The private sector may own most of the critical infrastructure in this country, but, you know, it also owns most of the land in the United States, too. Does that mean that we don't need an army? The ownership question is largely irrelevant. Businesses don't like to be regulated. I understand that, but when it comes to national security we can't depend on voluntary action. That's largely what the bill tackles. You'd give Homeland Security more authority to mandate security in critical infrastructure, and that's a good thing.
Are attacks on the U.S.'s critical infrastructure an imminent threat?
One of the problems we've had with the debate is that people have been really imprecise in what they mean by a cyber threat. The normal practice is to call everything cyber war and cyber attack. We know that a cyber attack, a real cyber attack, is now part of an advanced military's arsenal. Some of our opponents have even done the necessary reconnaissance on U.S. critical infrastructure to find vulnerabilities. The director of the National Security Agency (NSA) has told me this. It's just going to be part of warfare in the future. It's a weapon that many major militaries have and that probably 20 to 30 countries are trying to acquire.
If that is the case, why haven't any cyber attacks on U.S. critical infrastructure taken place?
They also have missiles, airplanes and ships. It doesn't mean they just use them freely. That's why I think we haven't seen any critical infrastructure cyber attacks so far. People have the weapons, but they're no more likely to use them frivolously than they are any other weapons for fear of reprisal.
Is the Protecting Cyberspace as a National Asset Act an effective approach to protecting utilities, communications networks and other critical infrastructure?
The bill is on the right track, although it's now being rewritten, and we don't know what the current version looks like. They're trying to figure out what it is you need to do to become really effective. Information-sharing and public-private partnerships don't work. The bill tries to say that we need to move beyond these old and somewhat sterile debates and think of new ways to protect national security. People don't like that because it goes against the sort of utopian ideology that the Internet was built around, and it goes against the desire of companies not to be regulated.
The Act calls for an Office of Cyberspace Policy, which would have it's own director. Where would this director fit into the government's cyber security hierarchy, and how would this impact Howard Schmidt's role as White House Cyber Security Coordinator?
I think the authors of the bill think they would be upgrading Howard Schmidt's position. He would still be where he is, but he would have more ability to actually shape policy and action. Some of what they feel is that Howard's position doesn't have the authority it needs. Put aside Howard for a minute, I think the Office of Cyberspace Policy would be like the White House's Office of the Trade Representative. In other words, there would be a White House staff with enough members to cover the problem and that have the ability to say this is U.S. policy, this is what people will do.
There's a school of thought that too much control of the Internet, even for the sake of cyber security, is counterproductive. Should the government consider a more collaborative approach to security?
We're in a transitional moment, and this debate over an Internet kill switch is part of that. You have the old-school Internet thinkers who are wedded to this pioneering vision that we have to keep the Internet open and unstructured because that will empower innovation. People really believe that. People also believe in flying saucers, and these ideas are about equal. But you also now have people saying, let's look at the data and see what really has worked. We know from the data that although there haven't been cyber attacks on critical infrastructure, there has been espionage against it. We know that an approach such as the 2003 National Cyber Security Strategy (pdf)—which was: we'll share information with people and when they realize the scope of the problem they'll immediately do the right thing—is just not going to happen. Some companies may not realize what they need to do and underestimate their vulnerabilities. When you ask critical infrastructure companies whether their control systems are connected to the Internet, almost all of them say "no," because that is the right answer. And they probably believe it's no. But when you actually go and do the checking you'll find that about one third of them actually are connected to the Internet and the executives just didn't know.
Subscription Center
See what we're tweeting about
10 Comments
Add CommentSurfing the net is not critical. To protect critical stuff, get the machines running it off the public internet. Disable optical and USB flash drive connections (and all other, older, ports) to the workstations hooking to the mainframes or server farms.
Reply | Report Abuse | Link to thisSince people are corruptable and spies/saboteurs can get into facilities, no complete protection is possible. But as long as machines are exposed to public access (internet, cd/dvds, usb drives, etc.) the amount of protection possible is only medium, a little better than that of a tech-savvy home computer user.
I say the government needs the power to shut off the internet. Next time a certain country near the Sea of Japan gets decides to be bad they can slap em' in the face.
Reply | Report Abuse | Link to thisI say the government needs the power to shut off the internet. Next time a certain country near the Sea of Japan decides to be bad they can slap em' in the face.
Reply | Report Abuse | Link to thisThe root vunerability in our countries infrastructure is due to the fact that software companies in the US have been able to do business with "shrink-wrap" license agreements which basically obsolve them of having their product work as they say it should; so actual security in these applications and products is an after thought. If we held companies to a higher standard (yes the cost of mission critical software would go up) then they would have to spell out how secure their product actually is and then stand behind that claim. Cutting off the internet to protect our key infrastructure systems at the expense of the free flow of information (regardless of whether it is friendly to the current government powers) is like shooting the dog because it has fleas when an anti-flea bath would do the trick!
Reply | Report Abuse | Link to this"Shutting off the internet from a company" can be the same as "shutting down the company". Now we are talking (I hope) only about "critical infrastructure" which (I can only assume) wouldn't include E-Bay and the sorts - who's existence depends on the internet.
Reply | Report Abuse | Link to thisBut many of the common practices today place companies at risk if the plug was pulled - either by "us" or "them".
Every system that is "moved to the cloud", or outsourced to remote locations (to decrease costs) increases this network dependency. Internal communications depend on it (e-mail and phone). Business systems are centralized and accessed via communications link that effectively "go over the internet" - at least physically.
When networks were less reliable, much work was done to keep critical resources localized to minimize issues "when" (not if) the network stopped working. Today's networks are (seemingly) reliable enough for many companies to be betting the business on those connections remaining up.
This is hard enough of a problem to solve, but then you also throw in the fact that so many companies are multi-national, with networks and systems having global dependencies.
Don't fall for this New World Order stuff. The New World Order will initiate the cyber-attacks, then they will claim they need the power to control the internet to prevent the cyber-attacks that they themselves have initiated. The American public will be duped once again and we will give our government the power to control the internet. There goes our ability to communicate and our freedom of expression.
Reply | Report Abuse | Link to thisThe New World Order will fail. The global awakening cannot be stopped.
I agree that the Federal government needs an ability to protect critical assets in case of an attack. However, just as there are strict limits on the situations where the military is allowed to control private property to protect the country, there should be clearly specified limits on the control of these critical assets. Also, there must be access to judicial remediation; to deny legal appeals would give too much power to the government. I believe Mr. Lewis' attitude toward the situation is highlighted by his statement "...we have to keep the Internet open and unstructured because that will empower innovation. People really believe that. People also believe in flying saucers, and these ideas are about equal." Excuse me?!?!? He believes the idea that believing in openness in communications fosters innovation is equivalent to believing in flying saucers?!?!? That's using an emotive argument to belittle anyone that disagrees with him. I believe experience has shown science and society flower with openness in communications. And is he considering that shutting down or disconnecting telecommunications won't affect the Internet? I suppose you'll still have access to your home network.
Reply | Report Abuse | Link to thisSo, yes, i agree the government needs some control, but it should require specific, transparent, high-threshold protocols to invoke and it should be subject to judicial review.
I recall three major episodes in our history during my own lifetime when instruments of our government were used to silence critics of government policy. The first was the painful experience of the McCarthy era that had intellectuals of every sort looking over their shoulders.
Reply | Report Abuse | Link to thisThe second was the period when undercover agents from Hoover's office and elsewhere made mush of our civil liberties, when the Nixon crowd got so carried away that the very presidency itself was compromised, and when the Central Intelligence Agency busied itself with grossly illegal activity in Central America and elsewhere in the Iran/Contra scandal.
The third and most recent period is still with us and we find massive invasions of privacy, lavish use of heavily-armed civilian police, lawless behavior by mercenaries, exponential growth in the private prison industry, and what seems to be unbridled behavior by mega-corporations given their imprimatur by the conservatives on our Supreme Court and in our Congress.
One can go back in time to the Palmer raids after World War One, or still further back to the Alien and Sedition Laws in the early years of the Republic.
Why should we trust the faceless and not particularly competent operatives who now sniff around the digital discourse we enjoy in our millions?
Billions, potentially, as global networking finds its stride.
There's some really dangerous potential for brutish and cynical abuse of authority hanging out there in "What if" land and it's already the case that I can legally be "disappeared" for daring to make that statement in these United States.
We need a better handle on guarding our guards. The Romans forgot that and it didn't work out so well for them, did it!
FMarkus
We are the Illuminati and you will be assimilated. Resistance is futile. Individuality is irrelevant.
Reply | Report Abuse | Link to thisOr maybe we just don't want Iran to trash our economy with a $500 scumware bundle.
This disconnect would have to be physical and is easily bypassed by one careless person with a wireless connection such as a cell phone. With the recent effort to replace the centralized domain name registry with a distributed registry that would be somewhat immune to centralized control, I find this idea more challenging than scary.
Reply | Report Abuse | Link to this