Wow, just when you thought big government was someone else's problem
This comes from Lauren Weinstein's list and it's worth a read. It's a bill introduced into legislation, who knows where and when and if it will become law but, wow.

http://lauren.vortex.com/Cyber-S-2009.pdf

I'll just give you a teaser:

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.

(a) IN GENERAL.—Within 3 years after the date of enactment of this Act, the Assistant Secretary of Commerce for Communications and Information shall develop a strategy to implement a secure domain name addressing system. The Assistant Secretary shall publish notice of the system requirements in the Federal Register together with an implementation schedule for Federal agencies and information systems or networks designated by the President, or the President's designee, as critical infrastructure information systems or networks.

Other pearls of wisdom: the government will license all "cyber" security folks and you don't work on government or "any network deemed by the president to be critical infrastructure" without one.

If only we knew: to achieve a secure DNS all you need to do is publish a notice in the Federal Register.

jy
On Sat, Apr 4, 2009 at 2:33 PM, Jeff Young <young@jsyoung.net> wrote:
This comes from Lauren Weinstein's list and it's worth a read. It's a bill introduced into legislation, who knows where and when and if it will become law but, wow.
Relying on Lauren to hear about cybersecurity related news is like relying on Fox News for an accurate picture of what Obama is doing. Ignore.
I'll just give you a teaser:
SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM.
There's more than enough government supported work going on that promotes DNSSEC, in case you're not aware?
Other pearls of wisdom: the government will license all "cyber" security folks and you don't work on government or "any network deemed by the president to be critical infrastructure" without one.
Do you by any chance get to go work on sensitive government networks without, say, a security clearance? --srs
Read it again. It says all government networks and any network the president deems vital; I'd have to assume that would at least be all of the major backbones.

What's the point of picking on the source of the information? Sure his list is moderated and a bit self-serving; that's why you read from the source.

And yes, I am aware of a number of activities inside the Fed Gov around secure DNS; while I applaud them for making a first step, an effective total effort will not come via government procurement. Or aren't you aware?

jy
On Sat, Apr 4, 2009 at 9:47 PM, Jeff Young <young@jsyoung.net> wrote:
Read it again. It says all government networks and any network the president deems vital, I'd have to assume that would at least be all of the major backbones.
Deeming something vital / critical has a whole lot of extra baggage attached to it. Check out for example the OECD surveys on critical information infrastructure.

a. http://www.oecd.org/dataoecd/49/28/40839436.pdf - OECD Seoul Declaration for the Future of the Internet Economy
b. http://www.oecd.org/dataoecd/25/10/40761118.pdf - comparative study of CIIP in OECD economies (Australia, Canada, Korea, Japan, The Netherlands, the United Kingdom and the United States)

--srs
Suresh Ramasubramanian wrote:
On Sat, Apr 4, 2009 at 2:33 PM, Jeff Young <young@jsyoung.net> wrote:
This comes from Lauren Weinstein's list and it's worth a read. It's a bill introduced into legislation, who knows where and when and if it will become law but, wow.
Relying on Lauren to hear about cybersecurity related news is like relying on Fox News for an accurate picture of what Obama is doing. Ignore.
Personally, I always read press releases from the White House and take that as absolute fact. You can't trust people to give you accurate information if they aren't completely subservient to the agenda.
I suggest that we wait until the actual text of S.778 actually shows up at http://thomas.loc.gov before reacting to hyperbolic analysis of drafts not actually assigned to the Committee on Homeland Security and Governmental Affairs. Although I am concerned with what has been attributed to this bill, not all drafts seem to contain the worst text.

Once the Committee takes up the bill, the most effective way to fix or kill it is for the constituents of the members of that Committee to call or write them: http://hsgac.senate.gov/public/index.cfm?Fuseaction=About.Membership

John
Wrong bill. You want S.773, not S.778. There were two bills introduced concerning cyber security. The one that has everybody talking is S.773. S.778 concerns the creation of the Office of National Cybersecurity Advisor within the Executive Office of the President.

S.773
Title: A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009) Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read twice and referred to the Committee on Commerce, Science, and Transportation.

S.778
Title: A bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009) Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Marc

--
Marc Sachs <marc@sans.org>
Director, SANS ISC
Maybe. There was enough scary stuff in a draft of S.778, and its title in some of the worry on the Web, that both probably need to be watched. Having one bill referred to Commerce... and one to Homeland Security... does entail a two-front war.

John
On Sat, 04 Apr 2009 16:16:24 +0530, Suresh Ramasubramanian said:
Do you by any chance get to go work on sensitive government networks without, say, a security clearance?
What the draft actually says:

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

(a) IN GENERAL. - Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) MANDATORY LICENSING. - Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

A few thoughts:

1) Somebody's going to make a mint of money doing certification testing.
2) Somebody's network is going to be left flapping in the breeze because their provider didn't get certified in time.
3) It's interesting that "providers of cybersecurity services" have to be licensed, although others who do security-relevant work on the system/net don't have to be - nor do they define what a "provider of cybersecurity services" is.

So - quick show of hands: If you have a net that this applies to, do you know which of your engineers do/don't need a cert? ;)
Seems like they're following up on Department of Defense Directive 8570.01, under which all Information Assurance personnel (that being defined as anyone with privileged access) are required to be certified. Full policy manual is here: http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
On Sun, 05 Apr 2009 12:58:50 EDT, Michael Barker said:
Seems like they're following up on Department of Defense Directive 8570.01, whereas all Information Assurance personnel (that being defined as anyone with privileged access) are required to be certified.
Sort of what I was worried about - "Providers of cybersecurity services" and "has privileged access" aren't exactly the same thing.
* Jeff Young:
If only we knew: to achieve a secure DNS all you need to do is publish a notice in the Federal Register.
In the end, this is how we got many of our (non-public-key) cryptographic algorithms, and people seem to be quite happy about them.
participants (8)
- Florian Weimer
- Jeff Young
- John Bambenek
- John Schnizlein
- Marcus H. Sachs
- Michael Barker
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu