White House Declassifies Outline of Cybersecurity Plans 51
An anonymous reader writes "The Obama administration on Tuesday declassified part of the Comprehensive National Cybersecurity Initiative created during the Bush administration, outlining offensive and defensive strategies for protecting information networks. The initiative was originally intended to unify efforts of a number of government agencies into a comprehensive strategy to protect the nation's computer networks. 'One area in which the government did officially disclose new details was Einstein 3, a program to protect civilian government systems from intrusion by deploying sensors on the networks of private telecommunications companies. For the first time, the government disclosed officially that the program would use technology developed by the NSA, the nation's largest intelligence agency. It also said that the Department of Homeland Security, which would run the program, would share malicious code data with the NSA but not the content of communications, such as e-mails.'"
Re: (Score:2)
Re: (Score:3, Funny)
No, the budget has been slashed by a fourth. To be exact, by one "S".
Get A Clue Please (Score:1, Insightful)
Maybe you've been living under a rock the last 10 years, or you are just willfilly being ignorant, but the fact of the matter is that these threats are real, and they are ongoing.
I love how the slashtards think the government is just making this shit up for their own benefit, as if China, Russia, and other US adversaries aren't basically broadcasting their intentions and advertise their espionage plans.
Seriously, just read up a bit before spouting such misinformed nonsense. Moderators, please do your jobs.
Re:Get A Clue Please (Score:5, Insightful)
Re: (Score:2)
Yeah, tear up the market share of one of the biggest and therefore politically entrenched companies.
Not happening.
Re: (Score:2)
Re: (Score:1)
They will set them with a batch file, or a shortcut, most likely.
Re: (Score:3, Insightful)
Its not just the slashtards. Ryan Singel at Wired was spouting this exact same gibberish just two days ago [wired.com]. Of course, these are the same people who are in denial of the Brazilian power grid attacks [wired.com].
The idea that the US Government would fabricate [wikipedia.org] information to justify a corrupt agenda [newamericancentury.org] is ridiculous.
The nerve of some people.
Re: (Score:2)
Re: (Score:3, Insightful)
As 2003 unfolded i often wondered if the left would have been so cynical and vehemently opposed to overthrowing Saddam if Clinton or Gore had ordered it. What would take the place of "no blood for oil" or "Bush == Hitler"? Would they have drawn Hitler mustaches on Gore's face? Or would they have seen that the UN inspections, no fly/drive zones and sanctions were about to end and realized that Saddam would have gone right back to producing WMDs, brutalizing his own people and invading his neighbors? Follow
Re: (Score:3, Interesting)
Why? He was a neutered dictator at that point, unable to commit the acts of genocide that he committed in the past. Thus, he wasn't significantly worse than most of the other leaders in that region.
Re: (Score:3, Insightful)
I agree that Clinton didn't care about the Iraqi people, or, more accurately he didn't do anything to show it if he did. But then he wasn't president of Iraq was he, he was president of the US.
I honestly think Bush cared even less though. Bush never claimed he sent our troops to save the Iraqi people. H
Re: (Score:2)
There are two things a leader in the middle east cannot do. Show support for Israel and show support for the US. We are not liked in that part of the world. A leader who appears to give in with no fight to our demands (and the UN inspections were our demands) will not last. He will be seen as weak at best, possibly a traitor. He would be attacked from within his own country and possible from his neighbors as well. Such a leader would not last.
Saddam was playing a bala
Re: (Score:1, Flamebait)
It is, simultaneously the case that team china loves their espionage and the case that every creepy fossil in the military-industrial complex smells profit and power.
I, for one, find phrases like "More specifically, we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable." coming out o [wired.com]
Re: (Score:2)
So this means I have to fight off the Chinese and the Military Industrial Complex at the same time? And do it in my spare time, with no budget?
Ok, so be it. 8)
Re:Get A Clue Please (Score:4, Insightful)
How many financial transactions take place at ATMs loaded with Windows 2000? How many banks have crappy, poorly written ASP.NET websites.
How about all those malware filled crusty old porn surfing boxes that manage our power grid in their spare time?
Yes, there is a problem. We are vulnerable and something bad will someday happen. However, nothing our government is going to do is going to help. What's necessary is for the people to demand better from the hospitals, banks, power companies etc... which implement this crap. That isn't going to happen. The people don't understand, don't care and don't want to.
Meanwhile what is some government agent reading my email going to do to help? Our government has a horrible track record on privacy and lately even on basic human rights in general. On top of this, all three branches and both parties are in the pockets of media executives who admittedly do have some legitimate points about their property being stolen but would like to take things way beyond protecting what is truly theirs and eliminate fair use while closing off media to any potential competitors.
Protect the internet, protect free speech. Keep the government out.
Re: (Score:2)
You were going so well until you said "poorly written ASP.NET" websites. Anyone can write a poorly designed website in any language, with loads of SQL injection vulnerabilities and all that good stuff.
Re: (Score:2)
Maybe it's more because the fly by night learn to program in week type of classes tend to focus on Microsoft platforms. Or maybe it's because
Re: (Score:2)
You're absolutely right, there are a lot of bad practices in web design.
Re: (Score:2)
How about all those malware filled crusty old porn surfing boxes that manage our power grid in their spare time?
I have a feeling not as many of these exist as you think. I'm no power grid expert so maybe I'm just naive, but I can't imagine that engineers are using the exact same machines to control the power grid as they for personal computing. I've been inside control rooms for water processing facilities and, typically, any computer designed to be in direct control of anything vital is built around that specific function. It's not like "Joe from I.T." decided to run the plant's control software on his laptop today.
Re: (Score:2)
Then again, I just read the article with the statements from our new "Cyber War Czar". He actually says the insecure power grid computers are a myth. That's refreshing, non-FUD regarding computers from a member of our government? Maybe it isn't so bad after all. I stil
The First Condemnment! (Score:1)
Re:The First Condemnment! (Score:4, Funny)
Tell me, Mr. Anderson... what good is a phone call... if you're unable to speak?
I know, I know, it's old and overused, but admit it, when did it fit better?
Concerns About Dinner (Score:2)
"...Mike Brown needs a little more time for dinner in Baton Rouge. He'll get back to you..." - D.H.S. Staff Communication.
Re: (Score:3, Insightful)
I guess my most major concern about using the Department of Homeland Security is that if anything should go wrong; that it's not during dinner.
And I guess my most major concern about using the Department of Homeland Security is that. They take my nail clippers away because it's a security risk, say I can't wear underwire bras, have closed the bathroom down for most, if not all of the flight (and god help you if you have a feminine issue then) now they want to take high-resolution naked pictures of me and share them with their government buddies, contractors, and basically anyone not me. They can't even handle issues of basic sanitation and common
High Risk - High Payoff? (Score:5, Interesting)
Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and which can be deployed within 5 to 10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cybersecurity problems. The Federal Government has begun to outline Grand Challenges for the research community to help solve these difficult problems that require 'out of the box' thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas.
(Emphasis mine)
I propose instead that we consult the results of the previous R&D work that has been active in this area since the 1960s, and learn the lessons of problems already solved. This is low risk (as we've already paid for it), high payoff.
Let's get capability based security into the hands of the masses. This will remove their machines from the threat pool. It would also allow those inside the government to manage security in a much more granular (and thus more effective) manner.
This can be fixed, and it doesn't require a high risk, just due diligence, and hard work.
Re: (Score:2)
This can be fixed, and it doesn't require a high risk, just due diligence, and hard work.
Which makes it, politically, decidedly non-sexy, and therefore unlikely to be seriously considered as a workable approach. I've seen it with my own eyes, made the same suggestions almost 10 years ago when Richard Clarke and the PCCIP dog and pony show was in town. Blank stares at the suggestion that the PC's of "the masses" were the high ground and could be taken at will by the bad guys. Then, as now, the reality, evident to anyone with a clue when it comes to security issues, is that we are on our own. The
Re: (Score:1)
1) No one's going to be developing anything in 5-10 years. NSA will pull something out of a hat that's been in the works for decades. And it'll probably be exactly what you guessed.
2) "Dealing" with the private sector sounds ominous.
3) This sounds suspiciously like DRM. Oh, you do business with the feds? You'll need to use certified, "trusted" systems that allow NSA to remotely memory-hole anything you're accidentally sent.
4) Next step: Internet user licensing. Say goodbye to anonymity. Three-strikes
read the solution is here (Score:3, Insightful)
How about designing an Operating System that strictly differenciates between code and data - and don't download code from the Internet, except from a well defined whitelist of known secure and verified sources. And don't allow the excecution of code by clicking on a URL or opening an email attachment.
"The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology"
Except enumerating badness [ranum.com] is a bad idea, and if the computers didn't arbiterarly execute code coming in off the Internet then you wouldn't need to analysis of network flow of information. Such a monitoring system itself being open to abuse. Your one stop shop to hacking the entire grid.
Re: (Score:2)
Yes, enumerating badness is a bad idea... you'll aways be behind. Securing the OS by simply allowing the user what rights to grant a program at run time is a much more sane approach, don't you think?
Re: (Score:3, Interesting)
No, I don't propose enumerating goodness. I propose that you tell the OS what capabilities you want to give to a program when you run it. Don't trust code, and you don't have to try to solve the halting problem.
The USER of the system is the one who should decide what's appropriate. They aren't likely to give permission to trash the OS if things are kept transparent and easy to understand.
Re: (Score:2)
He isn't proposing 'enumerating goodness' from an "official". He is saying the USER should have to approve any new software installation. If I am installing a new package and it asks me for approval, I say yes. If I visit SexyMidgetsAndTheWomenWhoLoveThem.com and it asks me for approval to install software I say no.
Old news (Score:3, Insightful)
It also said that the Department of Homeland Security, which would run the program, would share malicious code data with the NSA but not the content of communications, such as e-mails.
... because they already have that from the network providers.
Re: (Score:2)
This is not self-monitoring. (Score:4, Interesting)
The desire for government agencies to have "situational awareness" in the form of deep-packet inspection of every transaction coming in or out of their network is nothing more then a proactive capability that any responsible Admin might want for their network. (assuming they disclose this capability and have policy dictating its use)
What does worry me are the washington posts comments about Telcom involvement.
This other article make it very clear EINSTEIN 3 is truly NSA equipment installed on the commercial telcom network where the potential exists for it to easily be repurposed to monitor _OTHER_ traffic streams.
http://www.washingtonpost.com/wp-dyn/content/article/2009/07/02/AR2009070202771.html?nav=emailpage [washingtonpost.com]
this is a whole different animal from whitehouse.gov's portrayal of responsible network admin.
Re: (Score:2)
That is not correct, the equipment is placed on the telco side of the gov entities connection where it comes into the facility.
The only traffic being inspected, is what is coming and going to said gov entity, nothing more.
The original Einstein program was based on the silk analysis tool suit developed (and open source) by CMU, then second edition of the program used a commercial tool that sucked horribly, it was slow when you started creating different network groups to separate the traffic based on each in
Slippery slope (Score:3, Insightful)
I think this is the most obvious example of a slippery slope that I've ever heard. The government is going to install devices that can intercept communications, and promise not to use it. Pardon me while I go beat myself over the head repeatedly. I need to lose at least another 30 IQ points before I can continue to live in this country.
It also said that the Department of Homeland Security, which would run the program, would share malicious code data with the NSA but not the content of communications, such as e-mails
Defense: a legitimate government power, right? (Score:4, Insightful)
If your neighbor is worried about the Red Menace, he might be inclined to put a ABM launch site in his backyard, or even ICBMs as deterrent force.
You probably don't want that.
There are some very good reasons for centralizing physical warfare under a single political authority. It's not just that the constitution says this is a federal executive job (i.e. not something you leave to the states or the people); it's a good idea. If it weren't in the constitution already, I think almost all people would support an amendment making it so.
But even so, there are limits to that. There's no legitimate reason the federal government should be able to have any sort of authority at all, over whether or not people are allowed to build bomb shelters. A bomb shelter isn't a particularly good way to deal with the threat of nuclear holocaust (the best thing to do, is persuade the Russkies to not attack in the first place), but it doesn't really endanger your neighbors or usurp the president's negotiating power.
The same applies even to 18th century threats. If your neighbor is worried that the Brits might try to retake the colonies, it's ok for him to stock up on musket ammunition, but that's not really a good solution either. You want a single political entity to deal with the Brits, hopefully at a point long before anyone has to worry about redcoats marching through their farms.
With cybersecurity, the situation is pretty different. The analogy to relatively ineffective private bomb shelters and relatively ineffective musket ammunition stockpiles, happens to be the best solution to computer security problems. If you decide to have a policy of not executing malware, you are pretty much invincible except for Denial of Service issues related to overwhelming traffic. (And the private network providers are able to deal with that.)
We don't need any sort of central authority for dealing with computer security. That doesn't mean a central plan would be totally useless, but the payoff is pretty low. A president in charge of cybersecurity is about as an effective solution to cybersecurity, as bomb shelters are an effective solution to nuclear war.
People can already deal with this; they just don't bother to. That's their problem.
Now, TFA is actually not all that stupid-looking. He's mostly talking about the government protecting goverement systems. That's a no-brainer. But we don't need them to protect private networks, and I hope people keep an eye on any bullshit that moves in that direction.
Re: (Score:1)
WOW... very insightful!
Preview of outlines (Score:5, Funny)
+-----------x
| |\
| | \
| | \
| | \
| ----
| |
| |
| |
| |
| |
| |
+----------------+
Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition.