US Senate bill allows White House to disconnect private computers from Internet

46 points by drewr over 15 years ago

11 comments

tptacek over 15 years ago
0.

So, when you look at something like this, I think you have a choice to make: you can put on the tinfoil hat and concede any relevance you might have to the discussion, or you can recognize the real weaknesses of this bill and the process that is producing it and comment rationally on whether the government is capable of legislating improved security for its own systems when those systems are by necessity constructed from COTS pieces created by unregulated technology companies.

1.

The thing that everyone is going to talk about here is the definition of a "nongovernmental critical information system". The term is defined broadly in this bill: the President designates them. But I think the intent here is pretty clear: private industry operates the E911 system, the cellular phone network, all our financial exchanges, and a good chunk of the power grid.

Most of these systems are in some way connected to public networks: for instance, a generic Cisco VPN vulnerability could get you a telco, which would get you to private leased lines. Before you shrug that off, read up on "Operation Sun Devil", and the state of the art of teenage hacking in 1991.

I think it's hard to say that the NSC, given a secret update that, say, all Cisco IOS versions were vulnerable to a pre-auth generic TCP remote code execution vulnerability, should NOT have the capability to ensure that exposed power grid systems were locked down.

On the other hand, I agree that the wording is overbroad. I'm interested in what HN people think good wording would be for what would qualify as a nongovernmental critical information system.

2.

What sucks about this situation is this:

The broad intention of this bill, to improve "cybersecurity" across all of US industry and government systems, is going to fail. You can't legislate it.

But narrowly, this bill is going to define what it means to work with systems at DOD, law enforcement, and energy. And I don't care that much, except that the existing processes in these areas are arcane, arbitrary, and exclude a lot of talent and ideas. Relative to financial services, DOD does *not* have excellent security.

But since everyone is going to get ratholed in the meaningless broad intention of the bill, nobody's going to get into the nitty-gritty of secure software accreditation, procurements, certification of personnel, funding for technology and technology grants, and so on. Those topics are boring, but they're more important than whether you can outlaw insecurity.
gloob over 15 years ago
Rough summary:

"A bunch of American politicians have worked themselves into a right tizzy over something they don't even come close to understanding. In response, they are trying to pass a law saying that they run the Internet. When asked his position on the bill, a senior Senator emitted a series of 1990s-era buzzwords."
rsingel over 15 years ago
What's dangerous is that people are letting the military, politicians and the cybersecurity industry raise the hype and fear about the online world. That will only feed their budgets and militarize the internet. Remember the hype around Conficker and "cyberwar" in Estonia. Neither, in hindsight, meant anything. Good network security practices for the government? Sure! A secretive government internet security program run by the NSA and DHS and a Pentagon botnet? No, no, no.
miked over 15 years ago
Key passage from the article:

"Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)"

"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
tptacek over 15 years ago
Here's the actual bill text:

http://www.opencongress.org/bill/111-s773/text
hughprime over 15 years ago
I'm no expert. Can anyone think of a set of circumstances under which this power could be reasonably used?

Alternatively, can anyone think of a *likely* misuse of this power? (I'm not talking black-helicopter stuff here, just standard-issue governmental overreaching).
wmeredith over 15 years ago
AFAIK the President has always had these powers in wartime. The War Powers Act allows the gov't to mandate complete control over any of the country's resources, oil, trains, airwaves, etc...
ams6110 over 15 years ago
Look for booming business in offshore hosting facilities.
mcantelon over 15 years ago
This is part of a pattern. The US state has been making a concentrated effort over the last decade to establish an infrastructure that will protect them from their own citizens (the establishment of Northcom being the foremost example). Why the sudden fear, unless they plan on imposing something they anticipate will be met with widespread resistance?
jrockway over 15 years ago
What I realize about this is that, in the day and age of a global Internet, localized government is becoming rather irrelevant. Laws like this aim to keep the people under control and the government in power.
frisco over 15 years ago
Has the whole piracy episode taught us nothing? You cannot control the internet. The internet is about the efficient conveyance of information: it's basically a law of physics that nothing can stop information from spreading.