Here in the information assurance salt mines, we sure do loves us some conspiracies, so here’s the conspiracy of the month: S.773 gives the Government the ability to view your private data and the President disconnect authority over the Internet, which means he can sensor it.
Let’s look at the sections and paragraphs that would seem to say this:
(b) FUNCTIONS- The Secretary of Commerce–
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;
Section 18: The President–
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
Taken completely by itself, it would seem like this gives the president the authorities to do all sorts of wrong stuff, all he has to do is to declare something as critical infrastructure and declare it compromised or in the interests of national security. And some people have:
And some movies (we all love movies):
It makes me wonder since when have people considered social networking sites or the Internet as a whole as “critical infrastructure”. Then the BSOFH in me things “Ye gods, when did our society sink so low?”
Now, as far as going back to Section 14 of S.773, it exists because most of the critical infrastructure is privately-held. There is a bit of history to understand here and that is that the critical infrastructure owners and operators are very reluctant to give the information on their piece of critical infrastructure to the Government. Don’t blame them, I had the same problem as a contractor: if you give the Government information, the next step is them telling you how to change it and how to run your business. Since the owners/operators are somewhat non-helpful, the Government needs more teeth to get what it needs.
But as far as private data traversing the critical infrastructure? I think it’s a stretch to say that’s part of the requirements of Section 14, it’s to collect data “about” (the language of the bill) the critical infrastructure, not “processed, stored, or forwarded” on the critical infrastructure. But yeah, let’s scope this a little bit better, CapHill Staffers.
On to Section 18. Critical infrastructure is defined elsewhere in law. Let’s see the definitions section from HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection:
In this directive:
The term “critical infrastructure” has the meaning given to that term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
The term “key resources” has the meaning given that term in section 2(9) of the Homeland Security Act of 2002 (6 U.S.C. 101(9)).
The term “the Department” means the Department of Homeland Security.
The term “Federal departments and agencies” means those executive departments enumerated in 5 U.S.C. 101, and the Department of Homeland Security; independent establishments as defined by 5 U.S.C. 104(1);Government corporations as defined by 5 U.S.C. 103(1); and the United States Postal Service.
The terms “State,” and “local government,” when used in a geographical sense, have the same meanings given to those terms in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
The term “the Secretary” means the Secretary of Homeland Security.
The term “Sector-Specific Agency” means a Federal department or agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category. Sector-Specific Agencies will conduct their activities under this directive in accordance with guidance provided by the Secretary.
The terms “protect” and “secure” mean reducing the vulnerability of critical infrastructure or key resources in order to deter, mitigate, or neutralize terrorist attacks.
And referencing the Patriot Act gives us the following definition for critical infrastructure:
In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
Since it’s not readily evident from what we really consider to be critical infrastructure, let’s look at the implemention of HSPD-7. They’ve defined critical infrastructure sectors and key resources, each of which have a sector-specific plan on how to protect them.
- Agriculture and Food
- Banking and Finance
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Government Facilities
- Healthcare and Public Health
- Information Technology
- National Monuments and Icons
- Nuclear Reactors, Materials and Waste
- Postal and Shipping
- Transportation System
And oh yeah, S.773 doesn’t mention key resources, only critical infrastructure. Some of this key infrastructure isn’t even networked (*cough* icons and national monuments *cough*). Also note that “Teh Interblagosphere” isn’t listed, although you could make a case that information technology and communications sectors might include it.
Yes, this is not immediately obvious, you have to stitch about half a dozen laws together, but if we didn’t do pointers to other laws, we would have the legislative version of spaghetti code.
Going back to Section 18 of S.773, what paragraph 2 does is give the President the authority to disconnect critical infrastructure or government-owned IT systems from the Internet if they have been compromised. That’s fairly scoped, I think. I know I’ll get some non-technical readers on this blog post, but basically one of the first steps in incident response is to disconnect the system, fix it, then restore service.
Paragraph 6 is the part that scares me, mostly because it has the same disconnect authority as paragraph 2and the same scope (critical infrastructure and but the only justification is “in the interests of national security”. In other words, we don’t have to tell you why we disconnected your systems from the Internet because you don’t have the clearances to understand.
So how do we fix this bill?
Section 14 needs an enumeration of the types of data that we can request from critical infrastructure owners and operators. Something like the following:
- Architecture and toplogy
- Vulnerability scan results
- Asset inventories
- Audit results
The bill has a definitions section–Section 23. We need to adopt the verbiage from HSPD-7 and include it in Section 23. That takes care of some of the scoping issues.
We need a definition for “compromise” and we need a definition for “national security”. Odds are these will be references to other laws.
Add a recourse for critical infrastructure owners who have been disconnected: At the very minimum, give them the conditions under which they can be reconnected and some method of appeal.