Cybersecurity bill allows gov't to dictates how you run your servers

[brandonstills]

http://news.cnet.com/8301-13578_3-20023464-38.html

The bill would allow gov't to control how you run your servers. If you don't comply you will be fined.

I'm sure they will require some proprietary security software that only one company will have a monopoly on. And I'm sure the company will be chosen based on campaign contributions, and probably feature a hidden backdoor.

"All your database are belong to me."

Quote:

Section 224 of HSCPIPA hands DHS explicit legal "authorities for securing private sector" computers. A cybersecurity chief to be appointed by Napolitano would be given the power to "establish and enforce" cybersecurity requirements.

HSCPIPA's process works like this: DHS draws up a list of regulated "critical" companies by evaluating the likelihood of a "cyberincident," existing vulnerabilities, and the consequences of an attack. DHS is supposed to consult with the NSA, other federal agencies, and the private sector to the "maximum extent practicable," but the other groups don't get a veto over the final list.

Any "system or asset" that is a "component of the national information infrastructure"--read broadly, that could be any major Web site or provider--is fair game for DHS regulation. Companies can appeal if they don't want to be on the "critical" list, but it means asking DHS to reconsider its original decision (no neutral party considers the appeal).

"With a little bit of imagination, you can pretty much pull anything into that," says Lauren Weinstein of People for Internet Responsibility. "Does Google represent critical infrastructure now? It's hard to see how any major Internet service or property could be assured of the fact that it would not be covered."

Once the list is complete, DHS has the authority to require those regulated tech companies to "comply with the requirements" that it has levied. Those requirements include presenting "cybersecurity plans" to the agency, which has the power to "approve or disapprove" each of them. DHS "may conduct announced or unannounced audits and inspections" to ensure "compliance."

"In the case of noncompliance," the legislation says, DHS "may levy civil penalties, not to exceed $100,000 per day, for each instance of noncompliance."

Harper, from the Cato Institute, says that private firms already have the right incentives on cybersecurity. HSCPIPA imposes "a layer of bureaucracy that seeks to replicate the incentive structure that technology firms already face," he says.

[Barefootsies]

It sounds top notch.

Nothing you appreciate more than a little goose stepping across the interweb.

[Dcat]

Very troubling..

I'm going to keep an eye on this, and see how it plays out. It might be time to move to a Canadian based hosting co. soon.

I hope more Americans wake up to who the real "terrorists" are before it's too late.

[Kiopa_Matt]

Huh? So what does this mean in practical terms? The US government is going to fine me $100,000/day because say... I leave port 21 open, or am not PSI compliant, or don't have the latest version of whatever-the-fuck?

How about posting the actual article instead of a trumped up biased piece?

[brandonstills]

Quote:

Originally Posted by Kiopa_Matt

Huh? So what does this mean in practical terms? The US government is going to fine me $100,000/day because say... I leave port 21 open, or am not PSI compliant, or don't have the latest version of whatever-the-fuck?

How about posting the actual article instead of a trumped up biased piece?

The link is the article I pulled it from. It also has a link to the actual bill. It is deliberately vague (as usual). It is subject to interpretation. Yes, all of the above you mentioned COULD BE reason for fining you.

Another speculation would be that they can use it to selectively attack sites they don't like by making compliance near impossible or prohibitively expensive.

[woj]

Quote:

DHS draws up a list of regulated "critical" companies by evaluating the likelihood...

I'm sure some guy running some TGP or a blog would be considered a "critical" company...

[MasterM]

my guess its a promo for EU hosting ))

[BIGTYMER]

Send that butch back to Arizona.

[brandonstills]

Quote:

Originally Posted by woj

I'm sure some guy running some TGP or a blog would be considered a "critical" company...

They might say, this site has a lot of traffic so it is critical. If they can't attack porn for obscenity then maybe they go after it on the basis that it has 'x' amount of traffic so it is "critical".

Regardless, it would not actually secure anything and probably make the matter worse. Is anyone really going to trust their security to someone who just had 250,000 secret documents compromised?