Risque Management : Politics

US Senate: security through (more) bureaucracy

Slav — Sat, 04 Apr 2009 23:15:00 GMT

When I first read the news on the Washington Post web site, I thought this is a 1 April joke: Senate Legislation Would Federalize Cybersecurity. The April Fool's day has come and gone but all the signs are to that this is for real: the press releases trumpeting arrival of the legislation are still there. The bill's summary is available from the US Senate Web site (I cannot find the full text of proposed legislation yet). The problem definition is a typical scaremongering:

This comprehensive legislation addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage, and cyber attacks that could cripple our critical infrastructure. We presently have systems to protect our nation’s secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies’ cyber capabilities. However, another great vulnerability our country faces is the threat to our private sector critical infrastructure–banking, utilities, air/rail/auto traffic control, telecommunications–from disruptive cyber attacks that could literally shut down our way of life.

So get ready for digital Pearl Harbor. Real one: Conficker virus, another April Fools' event, which some described as just that, caused zero noticeable impact.

Coming from professional politicians, the bill unsurprisingly proposes to improve the cybersecurity situation by introducing colossal new bureaucracy, headed by the US Cybersecurity Fuehrer (or Tzar, or Leader, if you so wish). If it becomes a law then the governemnt will have control over information security matters in private sector:

The legislation would require the National Institute of Standards and Technology to establish measureable and auditable cybersecurity standards that would be applicable both to government and the private sector.

Although the press release and the summary mention specifically critical infrastructure controlled by private entities - utilities, banking, transportation, health and telecommunications - apparently the bill's scope is not limited thereto. That would dwarf Sarbanes-Oxley and HIPAA information security rackets and create massive compliance burden on the economy. Layers upon layers of firewalls, "endpoint security" and "intrusion prevention" technologies, and regular compliance audits may become mandated by the law.

The bill would also attempt to place a dollar value on cybersecurity risk. Ironically placed uder the Foster innovation section, it means this:

The legislation would require the Advisor to provide a report on the feasibility of creating a market for cybersecurity risk management, to include civil liability and government insurance.

Welcome to the cybersecurity cap-and-trade scheme!

This is not the first attempt to create cybersecurity bodies in the government. Think of the DHS and its Cybersecurity Center, the people who brought us this:

Yet according to the senators all the efforts have basically failed. Maybe that signifies a problem with the approach? It does. Government-mandated dogma is not a substitute for a pragmatic approach to security threats.

Wireless network in Canberra's Paliament House

Slav — Sat, 01 Dec 2007 07:44:00 GMT

Recently I have visited Australia's Parliament House in Canberra. As parliaments of many other democratic countries, it is open for public access. Notably, there was no wireless LAN available. Not for long - implementation of
wireless network is forthcoming.

There are many interesting bits and pieces in the information. Focus on security is understandable. I do not expect the implementation be anything extraordinary - our usual mixture of Cybertrust consultants, and DSD analysts and government bureaucrats working on rather predictable solution (my bet is on wholesale implementation of Cisco equipment and software, and certificate-based authentication). One thing that draws attention is that the intention is to provide wireless internet access capability to building occupants and visitors to the building such as delegates and invited guests. No public access.

That would be wrong. Australia needs to set example by providing free-for-all wireless Internet access in the Parliament House. This will be a token of Labor government's commitment to the broadband future for Australia. We have free parking at the House, why not free Internet?

Technically, providing public Internet access is not too hard, and it will only marginally increase the cost of the project. You create a separate SSID (open access), connect the clients to a separate VLAN, and route that outside of the government's firewall. Traffic shaping optional. Guests never really hit the "internal" network above the physical layer (which, being radio spectrum, is available to anybody anyway). If I'm right and Canberra goes with Ciso solution, this detailed guide is available.

I have emailed my MP asking for Internet access for general public. We'll see what comes out of it. Next time I'm going to Canberra I'm taking my laptop loaded with all the wireless tools to check out what the solution is.

The yardstick of a democracy

Slav — Sun, 20 May 2007 00:03:00 GMT

Received via Arvin Meyer, a fellow MVP:

The yardstick of a democracy is the degree of unorthodoxy permitted

- SOURCE UNKNOWN

I couldn't agree more. Full consensus is a bad starting point for decision making in any system - that being political, judiciary or business. Orthodoxy thrives where there's no democracy. Democracy may not be the best solution for everything (Down With Internet Democracy - Why you don't want anonymous volunteers powering your search engine). But dogmatism is a bigger danger - resulting in anything from useless security best practices to Taliban.

Tracing phone communications: mission expensive and impossible

Slav — Sun, 06 May 2007 04:32:00 GMT

Herald Sun, a local tabloid, reports:

VICTORIANS will be surprised to learn that the major telecommunications companies, including Telstra, charge the police when they check on calls by criminals.

This year Victoria Police's total bill will be about $800,000.

The service is provided at cost, but Chief Commissioner Christine Nixon wants it to be free.

Telstra said it received more than 300,000 requests a year nationally from police.

I'm not surprised. But these are interesting details. Looks like every call list costs the police tens of dollars - while same information is provided for free to the criminals in question (as they are Telstra's, Vodafone's and Optus' customers for the telephone service). Which is not fair.

And while the number of requests on their cost grows every year, criminals are getting smarter:

Police are increasingly worried crooks are using false identification to buy bulk pre-paid SIM cards so their calls stay anonymous.

Opportunities for anonymous communivations today are endless. The premise is free connection to the Internet that is available in many locations in Australia and elsewhere in the world. You can then sign up for any of services that give you free calls (Live Messenger, Skype, Wengo, you name it). One bit that is a little difficult is anonymous payment. Opportunities are in prepaid/gift credit cards as well as alternative payment systems. But payment is only required for interfacing with the legacy telephone system. It is interesting to see how availability of free and anonymous communications will transform crime - but there's little doubt that it will.

Alliances of incapable

Slav — Sun, 08 Apr 2007 02:13:00 GMT

Anyone remembers United Linux? An attempt of few Linux distro makers to take on Red Hat, the market leader, by creating a common product core, it has become a spectacular failure.

Apparently many didn't learn the lesson. There are two other industry alliances, both working in the information security space, that look very much like the abovementioned failure.

The first one is called Liberty Alliance. The stated goal is to create open standards for federated identity management as well as business and deployment guidelines, and the best practices for managing privacy. The real goal was to respond to Microsoft's Hailstorm (or .Net My Services). Microsoft's initiative never meterialised but the Liberty Alliance drags on, without focus and with really good and viable alternatives available. They even release specifications - as useful as Microsoft® .NET My Services Specification, also available (from $0.01).

The other alliance is OATH - the Initiative for Open Authentication. The stated goal is to address issues like theft of information and unauthorised access with a set of open standards. OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks. The real goal is to counter RSA Security (and its really good proprietary one-time password solution) advances in the market.

Here's the issues with the alliances: they are created based on marketing considerations; they try all-encompassing solutions and position themselves as best practice from the beginning, before gaining any credibility outside of the alliance members and their customers; and their strategy is dictated by their competition.

Grassroots movements with no obvious corporate alignment produce much more valuable outcomes.

Decision making too hard

Slav — Wed, 04 Apr 2007 03:22:00 GMT

Amazing news from the US:

The Federal Communications Commission has officially grounded the idea of allowing airline passengers to use cellular telephones while in flight.

Existing rules require cellular phones to be turned off once an aircraft leaves the ground in order to avoid interfering with cellular network systems on the ground. The agency began examining the issue in December 2004.
...
In an order released Tuesday, the FCC noted that there was "insufficient technical information" available on whether airborne cell phone calls would jam networks on the ground.

It takes more than two years for a bunch of government employees (with employment benefits many Americans can only dream about) to make decision that they cannot make decision. And therefore leave restrictions in place. The restrictions that are wrongly presented to us the airline customers as a safety measure (responsible for the flight safety is another authority, the Federal Aviation Administration).

It probably would be cheaper for American taxpayers to finance full-scale testing, with cell networks and airplanes stuffed with hundreds of active mobile phones flying above those somewhere in Arizona desert. But apparently the government bureaucrats aren't interested in making decisions based on facts. That's sad.

This is real security

Slav — Tue, 27 Mar 2007 22:44:00 GMT

Zbigniew Brzezinski, a prominent political scientist, recently wrote an interesting article in Washington Post - Terrorized by 'War on Terror' (How a Three-Word Mantra Has Undermined America). It's an analysis of the recent change in American mentality and a worthwhile reading. But there's something that Dr. Brzezinski gets just wrong:

Just last week, here in Washington, on my way to visit a journalistic office, I had to pass through one of the absurd "security checks" that have proliferated in almost all the privately owned office buildings in this capital -- and in New York City. A uniformed guard required me to fill out a form, show an I.D. and in this case explain in writing the purpose of my visit. Would a visiting terrorist indicate in writing that the purpose is "to blow up the building"? Would the guard be able to arrest such a self-confessing, would-be suicide bomber? To make matters more absurd, large department stores, with their crowds of shoppers, do not have any comparable procedures. Nor do concert halls or movie theaters. Yet such "security" procedures have become routine, wasting hundreds of millions of dollars and further contributing to a siege mentality.

An apparent failure to apply Occam's razor. The war on terror isn't the reason for screening visitors to the office buildings. It's a layer of physical security that exists to protect private property. It makes computer and office equipment theft, a universal problem in such environments, harder. Therefore the checks aren't all absurd.

And producing an ID isn't necessary. Such requirements can be (and sometimes should be) successfully challenged. Here's How To Fly Without ID. That works. Similarly, if you're invited to a meeting, you don't have to prove your right (or permission) to attend. That's not like crossing border of a foreign country.

Don't confuse real security for stupid security. There is a fine line between the two.

Kashrut, Sarbanes and Oxley

Slav — Wed, 21 Feb 2007 07:30:00 GMT

This is about interpretations, and how they transform law into something unrecognisable. The first example is karshrut, the orthodox jewish diet. Its origins can be traced mostly to the eleventh chapter of the third book of Bible (or Torah, if you like...(read more)