Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Frumple]

Know of any running that both has a chance of taking a seat and isn't a horrifying ambomination on par with or worse than the major two? It's a fairly serious question, because I basically never hear anything about any of them.

I'm a bit politically isolated, but the dem/rep folks I at least hear the name of in passing occasionally

[Aklyon]

There's more than two parties!

True, but everyone except the duo get ignored most of the time and counted as detractors from votes from the dems or the reps.

[GlyphGryph]

Are there any third parties not running on the big ego of an asshole just as bad as the other two, except with non substantive achievements behind them?

I know the green party in Maine is alright, actually, but I don't live there. And the national greens are less than useless, managing both crazy AND incompetent.

[Darvi]

Do as the Germans do and found a pirate party.

[Aklyon]

Do as the Germans do and found a pirate party.

A pirate party.
In the same land where the MPAA/RIAA of ridiculous copyright thrashing about are in?

[Darvi]

Keep your friends close...

[PTTG??]

Are there any third parties not running on the big ego of an asshole just as bad as the other two, except with non substantive achievements behind them?

I know the green party in Maine is alright, actually, but I don't live there. And the national greens are less than useless, managing both crazy AND incompetent.

There's also tons of independents, and they aren't all corporate libertarians.

All I'm really saying is that nothing would scare the big parties more than a resurgence of anyone and everyone else. There's no better way to say that what they've been doing is wrong than to vote for someone who's not either of them.

[GlyphGryph]

I actually do tend to vote independent. And there have been quite a few local elections in which they've run.

Maybe I'll run for something myself, there's quite a few uncontested elections coming up...

Edit:
Here's my local guide, called "Don't stand there... Run!"

http://www.sec.state.ma.us/ele/elepdf/candidates_guide_2012.pdf

[Darvi]

Gotta say that's a clever title.

[palsch]

The House acting on this was largely not expected which is why the administration came out hard and fast with a veto threat here. There has been extensive work and debate in the Senate over cybersecurity legislation, which is likely to be ongoing and shape the eventual bill. What happens next really depends on that Senate debate.

There are two main sections to the cybersecurity proposals. Information sharing and infrastructure regulation. This is long so I'll spoiler it for you all.

Spoiler: 1) Information sharing. (click to show/hide)

This is where all the attention is being paid. The problem being addressed is that of companies knowing things that they can't legally tell others
but which might be of significant value to law enforcement or others charged with protecting or maintaining critical infrastructure.

The proposal is to provide immunity from other laws for sharing information that falls into a certain set of categories, which then may only be used for a certain set of purposes. All of the problems come from what these categories and purposes should be and how to define them. Ignoring the House bill, because that's already passed, there are two perspectives in the Senate. The Republican view, headed by McCain, and the 'Democratic' proposal, headed by Lieberman.

In this there are three components. What information can be shared. Who it can be shared with. What it can be used for.

A) What information can be shared;
Both bills define the categories of information that can be shared by making extensive lists of ways that cyber intrusions could be conducted and then defining any information relating to these as shareable. This is actually a narrow approach to the problem; previous proposals have used far broader terms as ways to catch all possible threats rather than listing the acceptable, actionable ones. It's even arguable that this limits the value of the bill by potentially excluding new threats. On the flip side, both also make information 'indicative of a threat' shareable. That makes things pretty broad again. The Republican bill then has a further broadening factor of 'network activity' indicative of 'malicious activity', which is left undefined. That part is scary.

The Democratic side has an additional provision that any such information must have been (or rather reasonable efforts made) scrubbed of personal information unrelated to the thread prior to sharing, otherwise the immunity doesn't apply. This is missing from the Republican proposal.


As a side note, the House bill passed takes a very broad approach to defining the information to be shared. VERY broad. There were some amendments passed late in the process supposed to add privacy protections and others supposed to both narrow (removing IP theft) and broaden (not clear on this) the types of information to be shared. I haven't read these or solid analysis of them yet so won't comment.

B) Who it can be shared with;
This is almost the biggest fight in the Senate.

The Democratic bill gives the DHS authority to authorise a lead "Federal information sharing center". It may also authorise other sharing centres in both the public and private sector. It seems very likely this would lead to the DHS being the lead centre, although it's arguably undermanned and not optimal for this role. Broadly speaking this is the civilian option, keeping the DHS as the primary actor. The exact shape of this option is down to the DHS Secretary, and that's a presidential appointment (right now, Janet Napolitano). A future administration could easily shift control over to another body.

This sharing centre is then a hub for such information. They receive any information and determine what bodies (including other private companies) it should be shared with.

The Republican bill takes a somewhat different approach. It makes a list of many Federal bodies that are then permitted to act as sharing centres in the same manner as the Democratic bill. These include the NSA and other military bodies, as well as the FBI, Commerce and other groups that address a far wider spectrum of criminal activity than the DHS. There is then a requirement that the other federal bodies share their information in turn with the NSA. This is based on the view that the NSA is the best prepared body to confront such threats and that the military should have point on cybersecurity issues.

Both bills also allow for direct company-to-company sharing, bypassing the sharing centres. The Democratic bill only allows information to be shared with companies that directly manage critical infrastructure, or if simultaneously shared with a sharing centre. The Republican bill lacks these restrictions.

The Republican bill has an extra provision that requires any federal contractor to disclose any cyber security information that may relate to that contract.


C) What can the information be used for;
When it comes to private companies using the information the Democratic bill is narrower than the Republican.

In the Democratic proposal information shared between private companies may only be used to protect from cyber threats (as defined). They explicitly may not use such information to gain a commercial or competitive advantage. In addition to these two blanket restrictions the organisation sharing the information may add whatever additional restrictions they see fit to how the information may be used.

The Republican bill lacks the first provision, so the only restrictions on use are that it may not be to a competitive advantage and whatever the sharing party decide to add. This makes for potentially broad uses of information shared using the already more lenient private-to-private sharing provisions.

For federal/law enforcement use it's not a fun story.

The Democratic bill allows information held by sharing centres to share any information "that appears to relate to a crime", committed or planned, with any law enforcement agency concerned with that crime. This is extremely broad.

The Republican bill has an apparent limiter on it's version of this provision; it only allows information to be shared if the crime being discussed is one where a wiretap order may be sought. Not that such an order needs to be sought, just that such an order could be under the relevant law. In reality this is an extensive list and barely narrower than the Democratic rule. It then has an additional allowance for non-cyber 'national security' purposes.


I'd again note that this is where the House bill is fucking awful. The only restriction I'm aware of of the use of information on the Federal side is 'regulatory purpose'. That's it.


So what needs doing here? I'd say you could scrap this whole section, but enough people in government do believe there is a need and we are likely to see something passed eventually. Personally, if this were to be passed, I'd want the Democratic bill with three major changes.

- Add a liability clause and strong enforcement of restrictions. That is, where information is either shared or used outside the narrow authorised definitions there should be a cause for private action against the sharing entity. In many cases such sharing will be actionable under existing law, but I'd want to toughen that up. I'd also like to see the sharing centres policing such violations actively, informing individuals if their rights are violated in such a manner.

- Remove the law enforcement sharing provision (and certainly the Republican 'national security' one). This is literally warrantless wiretapping, as tacitly admitted in the McCain bill when they restrict the crimes to those that may be wiretapped. Frankly, any communications that are actionable by law enforcement should be intercepted and acted on by existing provisions and laws, not through this system designed for a narrow purpose. I'm mostly OK with this law so long as it's used to cover cybersecurity holes. Once it's used to chase and track individual action it becomes a fourth amendment violation.

- I'd want the sole sharing centre to be defined as within the DHS, with an additional budget to ensure it is brought up to scratch. I'm uncomfortable giving this sort of work to the military or an agency with it's primary role in other areas (such as Commerce or the FBI).

On top of these three major changes I'd also want some elements of the language tightened. Remove the 'indicative of a threat' provisions and require only the minimum of information required to describe a threat to be shared. Tighten up the restrictions on sharing private data to ensure no to minimal identifying information can be shared and that that shared can't be acted on. Etc.

I've been narrow here and only addressed the issues of the two Senate bills. There are additional questions that could be addressed, such as international cooperation. I'm not interested in that right now.

Spoiler: 2) Regulation (click to show/hide)

This is the administration's (and Democratic bill's) priority. Needless to say this half was entirely missing from the House Republican's bill (the one that passed). The veto threat was based partially on the lack of privacy protections and partially on the lack of regulation.

Similarly, McCain's Republican bill in the Senate originally lacked regulatory provisions. I don't believe this is likely to change. This suggests to me that Senate Republicans are likely to stand strong against regulation and that any regulatory language is unlikely to pass, even if an agreement could be reached on information sharing. That alone could be enough for an Obama veto, especially if civil liberties groups can't be brought on board with the sharing language.

In any case, there are such regulatory provisions in the Democratic bill so I'll give them a quick summary. Or as quick as you can be with such language without entirely missing the purpose.

The bill covers cyber infrastructure that could cause "catastrophic interruption of life-sustaining services", "catastrophic economic damage" or "severe degradation of national security capabilities" if disrupted. The actual designation will be left to the DHS Secretary, first by determining what sectors these might apply to and then determining what would qualify as critical systems within that sector. At this point actual systems could be designated as such. The owners may then sue in federal court to have such a designation removed. This may be over their qualification as critical infrastructure or to determine their status as a "commercial IT product" due to an exception for such in the bill. That exception seems strange to me and I'm not 100% sure I understand it.

In addition any infrastructure already regulated under another federal agency won't be covered by this bill. An additional exemption is made for an organisation that has already taken the necessary voluntary steps to protect it's infrastructure. This latter one basically means that if you meet the new standards they don't apply, which is odd.

Any remaining covered infrastructure will be required to meet new federal standards, again to be determined by the DHS Secretary through consultation with the private sector.

This is all incredibly vague, which is probably a good thing. If congress were writing these rules they would likely be out of date before they could be passed. The DHS might not be the most nimble organisation on the planet, but at least there there can be an appropriate ongoing process of review and refinement with feedback from private and public bodies.

Actual enforcement of these standards looks reasonable if on the weak side. Annual self-certification is likely to be the standard, although third party certification is an option (not that third party review bodies exist). Penalties and enforcement process are to be determined by the DHS.

One massive problem with all this is that it's slow. Arguably companies could delay any such regulations for up to a decade. Even if the DHS could keep relatively up-to-date standards and have realistic provisions to improve infrastructure security it seems likely that legal and judicial review, combined with other limiting factors, will greatly reduce the efficiency of any such regulations. It's entirely possible that this is simply an area that can't be made more secure by any level of government regulation.

In short, cybersecurity might be simply impossible, and any attempts to improve it through regulation are doomed to failure before they start.

I'm kinda attracted to the idea of minimum standards for important IT infrastructure, even if I'm not entirely sold on the security need side of things or the likelihood of real strides in improved security being made. Unless they are willing to scrap all current Windows systems running critical infrastructure that is...

So I'm almost entirely agnostic on this side of the bill. There isn't anything I think is bad, I'm just not convinced there is a strong enough indication it's either needed or likely enough to work to justify the fight that Republicans will undoubtedly put up.

My summary;
The information sharing provisions are worrying even in their best form (Lieberman's Senate Democrat bill), primarily by creating effective warrantless wiretapping by sharing information with law enforcement agencies but with lesser problems in other areas. Most of this could be fixed with further input from civil liberties groups to pose a minimal risk to privacy, potentially, but I'm doubtful it will go as far as I'd like to see. The need for them is (IMO) fairly low, but they are the most likely way that congress will try to address cybersecurity and so I'd be willing to buy into them with strident protections. I'd also argue that certain areas (again, the law enforcement sharing) would be fourth amendment violations and actionable in federal court, so might not last that long if actually passed and used.

The regulatory provisions are an interesting and attractive idea to me, but unlikely to do all that much and of debatable value. The Republicans aren't going to allow this anyway, either in the Senate or House.

Looking at the politics of this, Obama seems to want the regulations badly enough to play chicken with the whole bill. This could potentially be a negotiating tool to get a minimally damaging (from a civil liberties point of view) version of the information sharing provisions passed. I don't doubt that the administration wants some form of cybersecurity power. Arguably they have some form already, but all previous references I'm aware of are in military authorisation legislation, and Obama wants this to be civilian (as do I).

My view;
Either massive improvements to the information sharing language are made or the whole thing should be dumped. Better to have an extended debate on regulation after the elections on the merits than a fist fight over civil liberties during the election season. Although it looks like we are going to get both.