
Can America Take Over the Internet?

Friday, September 11th, 2009

Original Title : Cyber FUD s773

9.11.2009 – I haven’t forgotten.

A final straw has just broken this camel’s back. I’m not exactly sure why it suddenly became such a big issue, but the story about “Obama can shut down the Internet” really topped the charts there for a while. I even had someone ask me about it without the facilitation of an electronic or analog device. Today, I saw one more headline about the topic than was good for me, and as I said it was the last straw. The thing that bothers me more than the sudden influx of news stories suddenly paying attention to this legislation is that nothing regarding the president’s powers has changed since its introduction. A few of us were making noise about this months ago, and it was no big deal. So some mainstream media must have picked up on it, and the type of people who take in that sort of information ate it up. In what seems to be par for the course, those covering the story have no idea what they are talking about, and are just playing on the popularity of the subject to attract attention to their publication.

Internet Takedown Links

Let’s just skip over the fertile male bovine fecal matter, and get to the point.

Can Obama Shut Down the Internet?  – New Legislation Gives President Emergency Control.

That is a whole load of ignorance. Obama wouldn’t know how to turn off the internet even if such a thing was possible. Yes, the new legislation does contain wording related to the executive powers of control over critical infrastructure, but in reality this is nothing new.

Lawmakers strike new tone with proposed bill giving Obama power to shut down Internet

When the bill was released in April, Leslie Harris, president and CEO at the Center for Democracy and Technology (CDT), which promotes democratic values and constitutional liberties for the digital age, told Network World: “We are confident that the communication networks and the Internet would be so designated [as critical infrastructure], so in the interest of national security the president could order them disconnected.”


I suppose this is the right day for this article.

In time of emergency the government has the power to seize control over anything and everything they desire. This includes the communications infrastructure and access to the internet.  If the people covering this story were aware of this, they might have expressed their concern over the redundancy of this power; why are they reminding us of this now?

Existing laws already give the president broad discretion on how to respond to cyberattacks, despite language in a Senate bill that proposes giving the president specific powers during such events, according to experts.

Experts debate expansion of president’s cybersecurity powers

The president has that power under the National Security Strategy, Addicott said. The most recent National Security Strategy was published in 2006.

Addicott said the bill — S.773 — probably included the language to more clearly define how government officials expect to react to a potential threat, Addicott said. There are precedents for presidents acquiring authority in situations where they do not legally need it, he said.


The people pushing this legislation are using scare tactics to advance their agenda. Using the threat of a cyber-911 or cyber-pearl harbor type of event as leverage to wedge the legislation into existence, they are merely trying to grow a new teat on Uncle Sam’s buttocks for them to feed from.

New Threat Scenarios Drive Cybersecurity Planners to Mull Responses

“It could even be a panic if you think about it,” Meyerrose said. “A story catches hold, there’s an attribution that says that country x has infiltrated something and nobody can take anything out of an ATM, or your power is going to go off or your water is going to turn off or whatever. And then a panic ensues. Those are the kinds of things (to consider) when you’re talking about cyber 911s or cyber Pearl Harbors, in my view.”

Meyerrose said laws are in place already for a situation like the one eight years ago, when the United States was attacked and President Bush ordered all aircraft grounded until further notice. But those aren’t easily applicable to cyberspace.

“There are already provisions I believe — and most of the folks in the business and the government believe — that give the powers to the president that allow to effectively do what needs to be done in times of national emergency,” Meyerrose said.

“I would be troubled if the president didn’t have some sort of emergency powers” for the Internet, he added. “The real ambiguity is, what’s the trip wire for making it a national emergency?”

Obama Administration Seeks “Emergency Control” of the Internet

True enough as far as it goes, these “free market” cheerleaders are extremely solicitous however, when it comes to government defense and security contracts that benefit their clients; so long as the public is spared the burden of exercising effective control as cold cash greases the sweaty palm of the market’s “invisible hand”!


Of course Meyerrose is the former head of technology for the US Spymaster, and is now the traveling salesman for the Harris Corporation which works with the NSA on U.S. SECRET level encrypted communications. In  2008 it was the number one recipient of funds from the Department of Commerce, and makes billions of dollars a year in revenue. Security and cyber is their business. With the cybercommand being hosted by the NSA, I’m sure Harris <HRS> is a stock symbol to watch.

Internet security bill continues to cause uproar

Larry Clinton, president of the Internet Security Alliance, which represents a cross-section of IT companies including Verizon and Nortel, has criticized what he calls vaguely worded language in the latest version.

“It is [still] unclear what authority … is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill,” he states.

However, there are those who say the recommendations make sense. James Lewis of the Center for Strategic and International Studies compared the provisions to President Bush’s decision to shut down airlines after the 9/11 attacks.

“It seems foolish not to have the same authority for cyberspace,” he said, quoted by TheHill.com. “It’s not that the president will wake up in a bad mood one day and implode Yahoo. This would apply only to severe national emergencies. … This is a great opportunity to blast us into a new level of discussion about cybersecurity.”


Ok, so not everyone writing about this is in need of immediate cranial rectal extraction, just most of them.  Lewis’ statement points something out that is important to note.


James Lewis of the Center for Strategic and International Studies compared the provisions to President Bush’s decision to shut down airlines after the 9/11 attacks.


Next time you read a story that says ‘the government can’t shut down the internet because 90% of the infrastructure is privately owned’, I want you to think for a moment; did the government own the airlines? Remember, once these systems are designated as critical infrastructure, regardless of their ownership, they will be required to comply with federal standards which put them indirectly under government control. Depending on who is attached to these networks, the systems will fall under control of either Homeland Security or the NSA. Both competent agencies with the public’s best interests at heart.

Obama Administration Seeks “Emergency Control” of the Internet

Drafted by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME), “best friends forever” of the National Security Agency (NSA) and the telecommunications industry, they were key enablers of Bush-era warrantless wiretapping and privacy-killing data mining programs that continue apace under Obama.


Once the ‘emergency’ is declared, and the networks are commandeered, privacy’s already dead zombie corpse is beheaded and killed with fire, so not even the illusion of privacy would remain. 

The initial question remains. Can America Take Over The Internet?

My initial reactionary response to this absurd question is “of course not”. Though after some discussion it seems to be that with enough pressure from the United States, most international corporations, telecommunications providers, and ISPs are likely to cave and accept the forced compliance standards. After all, if America gets the DNSSEC root, then the DHS will be able to shut down pretty much whatever they want on an international scale, not to mention that the IANA was a US Department of Defense contract which ICANN was created to handle after the death of Jon Postel.

New Agreement Means Greater Independence in Managing the Internet’s System of Unique Identifiers

“The United States Department of Commerce has clearly signaled that multi-stakeholder management of the Internet’s system of unique identifiers is the way ahead and ICANN is the obvious organization to take that responsibility,”

- ICANN will no longer have its work prescribed for it. How it works and what it works on is up to ICANN and its community to devise;
- ICANN is not required to report every 6 months as it has been under the MOU. It will now provide an annual report that will be targeted to the whole Internet community;
- There is no requirement to report regularly to the DOC. The DOC will simply meet with senior ICANN staff from time to time.

“The ICANN model of multi-stakeholder consultation is working and this agreement endorses it.”


No requirement to report to the Department of Commerce, they can just come over for drinks every once in a while to see how things are going. “Multi-stakeholder consultation” makes me wonder where the ICANN is getting its funding. Strangely enough, the federal funding for ICANN seems to be incompletely listed.

ICANN Funding

It is unclear from the above paragraph whether ICANN inherits IANA’s self-proclaimed mandate of ‘Preserving the central coordinating functions of the global Internet for the public good.’ However, it would appear that it is in a good position to assert end-users should be willing to pay. If they are not, then the internet should be allowed to fall apart. Certainly the regulatory authorities who have largely stepped aside to allow this experiment to happen ‘would like to see an economically rational and practical charging system – a contribution per name registered for example.’ Therefore ICANN devises a funding scheme that not only takes account of intermediary functions, but goes directly to the beneficiaries of the connectivity ICANN preserves and asks them for a contribution appropriate to the value of their benefit. ICANN provides security and stability. What is the price of that stability and security? What further can ICANN do to provide these services? It is in terms of the above argument that, apart from registry contributions, well-wisher contributions (disallowed as political contributions long-term?), we devised a quadripartite funding plan which can draw income from the end-user services ICANN provides. However it is not suggested that ICANN, in its not-for-profit guise, should operate these income streams directly -this would hazard the not-for-profit status of ICANN and threaten its mandate-, but that it be an agreed beneficiary on a cost-recovery basis, whilst any other pooled income accrues to intermediaries pro rata.


So now, I believe, the question should be: “Can the World Take The Internet From the USA?”

S.773 – The Cyber Security Act of 2009 – part 3

Friday, June 12th, 2009

S.773 The Cybersecurity Act of 2009 pt3

This is part three in a series reviewing the proposed cybersecurity legislation.

(e) FCC NATIONAL BROADBAND PLAN- In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.

At the end of section 6, I decided to carry this last paragraph over to the next article. Under the bailout bill funding will be provided to create new problems for protecting national infrastructure. This includes the new smart grid for energy transfer, and a new advanced air traffic control technology. The FCC is responsible for reporting on the security of the commercial internet, and will receive bailout money for evaluating the network’s security.

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

This is a mandatory national computer and infrastructure security license. It will include anyone who is engaged in network or computer security at the federal level, and operators of systems deemed critical by the president or his advisor. Critical systems can include internet operations. Federal and local emergency response systems are already dependent on the internet. In the case of a national emergency or in wartime the government does reserve the right to commandeer all forms of communication. This act would require anyone operating any of these systems to receive approved training to qualify for a license to practice the security trade within the United States. The vague nature of critical systems could mean that anyone who operates publicly accessible private equipment may be required to obtain this license to operate the internet.

SEC. 8. REVIEW OF NTIA DOMAIN NAME CONTRACTS.

The IANA is a government contract. The work is currently being carried out by ICANN. This group has been approved by the Defense Department since the IANA contract was handed over. The bill makes it clear there will be no changing of this situation without review, consideration, and approval.

SEC. 9. SECURE DOMAIN NAME ADDRESSING SYSTEM

This sets a three-year timetable to develop a strategy for implementation of a secure Domain Name System (DNS). This is a political issue. The industry has already developed methods of securing the domain name addressing system. It is the role of the government to resolve the issues of foreign and domestic implementation. Federal and critical systems will be required to participate in the secure DNS. Internationally it would fall under the Department of State and the President to convince other nations to adopt the system.

SEC. 10. PROMOTING CYBERSECURITY AWARENESS.

The national cybersecurity awareness campaign will come complete with mascots and public service announcements. There will be awareness training beginning in the first years of school.  The goal of this is to not only create awareness of potential threats, but also to create an information and technology workforce for the future.

SEC. 11. FEDERAL CYBERSECURITY RESEARCH AND DEVELOPMENT.

In an effort to bring the United States to the front of this digital arms race, funding will be directed to research and development. The National Science Foundation will be given priority in researching how to design and build systems that are secure and reliable when first deployed. They will develop the ability to audit software, so that it “implements stated functionality and only that functionality”. Part of this will involve “selected secure coding education and improvement programs”, where the Director of the Foundation will look at ways to integrate secure coding into the “core curriculum of computer science programs” and “other programs where graduates have a substantial probability of developing software after graduation”. Colleges and universities regularly receive funding from the NSF; if this amount is over one million dollars, these institutions will release to the Foundation their statistics on computer science students, and those in related fields. These figures will include the number of students likely to enter software design or development, whether or not they received secure coding education, and what classes they were enrolled in. The NSF would like to evaluate these programs, and measure the effectiveness of the students “to master secure coding and design”.
The NSF will also research identity and information assurance, including the ability to “determine the origin of a message transmitted over the Internet”. The Foundation will provide support towards building new protocols for Internet security. There will be grants awarded for the creation of internet test labs “sufficiently large in order to model the scale and complexity of the real world networks and environments”. These labs will be used for playing war games, or “to support the rapid development of new cybersecurity defenses, techniques, and processes by improving understanding and assessing the latest technologies in a real world environment”.  There will also be work done towards the balance of security and privacy, and the problem of insider threat.

SEC. 12. FEDERAL CYBER SCHOLARSHIP-FOR-SERVICE PROGRAM.

The Federal Cyber Scholarship-for-Service program pretty much introduces itself. I cannot restrain myself from mentioning this was one of the solutions I reached independently. I phrased it as “trucker school” like training. Instead of paying for expensive training, licensing, and equipment, these things are provided with the promise that the student will work for the company for some period of time. This is an alternative solution to the current certification process. Since operating the Internet is not quite the same as piloting eighteen wheels of Detroit iron, the government plans to start the kids off early. They will provide “a procedure for identifying promising K-12 students”. These promising students would be eligible for summer programs and internship “that would lead to certification of Federal information technology workforce standards and possible future employment”. Just like with trucking school, once the class is complete the job is guaranteed.

SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE.

The goal of this challenge is to “attract, identify, evaluate, and recruit talented individuals”. The competition would also serve to “stimulate innovation in basic and applied cybersecurity research, technology development, and prototype demonstration”. If they don’t get the recruit, they will still have access to their work.  These widely advertised challenges will be available for high school and college students. Institutions will also be allowed to compete for the millions of dollars in prize money.

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.

The Secretary of Commerce will have access to all internet and critical networks “without regard to any provision of law, regulation, rule, or policy restricting such access”. The Department of Commerce will serve as a clearinghouse of related information, acting as liaison between the government and the private sector.

SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT.

This section simply gives value to risk.  It will create a market for risk management, require “cybersecurity to be a factor in all bond ratings”.

SEC. 16. LEGAL FRAMEWORK REVIEW AND REPORT.

This section calls for “a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States”.  There are several acts specifically mentioned, but it also includes “any applicable Executive Order or agency rule, regulation, or guideline”.

SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT.

When the government starts discussing an “identity management and authentication program”, they must also address the privacy concerns which follow along with it.

SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.

The President will develop a strategy for security. This strategy should include a long term plan. It will respect national security, and include the private sector. In the event of an emergency the President has the power to restrict, shut down, or disconnect the internet. This applies to Federal and critical systems in time of emergency, or in the interest of national security. The President also will “designate an agency to be responsible for coordinating the response and restoration” of the systems restricted or shut down. There will also be a department or agency which will “review equipment that would be needed after a cybersecurity attack and develop a strategy for the acquisition, storage, and periodic replacement of such equipment.” There will be “periodic mapping of…..critical infrastructure information systems or networks” to “measure the effectiveness of the mapping process”. The President will also have the power to enforce regulations, and bestow ‘cyber-related’ certifications to United States people.

SEC. 19. QUADRENNIAL CYBER REVIEW.

Starting in 2013, this review will provide an unclassified summary, and include recommendations for improvement.

SEC. 20. JOINT INTELLIGENCE THREAT ASSESSMENT.

The Director of National Intelligence and the Secretary of Commerce will make a yearly report to Congress on “cybersecurity threats” and “vulnerabilities of critical national information, communication, and data network infrastructure”.

SEC. 21. INTERNATIONAL NORMS AND CYBERSECURITY DETERRANCE MEASURES.

The President would “work with representatives of foreign governments” to encourage global adoption of America’s new standards.

SEC. 22. FEDERAL SECURE PRODUCTS AND SERVICES ACQUISITIONS BOARD.

This section is an attempt to address the ‘supply chain’ vulnerability. There is need for “review and approval of high value products and services”, and so there must be “the establishment of appropriate standards for the validation of software to be acquired by the Federal Government”, including “independent secure software validation and verification”. This act would require the approval of the Secure Products and Services Acquisitions Board for any product or service subject to federal standards.

This marks the end of part 3. A summary will be provided later.
