Cyber-Security Legislation (in works by Belouve)

Ulic Belouve - Student
Currently a work in progress by myself and a couple others. We have had personal audiences with Congressmen, committees, and grassroots organizations. I have no issue with it being public domain, and posting it in full. Input would be appreciated, and circulate as you will, but respect it as an idea that we are still working on, so just don't do anything to impede progress, OK? I don't care if you use it as your own and get it passed. It would help us all anyways.

Quote:

Cyber-Security Strengthening Act of 2004

Section 1. Findings of Fact

(a) Our nation's information and telecommunications systems are directly connected to many other critical infrastructure sectors, including banking and finance, energy, and transportation. The consequences of an attack on our cyber infrastructure can cascade across many sectors, causing widespread disruption of essential services, damaging our economy, and imperiling public safety. The speed, virulence, and maliciousness of cyber attacks have increased dramatically in recent years. Yet, private sector professionals consistently do not rank security as an important part of their information infrastructure. Hence, Congress finds that security should be mandated by law.

(b) On Friday, January 24, 2003 at 11:30 pm CST, American Intelligence began monitoring a Distributed Denial of Service (DDoS) attack that successfully took down 5 of the 13 (approximately 38.5%) root name servers. The root name servers (a.k.a. root Domain Name Servers, or root DNS) translate domain names, like whitehouse.gov, into an Internet Protocol (IP) address so a computer can connect to the server over the Internet. No root name servers effectively means no Internet. In other words, during the attack the Internet suffered 38.5% diminished capacity with particularly widespread and noteworthy outages in the Republic of Korea and the State of Texas. While the security of the root name servers was never compromised, the root name servers were flooded with so many bogus data requests by innumerable compromised systems that the root name servers could not fulfill their function. Worst of all, the entire attack could have been prevented had people applied a security patch that was six months old. Thus, Congress finds that un-patched systems can affect secure systems, and Congress finds that steps should be taken to force systems to be patched.

(c) Some operating systems being developed today do not conform to fundamental security guidelines or do not have critical security features. Hence, Congress finds that independent security certifications and evaluations should mandate conformance to good security designs and practices.

(d) While some operating systems do conform to fundamental security guidelines and have critical security features, many information infrastructure professionals do not have the proper training, knowledge, and experience to properly configure and use these operating systems in a secure way. Thus, Congress finds that independent security certifications and evaluations should mandate proper training and knowledge of information infrastructure professionals.

(e) Time and again, the vast majority of information security breaches from outsiders are based upon un-patched systems. Yet, managers and supervisors consistently do not give security sufficient importance and resources to properly patch their systems. Hence, Congress finds that managers and supervisors should be fiscally motivated to give security sufficient importance and resources.

(f) Identity theft is the fastest growing crime in the United States. One of the primary sources for information used in identity theft is customer information stolen from computers and networks. Yet, organizations consistently do not inform their customers of information security breaches that threaten customers' identity or privacy because they value the reputation of the organization over their customers' security. Thus, Congress finds that reports about information security breaches should be disclosed to customers so that customers can take preventative action to protect their identity and privacy.

Section 2. Purpose

The purpose of this legislation is to provide a more secure nationwide information infrastructure by mandating well-established security practices.

Section 3. Definitions

For the purposes of this subchapter:

(a) A "bridge" is an electronic device that allows two networks, which may be similar or dissimilar in topology, wiring, or communications protocols, to exchange data.

(b) A "computer" is an electronic, general-purpose machine that processes data according to a set of instructions that are stored internally either temporarily or permanently by:
  (1) Retrieving the data from the keyboard, disk, or communications channel into memory,
  (2) Calculating, comparing, or copying the data, and
  (3) Outputting the results to the screen, saving the results to disk, or transmitting the results back over a communications channel.

(c) A "critical infrastructure environment" is any public or private sector organization that engages in the designing, manufacturing, testing, servicing, governing, managing, or deploying of those assets, systems, and functions vital to our national security, governance, public health and safety, economy, and national morale, which include food, water, agriculture, health systems and emergency services, energy (electrical, nuclear, gas and oil, dams), transportation (air, road, rail, ports, waterways), information and telecommunications, banking and finance, chemical, defense industry, postal and shipping, and national monuments and icons.

(d) An "e-mail" is a memo or message transmitted over a network.

(e) An "e-mail client" is a program or program module that provides e-mail services for computer users, including receiving e-mail into a locally stored inbox, sending e-mail to other network users, replying to received messages, and storing received messages.

(f) A "gateway" is an electronic device that connects a local area network to a wide area network, a minicomputer, a mainframe, or the Internet.

(g) A "hypertext" is a format or method of preparing and publishing text, ideally suited for the computer, in which readers can choose their own paths through the material.

(h) An "information infrastructure professional" is a person who has received training and education for, and whose primary duties and responsibilities include but are not necessarily limited to, supporting, monitoring, testing, maintaining, analyzing, troubleshooting, and repairing computers, computer peripherals, and networks; documenting, maintaining, upgrading or replacing hardware and software systems; supporting and maintaining user account information including rights, security and systems groups; reviewing, analyzing, and modifying programming systems including encoding, testing, debugging, and documenting programs; or installing and configuring computers.

(i) The "Internet" is an enormous and rapidly growing system of interconnected computer networks, world-wide in scope, that facilitates data communication services.

(j) A "local area network" is a communications network that serves users within a confined geographic area by linking computers with high-performance cables so users can exchange information, share peripherals, and draw on programs and data stored in other computers on the network; it may include, but is not necessarily limited to, personal computers, minicomputers, and mainframes.

(k) A "mainframe" is a high-scale computer that functions as a multi-user system for several thousand or more users and is designed to meet the computing needs of a large organization.

(l) A "minicomputer" is a medium-scale computer that functions as a multi-user system for up to several hundred users and is designed to meet the computing needs of a small company or a department.

(m) A "network topology" is the geometric arrangement of nodes and cable links in a network.

(n) A "node" is a network junction or connection point that can create, receive, or repeat a packet of data.

(o) An "operating system" is a master control program that manages the computer's internal functions and provides a means to control the computer's operations.

(p) A "patch" is a quick fix to a program for the purpose of correcting erratic behavior, invalid output, or abnormal termination.

(q) A "personal computer" is a small-scale, single-user computer equipped with all the system, utility, and application software, and input/output devices and other peripherals that an individual needs to perform one or more tasks.

(r) A "router" is an electronic device that examines each packet of data it receives and then decides which way to send it onward towards its destination.

(s) A "uniform resource locator" is a string of characters that precisely identifies an Internet resource's type and location.

(t) A "version" is a specific release of a program in which a higher number indicates a more recent release.

(u) A "wide area network" is a network that uses high-speed, long-distance communications networks or satellites to connect computers over distances greater than those traversed by local area networks.

(v) A "Web browser" is a program that runs on an Internet-connected computer and provides access to the World Wide Web.

(w) The "World Wide Web" is a global hypertext system that uses the Internet as its transport mechanism.

Section 4. Version Checking of Critical Software

(a) The National Institute of Standards and Technology shall, within 18 months of the effective date of this legislation, develop a communications connection protocol which meets the following requirements:

  (1) The protocol shall be capable of connecting one computer to another computer, one computer to a remote network, and one network to another network.

  (2) Any bridge, gateway, or router using the protocol shall be capable of receiving from any operating system, e-mail client, and Web browser data identifying the version of the operating system, e-mail client, and Web browser in use, any installed patches, and one or more uniform resource locators that identify where on the Internet the bridge, gateway, or router can check if any additional patches exist for that version of the operating system, e-mail client, or Web browser. If the data received from the operating system, e-mail client, or Web browser is invalid, the computer will be denied all access to the Internet. If the data received from the operating system, e-mail client, or Web browser is valid, the bridge, gateway, or router will respond to the data returned from the uniform resource locator by taking action in one of three ways:
    (a) If the data returned from the uniform resource locator indicates that no additional patches are available, the computer will be granted full access to the Internet.
    (b) If the data returned from the uniform resource locator indicates that additional patches are available, the computer will be granted access to only those locations on the Internet necessary to download the patches.
    (c) If the data returned from the uniform resource locator is invalid, the computer will be denied all access to the Internet.

  (3) Any bridge, gateway, or router using the protocol shall be capable of receiving from any bridge, gateway, and router adjacent in network topology data identifying whether or not the adjacent bridge, gateway, or router is using the protocol. If the data returned from the adjacent bridge, gateway, or router is invalid or if the data returned from the adjacent bridge, gateway, or router indicates that the adjacent bridge, gateway, or router is not using the protocol, the adjacent bridge, gateway, or router will be denied all access to the Internet.

  (4) The protocol shall perform the aforementioned checks not less than once every 72 hours.

  (5) The protocol shall not transmit any personally identifiable information.

(b) Any bridge, gateway, and router manufactured in, or imported into, the United States after 36 months of the effective date of the communications connection protocol, as mentioned in 4a, shall conform to the protocol.

(c) Any bridge, gateway, and router used in the United States to connect a computer or network to the Internet after 60 months of the effective date of the communications connection protocol, as mentioned in 4a, shall conform to, and use, the protocol.

(d) Notwithstanding any other provision in this section, allowances may be made for any bridge, gateway, and router that exist outside of the jurisdiction of the United States.

Section 5. Certified Operating Systems

All critical infrastructure environments in the United States shall use an operating system which has been certified under either the Department of Defense Trusted Computer Security Evaluation Criteria or the Common Criteria for Information Technology Security Evaluation, or an updated or upgraded version of an operating system which has been certified under the same, after 36 months of the effective date of this legislation.

Section 6. Security Certification for Information Infrastructure Professionals

All information infrastructure professionals working in a critical infrastructure environment shall be certified in either a generic security certification, which shall at minimum cover general security concepts, communication security, infrastructure security, basics of cryptography, and operational and organizational security, or a security certification specific to the operating system they are using.

Section 7. No Punitive Damages for Preventable Information Security Breaches

Any person who illegally gains access to a computer or network by means of a known security vulnerability for which a patch has been available for more than 72 hours shall not be liable for any punitive damages.

Section 8. Disclosure of Information Security Breaches

Any organization that suffers an information security breach in which personally identifiable information was stolen shall, within 180 days of the information security breach, report to the Department of Homeland Security and make a good-faith effort to report to all relevant persons whose personally identifiable information was stolen the nature of the information security breach, including:
  (1) A general overview of how information security was breached,
  (2) A listing of the information that was stolen insofar as necessary for persons whose information was stolen to take action to protect their identity and privacy, and
  (3) Any action the organization is taking to ensure that such an information security breach does not happen again.

Section 9. Criminal Penalties

(a) Any person or organization that knowingly or willfully violates Section 4 shall be guilty of a misdemeanor and fined not more than $10,000 for each bridge, gateway, and router in violation thereof, but such fine shall not exceed $500,000 for a first offense.

(b) Any person or organization that knowingly or willfully violates Section 5 shall be guilty of a misdemeanor and fined not more than $10,000 for every 30 day period in violation thereof.

(c) Any person or organization that knowingly or willfully violates Section 6 shall be guilty of a misdemeanor and fined not more than $25,000 for each information infrastructure professional in violation thereof, but such fine shall not exceed $850,000 for a first offense.

(d) Any person or organization that knowingly or willfully violates Section 8 shall be guilty of a misdemeanor and fined not more than $125,000.

It is a start. Everything needs a start.

IN PROCESS OF CLEANING UP TO LOOK BETTER!

And....that is it, for now. Wish I had a site to host this file and just linky to it. (takers? I can send the file.)

_______________
Jedi do not fight for peace. That's only a slogan, and is as misleading as slogans always are. Jedi fight for civilization, because only civilization creates peace.

This post was edited by Ulic Belouve on May 06 2005 08:04am.
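The gateway decision in Section 4(a)(2) of the draft, worked through as an added example that is not part of the post and not anything NIST has published. It is, in effect, the posture check that enterprise network access control systems perform: a host reports component versions and installed patches, the gateway consults a patch catalogue per component and grants full, patch-sources-only, or no access. All component names, versions, patch identifiers, URLs and the catalogue contents are constructed stand-ins; the real draft leaves the data format to NIST.

```python
"""Gateway posture check modelled on Section 4(a)(2) of the draft.

Added illustration with constructed data; not the draft's protocol.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple


class Access(Enum):
    FULL = "full"                       # 4(a)(2)(a): nothing outstanding
    PATCH_SOURCES_ONLY = "patch-only"   # 4(a)(2)(b): only the patch download locations
    DENIED = "denied"                   # 4(a)(2)(c) and invalid client data


@dataclass(frozen=True)
class VersionReport:
    """What one component (OS, mail client, browser) reports to the gateway."""
    component: str
    version: str
    installed_patches: FrozenSet[str]
    catalog_url: str


# Constructed catalogue standing in for the remote lookup at each URL.
# A URL missing from this table models an unreachable or malformed response.
PATCH_CATALOG: Dict[str, List[str]] = {
    "https://updates.example/os/1.2": ["OS-1.2-001", "OS-1.2-002"],
    "https://updates.example/mail/4.0": [],
    "https://updates.example/browser/7": ["BR-7-003"],
}
# Versions the gateway recognises; anything else is "invalid data" under 4(a)(2).
KNOWN_VERSIONS: Dict[str, FrozenSet[str]] = {
    "os": frozenset({"1.2"}),
    "mail": frozenset({"4.0"}),
    "browser": frozenset({"7"}),
}
RECHECK_INTERVAL = timedelta(hours=72)   # 4(a)(4)


def report_is_valid(r: VersionReport) -> bool:
    """Reject unknown components/versions, non-HTTPS catalogues and junk patch ids."""
    known = KNOWN_VERSIONS.get(r.component)
    return (known is not None and r.version in known
            and r.catalog_url.startswith("https://")
            and all(p.isascii() and p.isprintable() for p in r.installed_patches))


def fetch_catalog(url: str) -> Optional[List[str]]:
    """Simulated catalogue fetch; None models an invalid response."""
    return PATCH_CATALOG.get(url)


def decide(reports: Sequence[VersionReport]) -> Tuple[Access, List[str]]:
    """Access level for a host plus the patches it still needs.

    The most restrictive outcome across all components wins: one invalid
    report or one unreachable catalogue denies the whole host.
    """
    if not reports:
        return Access.DENIED, []
    missing: List[str] = []
    for r in reports:
        if not report_is_valid(r):
            return Access.DENIED, []
        catalog = fetch_catalog(r.catalog_url)
        if catalog is None:
            return Access.DENIED, []
        missing.extend(p for p in catalog if p not in r.installed_patches)
    return (Access.PATCH_SOURCES_ONLY if missing else Access.FULL), missing


def allowed_destinations(reports: Sequence[VersionReport]) -> Optional[List[str]]:
    """None means unrestricted; otherwise the allow-list the gateway enforces."""
    access, _ = decide(reports)
    if access is Access.FULL:
        return None
    if access is Access.PATCH_SOURCES_ONLY:
        return sorted({r.catalog_url for r in reports})
    return []


def recheck_due(last_checked: datetime, now: datetime) -> bool:
    """4(a)(4): the check must be repeated at least every 72 hours."""
    return now - last_checked >= RECHECK_INTERVAL


# Constructed sample hosts.
PATCHED_HOST = [
    VersionReport("os", "1.2", frozenset({"OS-1.2-001", "OS-1.2-002"}), "https://updates.example/os/1.2"),
    VersionReport("mail", "4.0", frozenset(), "https://updates.example/mail/4.0"),
    VersionReport("browser", "7", frozenset({"BR-7-003"}), "https://updates.example/browser/7"),
]
STALE_HOST = [
    VersionReport("os", "1.2", frozenset({"OS-1.2-001"}), "https://updates.example/os/1.2"),
    VersionReport("browser", "7", frozenset({"BR-7-003"}), "https://updates.example/browser/7"),
]
UNKNOWN_HOST = [VersionReport("os", "9.9", frozenset(), "https://updates.example/os/9.9")]
BAD_CATALOG_HOST = [VersionReport("mail", "4.0", frozenset(), "https://updates.example/mail/old")]

if __name__ == "__main__":
    for label, host in [("patched", PATCHED_HOST), ("stale", STALE_HOST),
                        ("unknown", UNKNOWN_HOST), ("bad catalog", BAD_CATALOG_HOST)]:
        print(label, decide(host), allowed_destinations(host))
```

The fail-closed rule in `decide` is the part worth noticing: the draft denies a host on any invalid data, so one unreachable catalogue knocks a fully patched machine offline, which is the availability cost DJ Sith's reply below objects to.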
Comments
SaZ - Student

Security needs a lot of rethinking, so everything is going to change very quickly... but I'm not sure...

_______________
playing jk3 since 30th of january (2005), member since 1st of february. [Unofficial Master to Vision and Z�diac ] If you can make a fool of yourself infront of 300 people you can do anything - Jaiko D'kana
Bail Hope of Belouve - Student

Quote:
Oh joy, the government getting involved in computer security. If they prove as competent as they have in other areas in which they've gotten involved--education, health care, mail delivery, and so on--there should be no computers left in the world within a few years.

that's not bad ... since you can't shoot a nuclear missile without a good ol' computer at the launch point. ... maybe the enemy will start throwing them at us? gives the word "suicide run" a completely new meaning

_______________
Visit the Belouve Family Website!
Quote: I try to have fun with my friends and try to make a difference as best I can. What does making a difference mean? Well, it can be as simple as saying hello, answering a question that seems obvious or heck, just talking. -- Vladarion
Want to know Vladarion? Read the Article about his life here.
Darth Jason - Student

I agree with DJ, there are a lot of holes.

_______________
I have seen EP3 now I can die happy and complete. Happy Star Wars Completion day everyone!!!!
JavaGuy - Student

Oh joy, the government getting involved in computer security. If they prove as competent as they have in other areas in which they've gotten involved--education, health care, mail delivery, and so on--there should be no computers left in the world within a few years.

_______________
My signature is only one line. You're welcome.
tarpman - The Tarped Avenger

Sorry, but I have to agree with DJ.

_______________
Saving the world, one kilobyte at a time.
DJ Sith - Jedi Council

I'm one of those that ripped you a new one on this.

Section 1, point a: Claiming that industry professionals do not rank security as a priority is an insult to my profession. I do not know a single system or network administrator who casts a blind eye toward security. Please provide concrete examples of this.

Section 1, point b: The root name servers don't translate IP addresses. They provide authoritative name server information for the purposes of DNS lookup. Essentially when you want to translate a name to an IP you first query your ISP's DNS server. If the ISP's DNS server doesn't know the IP for the name you're looking up it queries the root name servers to find out which name server is authoritative for that domain. The root server responds with a name server address. Your ISP's DNS server contacts the remote DNS server to get the IP address then relays it back to your client. A completely patched server is still vulnerable to a denial of service attack. The root name servers will still receive traffic no matter its OS or patch level. To prevent damage from a DoS attack you need to implement detection and filtering at the routing and transport levels. This kind of equipment is generally quite expensive when protecting something as valuable as the root name servers. Again patch level can do little to stop a DoS attack.

Section 1, point c: You need to define "fundamental security guidelines" and "critical security features". Failure to do so allows for gigantic loopholes and misinterpretation.

Section 1, point d: I agree that some folks in IT could use a little more smarts, but I hope you aren't going to try to approve a curriculum. I don't have a college degree and would like to keep it that way (for the time being) and run my networks and code just fine.

Section 1, point e: I agree.

Section 1, point f: I agree.

Section 2: Okay. Sounds good to me.

Section 3, point a: That definition also describes a switch and a router. A description of the OSI networking model might be in order if you're going to define what a bridge is.

Section 3, point d: That's too loose a definition. An email message must specifically conform to certain RFCs. You should list those RFCs if you're singling out email. "A memo or message" can apply to IM, ICMP, or even TCP depending on your point of view.

Section 3, point e: An email client does not provide mail. It retrieves and sends mail. Mail servers provide mail.

Section 3, point f: Hypertext (not "a hypertext"

Section 3, point r: Technically a router is any device that connects two or more internetworks. Nothing more. Packet inspection is done by many other types of devices than routers.

Section 4: This part is really scary for a number of reasons:
a) It mandates a gigantic protocol rewrite. We already have IP, TCP, BGP, etc for sending data back and forth. We do not need to reinvent the wheel.
b) A URL doesn't return data. A remote server returns data.
c) The concept of internetwork-wide trusted computing and communication is frightening at best and Orwellian at its worst. The very notion that a node can be denied access to the Internet because it fails to meet a government mandated standard is ludicrous. Any system or network administrator worth his salt would never ever ever implement this kind of eavesdropping gestapo system. Not to mention that EVERY OS, IOS, mail client, web client, NIC, switch, etc would have to be recoded to conform to this ridiculous standard. Who's going to buy all the new equipment? Who's going to write all the OS patches for things that don't exist anymore (legacy VAX, DEC UNIX, etc)?

Section 5: Good luck getting every OS to comply with this. The open source community would never go for this. Trusted computing is a bad idea no matter how you slice it. It ruins the industry for the hobbyist, and puts undue pressure on the businesses to interoperate all of it.

Section 6: Security certification is a good thing, but frequently technology acts much faster than the government. I like the idea of requiring it though. Nothing pisses me off more than a dumb admin at the hands of something they shouldn't be touching.

Section 7: 72 hours is not enough time to apply a patch. Admins who have to care for hundreds of computers typically will test a new patch for weeks before applying it. In many cases a patch can break other parts of the program being patched. A responsible admin will thoroughly test any released patches in their test environment before putting it on their production equipment.

Section 8: I agree. If the general public is in danger they need to be notified.

Section 9: So if I decide to create my own messaging protocol in my spare time I can get fined up to $500,000 because it doesn't meet an arbitrary government set standard. Again this will ruin things for the hobbyist.

Ok on to the general stuff...

This proposal displays a complete lack of understanding of how networks interoperate, how the Internet works at its core, and the software development process. It's appalling that the people you've shown this to, taxpayers and lawmakers alike, agree with this tripe. Making these kinds of changes in the US alone does nothing to prevent spam and hacks from the Russian mafia (which does a surprising amount of business in spam) or a DoS attack from Italy. The solution to keep systems up to date is not a grand overall rewrite of how the Internet works. MS would have to recode Windows from scratch to make it "secure". You can't exactly tell them to do that. They'll laugh it off and lobby the hack against it. Likewise with the other big names (Cisco, IBM, etc). IP and all the network protocols would have to be rewritten, new hardware produced (and purchased). The cost for all this would be an order of magnitude more than the cost of the Iraq war (which you mentioned a lot on IRC).

This article uses scare tactics (oooh some of the root name servers were inaccessible for a while. it blew up the internet!) to lull our legislators into signing anything. Stick to more facts and less FUD.

If you want to fix the problem with unpatched systems the answer is education. Not legislation. Joe Q. Moron on the internet has no freaking clue that his PC is part of a DoS botnet. My grandpa is a good example of this. He kept yelling at me to stop updating his virus definitions. "I'm only on the internet for 5 minutes at a time. How the hell is a virus going to get in in only 5 minutes?". It's a general lack of education that causes a majority of all the crap you see on the Internet. This needs to be fixed at the user level. There are numerous tools and institutions in place at the administrative level to keep badness from spreading on the internet. These range from RBLs to USENET groups to tech web sites.

Again the fact that you're showing this crap to CONGRESSMEN scares me to death. I'd fight this thing tooth and nail, and so would the rest of the industry. You need to do a LOT more research on this before getting congress' panties in a twist about network security.

_______________
My car is made of Nerf.
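The resolution chain DJ Sith lays out under Section 1, point b (client asks the ISP's resolver; the resolver asks the root, follows the referral to the authoritative server, and relays the address back), as an added simulation that is not part of the thread. Zone data, server names and addresses are constructed (192.0.2.0/24 is the documentation range), and the simulation adds the TLD referral step that sits between the root and the zone's own servers, which the post folds into "the root server responds with a name server address". The two properties it demonstrates are the ones the reply argues: the root hands out referrals rather than addresses, and a resolver with a populated cache keeps answering when the root is unreachable, which is why degraded root service does not mean "no Internet".

```python
"""Simulated iterative DNS resolution with a caching recursive resolver.

Added illustration with constructed zone data; no network access is made.
"""
from typing import Dict, List, Optional, Tuple

# --- Constructed zone data ---------------------------------------------------
# Each tier knows only what that tier knows in reality: the root refers to
# TLD servers, the TLD refers to the zone's authoritative servers, and only
# the authoritative server holds the address record.
ROOT_REFERRALS: Dict[str, str] = {"com.": "a.gtld.example."}
TLD_REFERRALS: Dict[str, str] = {"example.com.": "ns1.example.com."}
AUTHORITATIVE_RECORDS: Dict[str, str] = {"www.example.com.": "192.0.2.10"}
# Glue: the addresses of the name servers themselves.
GLUE: Dict[str, str] = {"a.gtld.example.": "192.0.2.1", "ns1.example.com.": "192.0.2.2"}

ROOT = "root"   # stands in for the whole root server set


def _longest_zone(name: str, table: Dict[str, str]) -> Optional[str]:
    """Longest zone in `table` that `name` falls under, or None."""
    best = None
    for zone in table:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def answer_from(server: str, name: str) -> Tuple[str, Optional[str]]:
    """What each simulated server replies to an A query for `name`."""
    if server == ROOT:
        zone = _longest_zone(name, ROOT_REFERRALS)
        return ("referral", ROOT_REFERRALS[zone]) if zone else ("refused", None)
    if server == GLUE["a.gtld.example."]:
        zone = _longest_zone(name, TLD_REFERRALS)
        return ("referral", TLD_REFERRALS[zone]) if zone else ("nxdomain", None)
    if server == GLUE["ns1.example.com."]:
        ip = AUTHORITATIVE_RECORDS.get(name)
        return ("answer", ip) if ip else ("nxdomain", None)
    return ("unreachable", None)


class RecursiveResolver:
    """The ISP's resolver: walks referrals from the root and caches answers."""

    def __init__(self, root_reachable: bool = True) -> None:
        self.cache: Dict[str, str] = {}
        self.log: List[Tuple[str, str]] = []   # (server, question) per step
        self.root_reachable = root_reachable

    def resolve(self, name: str) -> Optional[str]:
        if name in self.cache:
            self.log.append(("cache", name))
            return self.cache[name]
        server = ROOT
        for _ in range(8):   # bound the referral chain
            if server == ROOT and not self.root_reachable:
                self.log.append(("root-timeout", name))
                return None
            self.log.append((server, name))
            kind, payload = answer_from(server, name)
            if kind == "answer":
                self.cache[name] = payload
                return payload
            if kind == "referral":
                server = GLUE[payload]   # follow the referral to the next tier
                continue
            return None
        return None


def walk_with_root_outage(name: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Resolve once normally, then again after the root becomes unreachable.

    Returns (first answer, cached answer during outage, uncached lookup during outage).
    """
    r = RecursiveResolver()
    first = r.resolve(name)
    r.root_reachable = False
    cached = r.resolve(name)
    uncached = r.resolve("mail." + name.split(".", 1)[1])
    return first, cached, uncached


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.com."))
    for step in r.log:
        print("  ", step)
    print(walk_with_root_outage("www.example.com."))
```

Every step in `log` is visible, so a reader can confirm that the root's reply is a referral to `a.gtld.example.` and that the address only ever comes from `ns1.example.com.`.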
Ulic Belouve - Student

Edited section 4, 5b and 5c. I like the idea of having some sort of plan in place, but forcing the plan to be implemented in an unreasonable amount of time, I just don't like that. Partner pushing for that, so edited.

_______________
Jedi do not fight for peace. That's only a slogan, and is as misleading as slogans always are. Jedi fight for civilization, because only civilization creates peace.
Ulic Belouve - Student

OK, so I guess at first this is getting ripped to shreds. Which is a bit worse than I hoped, but it's progress. A horrible singer would rather know they are horrible, and know how to fix things, then fix things, and progress, than to get on National TV to make an ass out of themselves. Same thing here. I'd rather find this is horrendous, fix it, and find some solution. So, falling back on the Academy being a bit more respectful, I don't look for IT gurus (though I ran across some, and they definitely set me straight), I do look for solutions. So, erm, have at it. I'm not saying this is what needs to be done, but if no one does anything, nothing WILL be done. Heh. Be gentle?

_______________
Jedi do not fight for peace. That's only a slogan, and is as misleading as slogans always are. Jedi fight for civilization, because only civilization creates peace.