Fish Fear Me

There's a little buzz on the Internet about a bill submitted this week by Senators John Rockefeller and Olympia Snowe. It is being called the "Cybersecurity Act of 2009" and the actual bill is not available yet via govtrack.us or thomas.gov as of this morning. There is what is titled a "staff working draft" that may or may not be authoritative available here. Being the geek that I am, I read through it this morning to try to measure whether the claims that it would give the president unprecedented control to shut down the Internet and eavesdrop on Internet communications were true. My preliminary conclusion is that the answer is mostly yes, partly no because one section is being misinterpreted, and mostly that people are missing some other large implications of what is a far more broadly intrusive bill than people think. This and what follows assumes, of course, that the working draft is what is actually being introduced.

First off, the partly no. In referring to "Federal government and private sector owned critical infrastructure information systems and networks", Section 14 of the bill states:

People are interpreting that to mean the data on the networks, but I see that as applying to the actual detailed architecture of the networks themselves. Since an applicable network is any that the president defines as "critical", and there's no standard to hold him to at this point, that theoretically means any network in the US, public or private. Now, is that an issue?

Clearly the broad scope of that is a problem. Some sort of standard should have to be met before a network is defined as "critical infrastructure". As it is written, a case could be made that any telco or ISP in the country is "critical infrastructure". A lot of commerce can be disrupted if any of the major telcos are attacked. Even your local telco is "critical" since they provide 911 service(not too mention the "last mile" to the Internet in many cases). The more interesting question to me is just how much does the government already know about the detailed architecture of telco and ISP networks? Does this provision essentially lay the telcos bare to the government in ways that could be used to compromise or shut them down? Could it be the back door to the privacy concerns that are, inaccurately I think, now being stated? And note this in Section 18:

Once again, how broadly that would apply makes a difference. I want to be skeptical here and not paranoid, but we would be wise to note that the first thing you would need to do to control a network and either filter it or shut it down would be to have a good map. How far would the federal government take that authority and do they really need that info handy? Do we really want them to have that info handy?

It will be interesting to see the telco/ISP response to this. It's one of those things where what they don't say may be as important as what they do say.

More: A bit more about network architecture. Over the years there are a couple people I know who have set up their own home firewall device or router. I was pleased that they were able to experience the thrill of the geek, but they both misinterpreted their accomplishment as meaning this whole network thing is not that complicated at all. I hated to break it to them that what they had just done was probably less than 1% of what it takes to build and lock down a multi-node enterprise network. I know because I once led a team that did it. It is a complicated task and there are tons of details that must be attended to or it either doesn't work correctly, or it isn't protected properly.

The reason I bring that up is that I used to guard those network details pretty jealously. Outsiders got information on a need to know basis. So did insiders for that matter. Knowledge is power and detailed knowledge of a network is very helpful for figuring out how to compromise its security. What that part of section 14 noted above will do, if I'm reading it correctly, is put a lot of what is now private network information into the hands of some agency. Forget for the moment any worry about the government using that info, what if they just lose it, or they get compromised? I suppose they might set up a "Fort Knox" type repository, but that's for money; we're just talking about some dumb info that only guards the networks of our "critical infrastructure". 

What could possibly go wrong with the government acquiring all that info? Secrets never leak and government employees are never bribed. Right?

The other part leading the discussion now is Section 18 and these parts in particular:

There's an aspect here that seems to make sense: Of course the president should be able to shut down a federal government network that is compromised. I would think he had that authority already as chief executive, but I could be wrong about that. The same broad scope problems and lack of definition as above apply to these sections also. You can add in no definition of "cybersecurity emergency" or criteria for "in the interest of national security".

I find it hard to believe that the language as written in this draft will survive intact. The president, any president, needs some authority to be able to act in the face of growing threats on and to the Internet. I think it's safe to say that this is a badly written bill as is though, and is more suited to a dictatorship than a democracy. It deserves a lot of scrutiny.

I'll hit the other parts in another post. I have to get something done around the house today.