Ask Cybersecurity Commission Chairman Jim Langevin About US Cybersecurity Plans 92
US Representative Jim Langevin (D-RI) is one of the chairs of the CSIS Cybersecurity Commission that released a comprehensive 96-page report on Dec. 8 under the title, Securing Cyberspace for the 44th Presidency. The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties. We'd like to thank Rep. Langevin and his staff (some of whom are ardent Slashdot readers) for taking time to answer your (hopefully) cogent questions. Usual Slashdot interview rules apply, and — also as usual — we'll post Rep. Langevin's answers as soon as he gets them back to us.
The First Rule of Cybersecurity Plan... (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Oh man, I wish I had mod points for this. Sad but true.
So..... (Score:4, Interesting)
Re:PLEASE MOD THIS UP! (Score:5, Insightful)
"How many civil liberties do you plan to give back to us?"
no, mod comment #26093183 up (Score:1)
Actually, this is an interesting question. I'd actually like to see this answered as well. Although a spin on what the OP said, this is a question that I'd like to see covered and not trivialized.
Mod this up.
Re: (Score:3, Interesting)
Except we already know the answer to that: absolutely none.
Governments never give rights back, they only take them away. (Note this isn't the same as expanding existing rights to cover people they didn't cover before: civil liberties didn't grant anybody rights, they just gave everyone the same rights they already had.)
The only exception to this blanket statement I can think of is Prohibition, and with the ever-expanding drug war, it's obvious that was a special case.
The Democrats are, if anything, even mor
Re: Think of the Liberties! (Score:2)
After Esther Dyson's semantically loaded Mauve Herring question a couple of days ago, I want to know what side she is on. It was clearly designed to get the Right Wing, who already hates abortion, to now hate Anonymous Friends (which they may not yet have had a clear opinion on.)
I seriously have to get a couple books and review the Logical Fallacies. It's becoming a survival imperative.
Re: (Score:3, Interesting)
Re: (Score:2)
Have you read TFA yet?
I'm still going through the report, but it criticizes one of Bush's initiatives (CNCI) as having its effectiveness reduced by unnecessary secrecy.
The one thing I don't like about the report is that in general, I consider the word "cyberspace" to be too buzzwordy for some of the ways the report uses it, especially the "National Office for Cyberspace"... Maybe something like "National Office for Information Technology Security" or something like that?
Re: (Score:1, Insightful)
Have you read TFA yet?
I'm still going through the report, but it criticizes one of Bush's initiatives (CNCI) as having its effectiveness reduced by unnecessary secrecy.
The one thing I don't like about the report is that in general, I consider the word "cyberspace" to be too buzzwordy for some of the ways the report uses it, especially the "National Office for Cyberspace"... Maybe something like "National Office for Information Technology Security" or something like that?
"Cyberspace" is one of those words that are almost never used by people who really know what they're talking about.
Re: (Score:2)
I'm interested in how the cybersecurity strategists will be attempting to identify false flag attacks.
This task appears to require the application of traditional intelligence gathering techniques to give perspective to electronic evidence of malfeasance ...
Anyhow, false flag attacks in the cyber world will be an increasing issue as domestic groups realize they don't actually have to hurt anyone directly to set up their enemies for a fall.
After all, why snuff a competing group yourself when you can aim the h
Red Teams (Score:5, Interesting)
What are your plans to utilize this powerful technique? If applied elsewhere, Red Team competitions can help better secure other aspects of the internet and to stay up to date.
Why run this out of the EOP? (Score:4, Insightful)
Why run this out of the Executive Office of the President? Trying to run operational units directly from the White House seldom works well; the environment is political, not operational. The present cybersecurity office, in Homeland Security, is ineffective because the incumbent is a former lobbyist. When Amit Yoran was in charge there, progress was being made. He quit because he wasn't getting backing from higher in Homeland Security. The office needs a high-level champion in the White House, but that's a liaison job.
Re:Why run this out of the EOP? (Score:5, Interesting)
To build on this, how are you planning on addressing the credibility gap between what the executive wants to achieve, and what the rest of the internet community (at least in the US) believes you really can/should achieve?
For example, I was at BlackHat this year, and the keynote speaker was one of the Feds, speaking about the federal plans for cyber security. The discussions in the hall after his keynote were scathing. Many of the attendees concluded that he had no clue what he was talking about. This, I think, has to be the first hurdle the executive needs to clear before accomplishing anything. Put simply: the private sector just doesn't believe in government's ability to succeed. How are you going to fix that?
Re: (Score:2)
Put simply: the private sector just doesn't believe in government's ability to succeed. How are you going to fix that?
That was the entire point of the recently held American elections.
The answer is forthcoming and will be based on how willing the American people are to dedicate their own time to enriching their country.
We are both cooperating to answer your question by participating in this thread.
Disclaimer: I didn't vote this time around. The election seemed too important at this juncture of history to g
Re: (Score:2)
Credibility will not come to DHS' cyber-security efforts from one election, neither will trust. Bureaucracies don't change that fast, and trust isn't granted that quickly.
My point is not that change wasn't coming...my point was that there was a step in their process that they missed. Call it step zero, if you like. That step is: establish competence and win the trust of the industry.
Re: (Score:2)
What does that even mean? Are you trying to imply that Bush was somehow preventing people from "enriching their country"? Like people were saying "Hey, I'm going to enrich my country!", and then some Republican thug would stop them? I don't get what you're trying to say.
a few things off the top of my head (Score:3, Interesting)
Action (Score:2, Interesting)
For example, almost all spam promotes products paid for by credit card: if the credit card companies were threatened with punishment for handling transactions for goods promoted by spam, there would be no more spam. (Even spam originating in other countries promotes goods sold to Americans, and paid for through American credit cards.)
Re: (Score:3, Insightful)
Why do you do nothing about the credit card companies handling the proceeds of crime? Most cybercrime relies on credit/debit card companies
You have a very poor grasp of "cyber crime" and what the current trends are in it. Spam is distributed by botnets, and I'm pretty sure they don't need a valid credit card number to operate. Malware is being developed every day that exploits people's online banking login credentials to conduct wire transfers, which do not involve credit/debit card companies or the ATM network (not directly anyway), in addition to secondary uses in industrial espionage and selling computing cycles for things like key cracking
Re: (Score:3, Interesting)
I think you missed a point there. The idea behind punishing credit card companies is not about credit-card fraud, but rather making the various V|4GR4 ads go away.
If credit cards have to be used to pay for such products, punishing the credit-card companies for processing those payments would make the economic incentive to sell such products dry up.
Re: (Score:1)
If credit cards have to be used to pay for such products, punishing the credit-card companies for processing those payments would make the economic incentive to sell such products dry up.
No, I see the point perfectly and I think it's idiocy. How does punishing one company for the actions of another solve the problem? It's like punishing gun manufacturers for people who use their product to murder. There's no relationship between the two. Cybercriminals will just find another way to steal funds, trick people, or interfere with commerce and manipulate those systems to seize an advantage. Attacking the credit card companies doesn't do crap except further damage an already vulnerable public res
Re: (Score:2)
No, its like the gun companies refusing to sell to people who specifically state they intend to use it for crime.
When someone buys the fake Viagra on the dodgy pills site, they use their credit card. It is presumably possible for the credit card companies to identify the merchants tied to these sites in the same way as they identify online casinos in order to comply with other laws regarding those. Therefore, they could block these transactions (or cut off the merchant accounts completely if that's feasible).
Re: (Score:3, Insightful)
When someone buys the fake Viagra on the dodgy pills site, they use their credit card. It is presumably possible for the credit card companies to identify the merchants tied to these sites in the same way as they identify online casinos in order to comply with other laws regarding those. Therefore, they could block these transactions (or cut off the merchant accounts completely if that's feasible).
And how do you propose vetting a vendor to ensure they're legitimate without either making it privacy invasive or resource-intensive? This is the same problem as with background checks, and on the internet, nobody knows you're a dog. If you want to win, you attack the problem at its source, not at the periphery.
Re: (Score:2)
Why is the spam distributed by botnets? To make money! Yeah, really... they are not doing it to worship the god of Bot!
How does threatening the credit card companies work? Well, I for one have a good knowledge of how the credit card companies are responsible for who they do business with i
Regulation (Score:5, Interesting)
The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity, so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet, can you convince me that a regulated internet is even necessary?
What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.
Re: (Score:3, Insightful)
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre*.
-- Armand Jean du Plessis, Cardinal et Duc de Richelieu and first minister to Louis XIII
* If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.
How is this not a waste of time (Score:3, Interesting)
Dear Cybersecurity Commission Chairman (Score:3, Funny)
Dear Cybersecurity Commission Chairman,
Please shoot all your spammers.
Sincerely,
The Rest of the World.
Re: (Score:3, Informative)
They can't. Congress passed a law called the CAN-SPAM Act that basically says you can spam. They should have simply outlawed ALL unasked-for commercial email.
My question about CyberSecurity (Score:2)
Well, umm...yeah, do you, like, have one?
I'm only half-joking...
Wow. (Score:5, Insightful)
Cyberspace? I think if you want a comprehensive strategy you need to get away from words that make you seem like a "series of tubes" style neo-luddite.
Let's move through the executive summary:
Reinvent the public private partnership:
Mmmmmm, pork.
Regulate cyberspace:
So you want to regulate it without telling anyone what to do. That should work.
Authenticate Digital Identities:
So, you want crypto for everyone, is that what you're saying? After that you're going to have to have some form of universal id/biometrics to keep those secure crypto identities from being stolen. And that won't actually work.
Modernize authorities:
The secret is realizing that just because a traditional crime is happening online, it doesn't make it a new crime. Once you take that step it's shocking how few new laws are actually needed.
Use acquisitions policy to improve security:
More pork. Seriously, are people buying stuff that they know is insecure? (Not counting Windows, obviously.) You should be pouring money into open source development, and not shutting down things like the NSA's security-enhanced Linux program just because it's not putting money into the coffers of the big campaign contributors.
Build capabilities:
Nice and safe, that one.
Do not start over:
I'd argue that there hasn't even been a real start at this point on any of the above points, so that shouldn't be hard.
This just doesn't even seem serious to me. You need to get people who know vaguely what they're talking about, set up a secure, interoperative, interconnected network for the government. And if you manage to achieve that goal, then you can start trying to rearrange the rest of the world. But get your own house in order first.
Re:Wow. (Score:5, Interesting)
Wow, there are a lot of good questions being made here, but one thing REALLY bothers me:
The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties.
The word balance suggests that there is give and take on either side of the scale. I posit that there is not. Civil liberties must be maintained, at the cost of security on the Internet if required. Q: How do you intend to manage that problem?
A government commission on 'cyberspace' security should obviously be intending to bring 'cyber criminals' to justice in order to protect ..... what exactly? What exactly is 'cyberspace' that you are going to secure?
If your domain is bringing criminals to justice, shouldn't you simply be an enhanced part of the FBI?
In what ways have you, and will you work with groups from other countries with similar mandates?
So far, you seem to like using 15-20 year old buzz words. How does this reflect on your ability to react quickly to the changing landscape of threats to Internet infrastructure, businesses, and commerce etcetera? Further, 'cyberspace' as most of us know it is very big. How do you intend to react quickly and 'secure' it when the tens of thousands of people and companies currently trying to do so are not able to? Making it illegal to run un-patched databases on websites will NOT fix the problem, so how do you intend to fix the problems?
As someone who writes software I am keenly interested to know if my vocation will come with risk of incarceration in the future. Will simple security mistakes bring to me risk of punishment, other than punishment of losing my current job?
Aside from virus software, one of the largest commercial security problems is DDoS attacks. Will you address that problem, or only problems that you can easily handle? Will the FCC be assisting you in any respect with regard to DDoS attack handling etc.? Since 'cyberspace' runs on commercial pipes for the most part, and those pipes/tubes are full of lolcats running P2P, what will be the commission's reaction to capacity issues with regard to security of 'cyberspace'?
Are there any specific commercial ventures that will be ignored by the commission's work? Will this affect my local website AND Google, or just Google?
Is the word 'cyberspace' used in the title to relieve anyone of actually having to define what you will be responsible for?
Re: (Score:2)
It's just empty rhetoric. I think that's what "cyberspace" actually means... It's like a punctuation mark to indicate a lack of knowledge.
Re: (Score:2)
Right. You give us your liberties, we take them. Next question:
We take the liberty of doing what we please. We can manage that quite easily.
How will this power be controlled? (Score:5, Interesting)
I work in IT security and thus I wonder how you plan to deal with two conflicting problems: Rapid change of threat scenarios and ability to supervise and monitor the actions taken by the "cyber police".
Threats in IT change rapidly. Over the course of days sometimes. So quick reactions to emerging threats is a necessity. You have to react fast when something emerges, you can't let debates go on forever with weeks passing to give various interest groups a say in the matter.
How do you plan to ensure that civil liberties will not suffer from the necessary fast response when trying to make the internet a safer place? That whatever organisation is supposed to make the "net safer" will have certain powers is a given. Whenever, though, someone who has power has to do something fast (i.e. before someone could complain or interfere), the temptation to abuse this power (claiming "danger in delay", when the only danger would have been that someone could find out that power abuse is afoot) is present as well. How do you plan to address this?
Net Neutrality (Score:2, Insightful)
Are you a supporter of net neutrality?
Translation (Score:4, Insightful)
In today's political environment, "balance" is short for "annihilate, but in a way that doesn't draw public attention." They already monitor all domestic and much of international internet traffic. There are several super-massive networks dedicated to this, and data centers that make Google's resources look like a street beggar next to an executive banker. Their two main challenges are sifting the data for timely intelligence and warehousing the data. Fortunately for them, much of internet traffic is redundant, especially when you already have a copy of something previously sent -- you can use deltas and journals to store and retrieve the data streams at a fraction of the cost of brute-force storage approaches. Privacy died years ago, but people are still clinging to the idea that it's out of reach because their imagination can't fully encompass the full magnitude of the surveillance effort. This Slashdot post, and tens of thousands like it, undoubtedly reside in a database, instantly accessible, and tools exist to conduct a variety of analyses at every level of communication. These tools make Wireshark look like a high school science fair project in comparison, and while they are internally developed, often poorly implemented, and are not easy to use -- they still work well enough, and research is always underway to improve them.
What the government is continuing to do is surround itself in a dense layer of laws, bureaucracy, and legal framework to insulate itself from public protest, hoping to repel or entirely dissipate any manner of organized dissent. This is simply another step in what has been a progressive march towards total control of the global communications networks, and the United States has had assistance from over a dozen major players. The spectre of terrorism, in tandem with rapid advances in sigint technology, has simply accelerated long-sought-for powers and caused a paradigm shift in the way intelligence is gathered and distributed. To bypass certain legal restrictions placed on them, they simply "outsource" intelligence work, pooling their collective resources while maintaining plausible deniability and a layer of obfuscation with the sole purpose of continuing the charade for the public's benefit in the respective member countries.
If any of this is news, it shouldn't be -- the major governments of the world want a global internet where every electronic communications device interconnects with every other because they already control most of the gateways and they are holding most of the keys. They are only too happy to have the assistance of people like you and me who labor under the notion that this will ultimately help society economically, socially, and politically. And it's true -- a global communications infrastructure will do exactly that, making the world a smaller place, making geographical and political lines largely irrelevant, streamlining economic exchanges, and bringing the thousand cultures of the world right to our fingertips. All under the watchful vigilance of ethereal and nameless soldiers, who promise you safety in exchange for an eye and an ear on the innermost details of your life.
And we're going to give it to them, not because we have a choice, but because several thousand years of human history says that somebody has to man the walls, somebody has to watch the gates, somebody has to enforce the laws (however arbitrary), and we're desperately afraid that this invisible framework that holds back the chaos today will fail and unleash a flood of uncertainty. All such frameworks are of course transitory in nature, but we will nevertheless sacrifice our freedoms in exchange for the promise of safety because we've never known any other way to live.
Freedom ever was only an illusion, a dream we continually strive for yet fail to achieve in any lasting way. Yet, because people continue to have impossible dreams, a balance will always be maintained between the extremes of tyranny and freedom. It was as true two hundred years ago on muddy battlefields as it is today, in an ethereal world of electric impulses.
Re:Translation (Score:5, Insightful)
Ah yes, forgot -- the question. So, Mr. Chairman, what will you recommend to improve the protection of the global surveillance network from abuse by foreign and domestic interests? What oversight will be available, and what punishments will be dealt for such abuses? What's to prevent the oversight committee from becoming too comfortable and complacent in its duties that an erosion of vigilance occurs and ultimately makes it a meaningless appendage of the bureaucratic process?
If I may offer a suggestion: Disclosure. Show us some of the near-collisions between this ethereal world and the real one, how close we've come to losing valuable assets. Show the challenges and balancing act that is as much about people as technology -- put a human face on the men and women who work in secret to protect us every day. Take us inside. Give us a reason to trust your commission, and the people they oversee, rather than empty assurances that abuse isn't happening. I accept there isn't much we can do to turn back the clock, but I'd sure like to know that the people manning the walls and standing at the gates are people like me who understand the moral implications of the choices they make every day. Because right now I have my doubts, as do millions of other Americans who look uneasily to the future.
Hiring Practices And Education (Score:4, Insightful)
I noticed briefly in the document that it mentions the inability of the Govt. to hire the necessary talent to combat these issues. Namely, it mentions the drop in CS student enrollments and attempts to relate it to the .com burst. In reality the American IT profession is under assault by both outsourcing and the current H1B visa program.
How do you intend to increase CS enrollment when the job market is being eroded by these two factors?
Over-reaching (Score:5, Insightful)
These may have belonged in my earlier question, but anyway:
1) Are you concerned with biting off more than you can chew with the "Manage Identities" portion of the recommendation? (or, put another way, are you sure the government should really be doing any of those in the first place?)
A number of people are already uncomfortable with the idea of a national identity card (witness the problems that RealID is having these days)...your report goes even farther, though, by proposing a government-issued identity card that consumers could use for purchases online. If I'm already suspicious of a national ID, why in the world would I want to use a government-issued online ID?
2) Also, your recommendations have some huge loopholes: point 17 says that you want to allow consumers to use strong government-issued credentials for online activities, but point 18 then says that there should be regulation preventing businesses from *requiring* the use of those credentials.
In practice, one of these two lines will be pointless (companies will say that it's optional to do business with them, so it's not "required"). By way of example, it's illegal for a company to *require* an SSN for non-banking business, but just try to get water service in Maryland without giving it to them...you can't do it.
Doesn't this sort of loophole make your "consumer protection" recommendations pointless?
cyberspace security needs and civil liberties .. (Score:5, Insightful)
Why? (Score:4, Insightful)
Why must civil liberties be given up under any circumstance under the guise of "cybersecurity"? Why is there no open public review for people to proclaim that under no circumstance do they plan to give up civil liberties for the sake of a bad US government cybersecurity plan? I for one do not plan to give up any form of "rights" just because the government has an inability to secure their own systems. I'm sure we all know the Thomas Jefferson quote [wikipedia.org] for this.
Basically, my question is: why are we focused on balancing rights for security when we could spend more effort securing the existing government computer systems that we use, and it would be more effective? This is like pointing a finger at the Washington Monument and blaming it for the market collapse, and does not directly address the issue I just mentioned.
Single Platform Vulnerability (Score:5, Interesting)
It is no secret that our nation's national security is threatened by the current single-platform strategy. The lack of operating system diversity creates a fatal environment in which a single system flaw can expose all govt facilities and networks. As it stands today, a single serious vulnerability could be exploited to black out most if not all of our govt infrastructure.
How do you intend to address this serious problem?
Such as? (Score:4, Insightful)
The aim of the Commission is to help the incoming administration balance "cyberspace" security needs with civil liberties.
Give specific examples where civil liberties might need to be "modulated" for the benefit of electronic security measures.
Re: (Score:3, Insightful)
Defending our civil rights is defending the nation. If I have to give up rights for "national security," then the security people have failed terribly.
Basic definition... (Score:2)
What exactly? (Score:3, Interesting)
What are you actually securing? Military computers? Government computers? Or is "cybersecurity" intercepting everyone's communications to bust dopers and other "terrorists?"
We've lost fewer than 4000 people to terrorism this century, while ten times that many die on the highways yearly.
Re: (Score:2)
What does intent have to do with it? If the Islamists want to wipe us off the face of the earth they're doing a piss-poor job of it. The cars do it ten times better without even trying.
Homeland Security Lack of Scope / Mandate (Score:1, Interesting)
I feel that Homeland Security lacks a mission that defines the scope of its surveillance powers. Is this a long term danger to our democracy? Our history has shown us how when agencies like the FBI are given powers without clear scope and oversight they eventually get abused.
Furthermore, a lot of signals intelligence related operations have been largely outsourced to prevent government being hampered by existing laws. This clearly creates a dangerous situation. Can we put the genie back in the bottle?
Secure what? (Score:4, Interesting)
Besides sensitive government computers, which for whatever reason need to be connected to the WWW, exactly what part of the US portion of the Web needs to be secured and why?
Security Access by Criminals (Score:1)
When corrupt officials are busted how is it they still keep their security clearance, and still have access to government buildings and computers?
In this light.
What good is the Dept of Homeland Security?
The only thing they seem to be cracking down on is honest citizens trying to shine a light on corruption.
Hardening & Prevention versus Monitoring (Score:3, Interesting)
Much of the question of civil liberties in cybersecurity seems to be related to enforcement after the fact: the ability to find out who did what after the event occurs. That seems like a principal indication that there is a problem in our approach. Once an event happens, it cannot be undone. This is particularly true when considering information assets, which once lost cannot be recovered in the same sense in which a painting or automobile can be recovered.
Given these facts, is the direction of hardening and prevention being given sufficient weight when considering cybersecurity? Being able to put a criminal in jail is a fine objective, and perhaps there is some amount of freedom that is worth sacrificing to support that objective. Of course, it would be better to prevent the harm from occurring in the first place.
Do you place higher priority on hardening our information infrastructure, or on enhancing our ability to find out who did it after a breach occurs?
Comment removed (Score:3, Insightful)
Relationship with the telco (Score:1)
In order to enforce a strong cybersecurity strategy, the US government and major owners of US telecommunication assets will have to cooperate. Unfortunately, the recent scandals regarding the illegal spying on US citizens using the telco infrastructure have affected the trust these private companies had in the US government. Aside from granting them retroactive immunity, what other steps are you willing to take to ensure future cooperation from the private industry?
Clarification (Score:1)
whatstheworstthatcouldpossiblyhappen (Score:3, Interesting)
What would be a "worst case" scenario for internet warfare (I *hate* the term "cyber") against the US. What are some specific scenarios you're trying to defend against? Do you consider, for example, the rampant credit card fraud on the internet to be a form of economic warfare against the US at this point? How will you go about shoring up the security of our network infrastructure against massive, coordinated intrusion or denial-of-service?
Re: (Score:3, Funny)
(I *hate* the term "cyber")
I and Vice President Cheney are cyborgs, you insensitive clod!
You will be assimilated.
How do you prevent the president from clicking. (Score:2)
With no disrespect to the office of the President: even the President of the United States is human, and he is not an IT expert. How do you prevent him from clicking "that button" which could create a security compromise? I would suspect that the President of the United States would have web access, and would want to go to the basic media outlets, which often have questionable ads on them, and sometimes attempt to trick you into clicking "that button".
Several questions (Score:1)
1. What do you consider to be the most significant change to FISMA that is proposed?
2. Do you expect new Industrial Control System (ICS) regulations to be based on NIST 800-82?
3. There have been many efforts on the procurement front to ensure the security of software that the government purchases including NIAP, Common Criteria Certification and SCAP. This is discussed in the report What regulations are needed to cons
AirForce's cyber-warfare unit (Score:4, Insightful)
So we've been hearing on Slashdot a fair bit about what the Air Force is trying to set up as a cyber-warfare unit. While the goal is understandable (after all, the Estonia DoS attacks have demonstrated how to cripple a country through digital means), I'm a little worried that this unit being in control of the Army could lead to a real problem as far as accountability. No offense to our Air Force generals, but internet security and hacking have little to do with organizing strategic bombings or dogfighting. Who would you like to put in charge of such a division and why?
And what responsibilities would you assign them? As they are part of the US military forces, they are here to protect American interests on this other world that is cyberspace - would they be given the task of attacking hackers and their bot-nets disrupting American businesses? And how would you prefer they go about it? Since the cyber-warfare unit is one of the first of its kind, what kind of rules are they supposed to follow, in this generally un-ruled space known as the Internet?
Anomalies (Score:2)
Catch-22
Catch-22 is a sort of senseless, cruel, and idiotic unspoken rule.... that you have to be insane to fly a bombing mission, which means that you should be grounded (not allowed to fly a mission), but if you don't want to fly, that clearly proves that you are sane and must fly the missions.
Describing the meaning of the phrase "Catch-22".
Yeah, this is going to be long ...
I find myself (and a very few others) in a position similar to Cliff Stoll in his book:
"The Cuckoo's Egg: Tracking a Spy Through the
the Cyber War (Score:1)
Hiring? (Score:2)
Dear Congressman Langevin,
Need a hand? Call me!
Encryption vs. Surveillance (Score:3, Interesting)
As you might guess, I view encryption as a necessary (but not sufficient) tool for protecting information. Do you? Where do you place yourself in the tradeoff between encouraging encryption as part of protecting information from criminals and discouraging encryption as part of surveillance for criminals?
Source code auditing and Trusted Build Agents (Score:2)
Next question (Score:2)
As this is a constant issue that is very pressing in our current society, I am reminded of another question.
Would you be willing to be part of ongoing interviews of similar topics to this for slashdot (assuming slashdot is as well)? Say every couple months or so?
An open forum for discussion is important. An active open forum discussion is even more so.
Our Data: an appeal - a "Plimsoll line" for software (Score:2)
Why does it appear that no one is listening? (Score:1)
Dear Rep. Langevin:
As a hacker/computer security professional, I work daily to stay aware of emerging threats and computer security issues. I interact with people in both the public and private sector (read: businesses and military/spooks). Both groups perceive the US government, specifically the legislature, as unresponsive, exhibiting misplaced priorities, and tolerating ongoing breaches of security by civil servants, our elected officials and public agencies.
Congress appears to be - and has appeared to
Re: (Score:1, Insightful)
Security largely gets lip service. That's it. It's not just Congress. It's everywhere. Most people just don't understand the threat or appreciate the damage that is being done every day.
When you tell people they can't use IE 6 because of security issues, they rise up en masse and complain they can't do their work. Management sides with them and soon the IT security guy is in the doghouse for trying to compromise prod
'Balance' civil liberties? (Score:2)
Sir,
Do you agree that security does NOT require the forfeiture of civil liberties? I want my country, my community, and my family to be secure... but I want it without forfeiting the rights and freedoms that make our country great. I cannot think of a situation where a person's civil liberties NEED to be sacrificed for the sake of security, however our government seems to keep using security as a way to take our freedoms.
I would like to know if you have given some thought to shifting the commissions' focu
Countermeasures (Score:1, Interesting)
Wouldn't it be possible to install perimeter firewalls that act on behalf of the whole United States and block a lot of the suspicious traffic? Kind of a huge iptables firewall?
I realize that places like Chinanet host many innocent netizens tha
Geeks lead the fight (Score:1, Insightful)
While it's all well and good to have yet another set of policy statements, the fact is that policies do not win these battles. Managers, reporting chains, and the junior security personnel do not win these battles. The guys with stars on their shoulders do not win these battles. The senior talent with hands on keyboards provides the tools, indicators, and insights needed to be able to successfully attack or defend.
One senior guy that can reverse engineer a piece of malware quickly and accurately provides t
The federal hiring system is decadent and depraved (Score:1, Interesting)
I live in DC and am currently pursuing a technical computer security-related graduate degree.
Many of my fellow students work in computer security with the DoD, DoJ, etc., although I do not work for the federal government. And the stories that I have heard of the politics involved with federal service and the lack of accountability endemic to the system, particularly at the SES level, ensure that I will not be doing so either.
Regardless, the common denominator among most of these people, or at least those wi
Focus on information control / reframing (Score:2)