The problem is the bi-directional information sharing between private companies and the multiple levels of government -- it should be one-way (private companies -> government).
There is a very large potential for abuse and we will have no recourse.
I will not deny that it's unpleasant but it is a necessity, which is why subpoenas and warrants exist.
Unfortunately, law enforcement organizations are harrumphing and ruffling feathers so they're getting what they want -- ability to bypass the requirement for subpoenas and court-ordered warrants.
The order should be all critical computers like power-grid control should not be able to connect to the internet in any way or have usb ports or DVD drives.
I have this fear that somewhere an ICBM is on an internet router because some general wants to monitor it. Sounds insane right? Well why are power stations on the internet?
You also need to monitor or update the software and machinery, so you'll probably want some kind of internal network. But can other things than the control systems connect to that network? Then you're screwed, unless you can absolutely guarantee that e.g. a laptop connected to the same network can't be compromised/transported out of the facility.
Iran's SCADA controllers were not connected to the Internet when they got owned by Stuxnet. They were just connected to a network with a laptop with a USB port.
But Obama's problem seems to be with the Internet. So keep those off the Internet, and then pass whatever legislation and executive orders they want for those networks, and leave the Internet alone.
Of course the reality is this executive order is going to have many "gotchas" hidden in it, to give the executive more power over the Internet, and we probably won't learn about them until it's too late.
An executive order that forbad private companies from connecting to the Internet would be far more of an executive overreach than anything proposed for cybersecurity by the executive, the Democrats in the Senate, or the Republicans in the House.
As a former employee of one of the US's largest electric utilities, I can answer this question.
The reason is quite simple. Most power plants are in the middle of nowhere and people with the capability to manage them don't want to live near them, not because of the plants themselves, but because they are in tiny rural towns, which most people understand and appreciate. To make good decisions, the experts, who prefer to live in metropolitan areas (like most people do) need access to the data these generators produce. If the generators weren't on the internet, that'd be impossible.
TLDR: Power stations are on the internet for the same reason everything else is on the internet.
The great thing about remote management interfaces over the internet is that anyone can try to take control over the internet. Whether it's simply a video camera or a power station.
See that pesky internet part.
I really hope ICBMs don't have remote management interfaces over the internet for "convenience".
The fundamental problem with this in my opinion starts with the executive order. As the article states: the executive's job is to enforce laws, not make them. EO's have stepped well beyond that in the last 20 years, with the executive branch becoming more sovereign in nature, which scares the hell out of me.
We do need a cyber security bill, but it should be passed by Congress, whose job it is to iron out all the competing needs, instead of passed by fiat by a wanna-be king[1] who "knows what's best for the country".
1. EO's aren't the exclusive domain of Obama by any stretch. Every president since HW Bush has used them in increasing number and, IMO, in increasing defiance to the separation of powers. Another 20 years and Congress will be nothing but a complete farce, much like other dictatorial "republics".
You're WAAAAAAY past the fundamental problem IMO. The problem is not the king, it's the entire court. The US now has a dysfunctional relationship with a federal government that continually grabs powers they don't have.
Couldn't have said it better myself. This is exactly why legislation is a process that requires oversight and accountability. I'll never understand why people are willing to write the president a blank check.
Yet another illustration of the unintended consequences of authorizations by Congress for war (obviously, in this case, an unavoidable war, but still).
The order to authorize internment camps was the result of two forces:
* Intense and direct recommendations from FDR's entire war staff and intelligence apparatus, which believed that there was an unacceptably high probability that Japanese and German populations would engage in sabotage during the war
* ENORMOUS public pressure, particularly in California, to eject Japanese citizens
The Japanese internment debacle is a blemish and a tragedy, no doubt, but it's not an illustration of an executive power grab. The whole country shares the blame for it.
The lesson I take from it is the same as the lesson I take from drone strikes blowing up wedding parties: Congress should be extraordinarily careful and guarded in its authorizations for using military force of any sort.
The President has broad powers to direct the military to take action. Telling the military what to do is a power uniquely within the President's purview. Telling the military to round up a group of people falls squarely within that power.
That's not a legitimization of the situation--you can argue that Japanese internment was illegal for other reasons, but we're not talking about the legality of Japanese internment in general. We're talking about the executive usurping powers reserved to Congress.
It's an illustration of a majoritarian government power grab. I certainly do not object to condemnations of Japanese internment camps! They were one of the biggest mistakes our country ever made. I object to the root cause analysis you've performed on it, and because this is a thread that is almost entirely about that root cause analysis (and not Japanese internment), I think that's a germane criticism.
Enforcing Congress's laws isn't the only power the President has under the Constitution. He is also commander in chief of the military. Telling the military to round up and detain people is an exercise of that power, and does not violate any separation of powers concerns.
When the people are American citizens on American soil, the action may very well run afoul of other Constitutional provisions, such as due process, but it's not an example of executive usurpation of a power that belongs to Congress.
Well, every once in a while the government would come by and regulate a population out of existence for security reasons. But that was the old days, they're totally trustworthy and non-murdery now.
When you say this are you ignoring or denying the experience of Native Americans? Because from what I understand tame is not a word often used to describe the Trail of Tears or Wounded Knee.
The Wild West refers to the west when Americans first started settling in the West and were largely out of the reaches of the army and federal government.
When the west was being "settled" who living there at the time?
Put another way: Are you arguing that the wild west period was a peaceful and prosperous time for the Native Americans? A period marked by little physical or economic violence?
He said "flourished". The state of being implemented by some basic government-funded research is almost completely disconnected from the time when commercial interests took the idea and ran with it -- causing it to "flourish".
The internet wasn't implemented by some basic government funded research. It was designed and built under a DARPA project and designed and implemented by key pieces of the military industrial complex (BBN, etc). It was run by the DOD and "flourished" long before it was commercialized.
The Internet isn't ARPANET any more than Ethernet is ALOHA.
The technology that made the Internet possible was almost exclusively private sector technology. The desire, effort and vision to put together large networks was already in place by the time the government made their move.
The government helped, no question about it, but all the pieces were already there to make it happen. The private sector was driving that direction and would have built out very large networks regardless of the government.
The record contradicts what you are saying here; what you've written is almost a perfect inversion of historical fact. All the commercial networks being developed or deployed when the Internet was being invented were circuit switched, centralized networks. They really didn't have anything to do with the Internet at all. The design philosophy behind the Internet [1, Section 3] was drastically different than all commercial efforts at the time. The design was so different and so unique compared to existing work that the inventors won a Turing Award for it.
As an aside, all of the above is typically covered in the first week or two of a networking course (I like Brighten Godfrey's [2]).
Have any of you actually read the executive order? If not, did you perhaps notice who the sources were for the stories being written about it today?
There was a cybersecurity order on the table last year (it wasn't enacted). HN got up in arms about it. Some of us read it. Guess what? It concerned itself almost entirely with the operational security of the federal government itself (which operates the world's largest IT departments). The places where it stepped past instructing DOE how to secure their networks were to create educational programs to get more people doing information security. It contained no provisions at all that would have given the government access to private entities networks.
I haven't read this executive order, but if I was going to place a bet about it, it would be that everyone hyperventilating about "king complexes" on HN is being played.
There's not that fine a line between skepticism and ignorant paranoia. Many people here on HN react in a paranoid manner to government initiatives without bothering to even read the proposals or educate themselves about the situation beyond what they hear from the echo chamber.
The government has earned a very large dose of paranoia. They keep trying to intentionally rob us of our liberty, and they've been doing it mostly as behind-closed-doors as they can get away with.
The old joke is it's not paranoia if they're really out to get you. The government keeps demonstrating it's really out to get us, or specifically it wants vast new powers over every remaining corner of freedom, including the Internet.
You come off as overly authoritarian in your comments such that a chance for measured discussion is I think probably often quelled by your domineering attitude.
Since the last decade our civil liberties have only been eroding -- that is the trend, not the opposite of that or something. So a good amount of leeriness is probably healthy and very well warranted. It's great that you're reading the executive orders and getting down to things, but please don't go off on those who by default take the position of skepticism. There's a reason they are that way, and that reason is a pretty good one.
This attitude drives me nuts. It's a message board. What do you want from me? We're not settling public policy, we're discussing it. How does it help anyone for me to issue prolix disclaimers about how certain I am about things? How does that even matter? If you think I'm wrong, say I'm wrong, and preferably, why you think that. If I agree, I'll say so. I'll do the same.
You're dodging the point. Being skeptical does not give you license to be ignorant. That is to say it's possible to believe that our civil liberties have been eroding for the last decade* and base it on actual evidence instead of knee-jerk reactions to any government action.
*) And I tend to agree with you. The history of the U.S. has been a waxing and waning of civil liberties, and I think we're in a waning point right now. That said, the long term trend has been towards more liberty.
The "new" EO is virtually identical to that one, yes.
(I think I got "educational programs", which IIRC was from Rockefeller's draft bill, confused with "outside consultation" from this order.)
I did a clause-by-clause comparison (you're welcome! all part of the service I provide) and while there are minor deltas (like which sentence of a clause the Attorney General appears in, or whether deadlines are 90 days or 120 days) it's the same thing:
* Coordinate better in managing FedGov systems
* Figure out a way to relay threat info from FedGov to private sector
* Inventory the US for computer systems that if disabled could kill people
* Reach out to owners of those systems to help them not be owned up over old dialup modems everyone forgot about
I'm not sure where the executive order is published, if anywhere, but it's a direct response to the failed CISPA in Congress. EFF criticized CISPA as violating 4th amendment rights by giving government new powers to spy on the public. Also opposed: Tim Berners-Lee, ACLU, Demand Progress, Reporters Without Borders, Mozilla, ACM.
Oh, look: a syllogism supported by a list of names and organizations, and not one fact about what's in the executive order that you haven't read, nor one direct concern about CISPA. Perhaps you could start by explaining why Tim Berners-Lee opposes CISPA. Maybe that explanation could include a firm statement about whether Berners-Lee read CISPA. It wouldn't be much of a knock on him if he hadn't; CISPA was the target of a huge fundraising effort by EFF.
Uh, the first line of CISPA is probably is big reason why EFF is critical and involved that 4th Amendment issue I mentioned (which is a direct concern about CISPA... where's your hostility coming from?). The Act is only 10 pages, I and many others read it.
"IN GENERAL.—The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence."
In case it's vague which direction the sharing is allowed (it's both):
"[Private sector may] share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government."
Sharing is secret:
"shall be exempt from disclosure
under section 552 of title 5, United States Code"
No recourse for sharing:
"No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self- protected entity, or cybersecurity provider, acting in good faith"
Edit: to reply to your next comment, you frame this as centered on "attacks" but it's more generally characterized as "threats" and also includes any intellectual property theft (which broadens this by several orders of magnitude). And it also includes efforts to degrade a network. Pretty sure my cell phone provider thinks I've made efforts to degrade their network and steal IP since Android was released.
You think the government should be enjoined from sharing attack information with private companies?
You think private companies should be enjoined from sharing attack information with the government?
You thought maybe attack information for ongoing investigations should be shared with the public?
Exactly what was it that you thought was happening when banks called in the FBI after compromises?
I read the article that Berners-Lee's quote appears on and I stand by my previous statement. I think it is reasonable to ask whether he read the bill, or whether he got it summarized for him by EFF. I do not think EFF was intellectually honest about CISPA. That's a problem, because EFF opposition to a bill is a quick way to generate opposing quotes from a laundry list of Internet luminaries.
Believe it or not, I am probably just as opposed to Internet power grabs by the government as you are. I just I think I'm required to read and think carefully about measures before I stridently condemn them; I did that here and came to different conclusions than you did.
I think the supporters of a law should be required to demonstrate that the problem it supposes to solve is real and even conceivably solvable by government action. In the absence of that it's safe to condemn any legislation on the topic, particularly when there's such a bad track record of alternately useless and harmful laws in the subject areas.
Are you really arguing, that we should wait for the President to issue secret orders and then sit together around the camp fire in order to discuss them? Is this your understanding of a democratic process?
Afaik only some leaked drafts have been circulating around and speculations have been going wild. After the PIPA/SOPA backslash are you honestly expecting "good intentions" when the a president is trying to get a very similar subject "solved" by circumventing public discourse?
I don't think you actually read my comment. I think you skimmed it, determined "this guy supports executive orders", and started yelling.
Even if the executive order had been a recapitulation of CISPA, CISPA has nothing at all to do with PIPA and SOPA.
But it most probably isn't a recapitulation of CISPA; it is simply a series of directives on how the federal government should secure their own networks.
If the order is secret, than how do you know how it will ultimately be worded? And if the subject is so clear cut as you are trying to let it look, than why was it impossible to pass it through a more democratic process?
Executive orders are a clear signal, that a President is unable to get a majority of delegates behind a specific agenda point. We have seen over and over again that under the cover of good intentions bad things are sneaked upon the public - and presidential orders are the ideal tool to accomplish this.
Your first statement on that subject that I wholeheartedly agree on.
I can completely understand that he is trying to circumvent the House on partisan issues (e.g. welfare, health care, etc) and avoiding compromises on his key agenda points.
But if he is unable to create consent on a deeply hawk'ish issue such as defense, then there is something seriously wrong - either with the president or with the proposal. Considering that there he is still part of an active political process - even across party lines (e.g. fiscal cliff) - the problem is not with the president - but apparently with the proposal.
He can't even get his (Republican) SecDef candidate confirmed. I'm sorry, I know that in the frictionless intellectual void that is message board arguments, it makes sense that Obama should be able to get bipartisan consent for defense measures, but in the real world that simply isn't so.
The controversy on Hagel's nomination has very little to do with his party line. Instead his questionable views on Israel are making him a choice that is difficult to sell - both to Republicans as well as Democrats.
Not saying that Hagel is such an outliner, but it is easy to nominate a fringe candidate of the other party and then pointing fingers when his own party does not support his views. Of cause something as sneaky as that would be unimaginable in real-world politics, and I am probably just watching too much House of Cards.
the govt's efforts on cyber security are almost as much of a joke as their response to protecting private businesses. unless you're google or a major bank, getting some sort of response from the fbi/ic3. Have tried playing by the rules when a client is attacked and submitting the information to them, but never any response. Most of the time i brush these attacks off as my own failure to keep things locked down but on the more serious attacks i've submitted server logs, documentation tracking the person back to their home address, facebook page, mother's phone number, everything they could possible need to arrest and prosecute. nothing but crickets.
glad they're starting to make some effort, but from software loopholes to literally exposed (outside & unprotected) hardware/transmission equipment, doubtful they'll never get their shoes on the right feet.
62 comments
[ 3.5 ms ] story [ 122 ms ] threadThere is a very large potential for abuse and we will have no recourse.
Unfortunately, law enforcement organizations are harrumphing and ruffling feathers so they're getting what they want -- ability to bypass the requirement for subpoenas and court-ordered warrants.
I have this fear that somewhere an ICBM is on an internet router because some general wants to monitor it. Sounds insane right? Well why are power stations on the internet?
Iran's SCADA controllers were not connected to the Internet when they got owned by Stuxnet. They were just connected to a network with a laptop with a USB port.
Of course the reality is this executive order is going to have many "gotchas" hidden in it, to give the executive more power over the Internet, and we probably won't learn about them until it's too late.
The reason is quite simple. Most power plants are in the middle of nowhere and people with the capability to manage them don't want to live near them, not because of the plants themselves, but because they are in tiny rural towns, which most people understand and appreciate. To make good decisions, the experts, who prefer to live in metropolitan areas (like most people do) need access to the data these generators produce. If the generators weren't on the internet, that'd be impossible.
TLDR: Power stations are on the internet for the same reason everything else is on the internet.
See that pesky internet part.
I really hope ICBMs don't have remote management interfaces over the internet for "convenience".
We do need a cyber security bill, but it should be passed by Congress, whose job it is to iron out all the competing needs, instead of passed by fiat by a wanna-be king[1] who "knows what's best for the country".
1. EO's aren't the exclusive domain of Obama by any stretch. Every president since HW Bush has used them in increasing number and, IMO, in increasing defiance to the separation of powers. Another 20 years and Congress will be nothing but a complete farce, much like other dictatorial "republics".
I'm curious to see what executive orders you think overstep the line from guiding enforcement discretion to outright lawmaking.
The order to authorize internment camps was the result of two forces:
* Intense and direct recommendations from FDR's entire war staff and intelligence apparatus, which believed that there was an unacceptably high probability that Japanese and German populations would engage in sabotage during the war
* ENORMOUS public pressure, particularly in California, to eject Japanese citizens
The Japanese internment debacle is a blemish and a tragedy, no doubt, but it's not an illustration of an executive power grab. The whole country shares the blame for it.
The lesson I take from it is the same as the lesson I take from drone strikes blowing up wedding parties: Congress should be extraordinarily careful and guarded in its authorizations for using military force of any sort.
Even so, legal or not, there is no valid reason to legitimize the internment of Japanese-American citizens.
That's not a legitimization of the situation--you can argue that Japanese internment was illegal for other reasons, but we're not talking about the legality of Japanese internment in general. We're talking about the executive usurping powers reserved to Congress.
When the people are American citizens on American soil, the action may very well run afoul of other Constitutional provisions, such as due process, but it's not an example of executive usurpation of a power that belongs to Congress.
http://en.wikipedia.org/wiki/American_Indian_Wars
Put another way: Are you arguing that the wild west period was a peaceful and prosperous time for the Native Americans? A period marked by little physical or economic violence?
The technology that made the Internet possible was almost exclusively private sector technology. The desire, effort and vision to put together large networks was already in place by the time the government made their move.
The government helped, no question about it, but all the pieces were already there to make it happen. The private sector was driving that direction and would have built out very large networks regardless of the government.
As an aside, all of the above is typically covered in the first week or two of a networking course (I like Brighten Godfrey's [2]).
[1] http://ccr.sigcomm.org/archive/1995/jan95/ccr-9501-clark.pdf
[2] http://courses.engr.illinois.edu/cs538/
There was a cybersecurity order on the table last year (it wasn't enacted). HN got up in arms about it. Some of us read it. Guess what? It concerned itself almost entirely with the operational security of the federal government itself (which operates the world's largest IT departments). The places where it stepped past instructing DOE how to secure their networks were to create educational programs to get more people doing information security. It contained no provisions at all that would have given the government access to private entities networks.
I haven't read this executive order, but if I was going to place a bet about it, it would be that everyone hyperventilating about "king complexes" on HN is being played.
The old joke is it's not paranoia if they're really out to get you. The government keeps demonstrating it's really out to get us, or specifically it wants vast new powers over every remaining corner of freedom, including the Internet.
(That goes for me too, of course. Totally possible I'm wrong.)
Since the last decade our civil liberties have only been eroding -- that is the trend, not the opposite of that or something. So a good amount of leeriness is probably healthy and very well warranted. It's great that you're reading the executive orders and getting down to things, but please don't go off on those who by default take the position of skepticism. There's a reason they are that way, and that reason is a pretty good one.
I have no actual "authority" on HN.
*) And I tend to agree with you. The history of the U.S. has been a waxing and waning of civil liberties, and I think we're in a waning point right now. That said, the long term trend has been towards more liberty.
(I think I got "educational programs", which IIRC was from Rockefeller's draft bill, confused with "outside consultation" from this order.)
I did a clause-by-clause comparison (you're welcome! all part of the service I provide) and while there are minor deltas (like which sentence of a clause the Attorney General appears in, or whether deadlines are 90 days or 120 days) it's the same thing:
* Coordinate better in managing FedGov systems
* Figure out a way to relay threat info from FedGov to private sector
* Inventory the US for computer systems that if disabled could kill people
* Reach out to owners of those systems to help them not be owned up over old dialup modems everyone forgot about
"IN GENERAL.—The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence."
In case it's vague which direction the sharing is allowed (it's both):
"[Private sector may] share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government."
Sharing is secret:
"shall be exempt from disclosure under section 552 of title 5, United States Code"
No recourse for sharing:
"No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self- protected entity, or cybersecurity provider, acting in good faith"
Also, quotes by everyone opposed:
http://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_...
Edit: to reply to your next comment, you frame this as centered on "attacks" but it's more generally characterized as "threats" and also includes any intellectual property theft (which broadens this by several orders of magnitude). And it also includes efforts to degrade a network. Pretty sure my cell phone provider thinks I've made efforts to degrade their network and steal IP since Android was released.
You think private companies should be enjoined from sharing attack information with the government?
You thought maybe attack information for ongoing investigations should be shared with the public?
Exactly what was it that you thought was happening when banks called in the FBI after compromises?
I read the article that Berners-Lee's quote appears on and I stand by my previous statement. I think it is reasonable to ask whether he read the bill, or whether he got it summarized for him by EFF. I do not think EFF was intellectually honest about CISPA. That's a problem, because EFF opposition to a bill is a quick way to generate opposing quotes from a laundry list of Internet luminaries.
Believe it or not, I am probably just as opposed to Internet power grabs by the government as you are. I just I think I'm required to read and think carefully about measures before I stridently condemn them; I did that here and came to different conclusions than you did.
Afaik only some leaked drafts have been circulating around and speculations have been going wild. After the PIPA/SOPA backslash are you honestly expecting "good intentions" when the a president is trying to get a very similar subject "solved" by circumventing public discourse?
Even if the executive order had been a recapitulation of CISPA, CISPA has nothing at all to do with PIPA and SOPA.
But it most probably isn't a recapitulation of CISPA; it is simply a series of directives on how the federal government should secure their own networks.
Executive orders are a clear signal, that a President is unable to get a majority of delegates behind a specific agenda point. We have seen over and over again that under the cover of good intentions bad things are sneaked upon the public - and presidential orders are the ideal tool to accomplish this.
I can completely understand that he is trying to circumvent the House on partisan issues (e.g. welfare, health care, etc) and avoiding compromises on his key agenda points.
But if he is unable to create consent on a deeply hawk'ish issue such as defense, then there is something seriously wrong - either with the president or with the proposal. Considering that there he is still part of an active political process - even across party lines (e.g. fiscal cliff) - the problem is not with the president - but apparently with the proposal.
Not saying that Hagel is such an outliner, but it is easy to nominate a fringe candidate of the other party and then pointing fingers when his own party does not support his views. Of cause something as sneaky as that would be unimaginable in real-world politics, and I am probably just watching too much House of Cards.
glad they're starting to make some effort, but from software loopholes to literally exposed (outside & unprotected) hardware/transmission equipment, doubtful they'll never get their shoes on the right feet.