By Suzanne Kelly
Senate members sparred Thursday over whether a new cybersecurity bill will effectively give the U.S. government and private security what it needs to defend itself against the dozens of attacks occurring daily on both government and private computer networks.
The Cybersecurity Act of 2012 proposes to house the government's cybersecurity headquarters within the Department of Homeland Security, which has already taken the lead among the government agencies on coordinating efforts to tackle sticky cybersecurity problems in cooperation with the National Security Agency.
Specifically, the act sets out guidelines for determining cybersecurity vulnerabilities, protecting and promoting innovation and encouraging companies to share information about cyberthreats, improving the security of the government's own cyber networks, and coordinating research and development while clarifying the roles of federal agencies.
Perhaps the most controversial effort of the Act is to establish a partnership between the government and the sector of private industry that controls "critical infrastructure" systems, such as the country's air traffic control system, water filtration facilities, banking systems and electrical grids.
Sen. John Rockefeller, D-West Virginia, perhaps made the most urgent case for passing the legislation, saying U.S. citizens are at great risk and don't even know it.
"It's hard to talk about this sometimes without seeming alarmist," said Rockefeller before detailing how the threat in the cyberworld could strike in the real one, using the example of a potential attack on the nation's air traffic control system.
"Cyberhackers can take that out. So the planes are literally flying in the dark and they will fly into each other and kill a lot of people," Rockefeller said.
Under the legislation, private companies that control such "critical infrastructures" would be identified by the Department of Homeland Security, and each individual company would be required to secure its own networks from cyberattack and then "self-certify" to show the U.S. government it had complied. DHS would have the opportunity to spot-check companies, and failure to secure could lead to civil penalties. The voluntary nature of the bill is one of the criticisms.
Sen. John McCain of Arizona was one of seven Republican senators who sent a letter to the Senate leadership saying the bill had not been offered to other committees that should have a say in it. During Thursday's hearing, McCain raised concerns about how the new measures would be paid for, and he expressed doubts about seating the effort at what he referred to as the "regulatory leviathan at DHS."
"Given the serious national security and economic consequences of any legislation, it is imperative that the other committees of jurisdiction be given the opportunity to share the legislative outcome in a bipartisan manner," said McCain, who promised the introduction of an alternative bill on cybersecurity.
The chairman of the Homeland Security Committee, Sen. Joseph Lieberman of Connecticut, disagreed with McCain, saying that he had in fact reached out to all seven of the Republican senators who signed the letter and that everyone had the chance to work toward consensus.
"I'm sorry they haven't been engaged before and I'm glad they're gonna be engaged now," said Lieberman in a civil but tense exchange with McCain.
At a separate worldwide threats hearing earlier in the day, Director of National Intelligence James Clapper and Director of the Defense Intelligence Agency, Lt. General Ronald Burgess, both praised the bill and pressed lawmakers on the urgency of the threat.
Clapper listed counterterrorism, counterproliferation, cybersecurity and counterintelligence as the most pressing security concerns facing the intelligence community.
I would disagree that the supply chain terrorism is so unlikely as to be a myth. We might argue whether terrorism is the proper word. It's already happened, though I can't go into it (but if you've been paying attention over the last few years and understand it when you see it). Like Stuxnet it's also a governmental thing, so perhaps gains its mythic status that way.

However, as a more interesting possibility, we allow all kinds of software and hardware gladly into our lives on a daily basis. We also don't seem particularly fazed as a group when it's disclosed that personal information of one type or another is being farmed from our phones, computers, social networking sites, etc. A few people stand up and shout, but by and large everyone else just wants to get back to their Angry Birds game. It is not at all inconceivable that someone, terrorist or otherwise, will find a way to exploit that in a way we can't even guess at now. It's fair to say it hasn't really happened yet, but it's NOT fair to say it's a silly idea.
When the Stuxnet malware attacked the control systems of Iran’s nuclear enhancement plant in mid-2010, destroying 1,000 centrifuges, the attack was analyzed by top malware consultants, including Symantec in the US. Their reports are published on the web; ICS conferences are still being held to discuss Stuxnet. However, you will not read in the reports or hear at the conferences of the actual action that was taken by Stuxnet, the action that depended upon the write-always characteristic of the programmable memories of the PLCs (programmable logic controllers) of the control systems. These memories are identical to the reusable, rewriteable memories that are inserted into digital cameras. The Stuxnet malware corrupted the integrity of the programs stored on the PLCs’ memories. All PLCs that are in place in control systems, as well as all PLCs newly manufactured by ICS equipment vendors, have vulnerable write-always memories. ICS vendors, owners and operators remain unaware of, or purposely ignore, this crucial vulnerability.
The alternative memory has a write-once characteristic. This write-once characteristic is also that of music CDs and movie DVDs used by millions around the world.
Programming stored on a write-once memory cannot be corrupted by malware; write-once memory is invulnerable.
If these facts interest you, we will be pleased to send additional information. The Senate has just released its cybersecurity legislation, and it is our opinion that DHS should be made aware of these facts.
The solution of a, as you call it, "write once memory" may seem to provide the solution that you are capable of understanding. What your solution proposes is apparently beyond what you understand about the functionality of industrial control systems. The solution that you propose is the same as listening to a politician's speech during an election year. Neither they, nor you, sufficiently understand the subject of which they speak, yet they continue to say the words because the resulting noise sounds good to their own ears. My suggestion to you is to invest 25+ years in your topic, completely understand that which you speak, and then cautiously offer your opinion. You'll look much less like a political ass and you'll actually have something intelligent to say. Please keep your ignorant ass out of my profession unless you've got the experience necessary to design, program, troubleshoot, and successfully build the type of systems that you wish to attempt to control with your half-baked ignorance!
Why don't they bring in ACTUAL EXPERTS to design the bill instead of taking wild guesses as to what works and what doesn't? These people writing the bills have probably just finally figured out how to even turn on their computer, and have no business passing a law like this. This would cripple businesses like mine with endless analysis and maintenance that is nowhere near necessary to effectively protect your network.
Simplest and most sane decision would be to make a law requiring all vital infrastructure support systems to be cut off from access to the net entirely. While returning to such an analog system might seem necessarily costly, it will save us immense amounts in the long run on what would be needed to defend them from cyber attacks. However, people are addicted to the conveniences of modern systems, and it is unlikely they would agree to such a measure.
Many countries can get together 200 or 300 of their smartest computer people and develop cyber warfare abilities. It can be an equalizer for smaller nations. 30 people to study military satellites, 30 people on civilian satellites, 30 people on military communications, 30 people for financial vulnerabilities, etc.
One historic example is the breaking of the German codes in World War II, when the British assembled a group of people for one very important intellectual purpose.
With the Stuxnet cyber-warfare virus, said to have been developed by Israel, it would seem that the war has already begun, but they may rue starting the precedent.
Sad truth is that the hackers are in our corporate and government networks. Meanwhile, the GOP, instead of defending America from these advanced threats and attacks, would rather sit back and tell you not to get abortions. Besides, their idea of watching everyone in America is as much of a failure as the TSA is: treat everyone like criminals here while the real criminals are safe in their own country.
"Oh yeah senator, I just sent you a virus!!!"...."A virus huh..well I just sent you one too senator" Hahahahahahahahaha
Neo: Why do my eyes hurt?
Morpheus: You’ve never used them before.
http://michaelfury.wordpress.com/2010/09/10/ghosts-in-the-machine/
"Cyberhackers can take that out. So the planes are literally flying in the dark and they will fly into each other and kill a lot of people"
You mean like this, Senator?
http://michaelfury.wordpress.com/2010/08/13/blue-skies-from-pain/
Porn
[PDF] A BILL
http://www.hsgac.senate.gov/.../the-cybersecurity-act-of-2012-s-2105
File Format: PDF/Adobe Acrobat
"(a) SHORT TITLE.—This Act may be cited as the "Cybersecurity Act of 2012". (b) TABLE OF CONTENTS.—The table of contents for this Act is as follows: .."
The dirty evil zionists listen in on every phone call made in the U.S., and you jerk-offs worry about cybersecurity.
It's too late.
We're owned by the dirty evil zionists.
Play it smart: keep your mouths shut and stay stupid.
Stay in debt and when the call comes you send your children off to fight in the zionist wars in the middle east so they can die for the new world order – with the dirty evil zionists calling the shots.
America is a terrorist state now and we are all slaves.
Stay stupid, our zionist masters like their goyim dumb and dumber.
I hope that anger management classes are in your immediate future. Have a blessed day.
This is just another way of giving out politically favored wallet-filling jobs. It also won't work.
We are the ninety-nine percent, we will not forget. Expect us.
Oh this is just great all these disparate entities are going to self-certify and police themselves. You have got to be kidding!
There has to be a simple and easy way to exclude hackers from, say, air traffic systems. How about the whole system being on a central ATC server which has an encrypted, daily-changed random-number access code? At the input end this is fed only to authorised terminals automatically each day.
The server does not let access into the system unless the terminal is identified and the encryption code passes; anything outside that gets fried and deleted automatically. You can do the same with mainframes which contain the control programs, with even higher levels of restricted access. Other standard communication can go via a standard international ISP.
A similar sterilisation of electricity supply systems from ISP to "in-house SP" should reduce risk substantially.
Regards,
Hodgson.
Yes, I'm sure none of the experts thought of this. None of these systems can be totally secured because humans are involved.
I'm a democrat and cannot stand republicans but even I am beginning to worry that if more democrats were in charge bills such as ACTA and SOPA and that bullshit protect the children from porn bill would have passed by now. It's scary the bills hollywood is trying to shove through.
The most successful attacks seem to all be in retaliation for legitimately annoying things that the government has done. Maybe the government should try not being evil so that hacktivists would target other governments instead.
I know, crazy idea.
They won't go after other countries, mainly because the countries will hunt them down and do away with them. We just send them to jail for a few years and then they get a movie deal.
Well, we have to face threats with countermeasures. In this field we will be viewed by the big brother safety net, so are we really being snooped on? Well, who cares, after all we are on a blog that is monitored. So if we do not conduct criminal activity and do not make threats against people, what's the big deal? As long as it's not a witch hunt to silence people for their political views, and we have all seen some weird things here. I say go for it, big brother, just do not abuse it.
Well, it will also go a long way in combating crime in the country.