doesn’t change the fact that more often than not, they’re viewed as the janitorial staff.

Now I’m not saying national legislation is the right idea - there are some pretty great public/private partnerships and fantastic security information sharing organizations - but it requires dedicated, knowledgeable staff to take advantage of those opportunities. There’s nothing short of reputation keeping infrastructure companies even close to honest right now.

This isn’t a simple throw-away ‘no’. It’s a complicated topic - and legislation might be a good way to force the hands of some cheap and/or unwilling infrastructure companies - the question becomes - what kind of legislation would be effective if that were pursued?