Author Archive: Stewart Baker

STEWART BAKER, guestblogging, says:

I feel a little like Marshall McLuhan in the last funny Woody Allen movie.  Glenn has invited me to step into the debate between him and Andrew Sullivan about the Lieberman-Collins cybersecurity bill and its alleged Internet kill switch.

Andrew Sullivan will probably regret this in the long run, but he and I agree. (To his credit, Glenn knew that when he invited me to post here).

The widespread claim that the bill contains a kill switch is, well, a bunch of bull switch.

The epithet “Internet kill switch” was first coined to describe (to attack, really) a much different bill proposed by a different committee.  Maybe that bill justified the term.

But Lieberman’s bill doesn’t.  It is a lot more limited and careful in responding to a serious threat — the possibility that another nation might use our increasingly networked infrastructure to disrupt phone, banking, and power service in large parts of the country.  Since those services are in private hands, the government needs some legislative authority to respond to such an attack.  (We don’t usually ask private companies to respond to military attacks on their own.)

So what authority does the bill propose to give the government? To cut to the chase, it doesn’t grant authority over “the Internet.”  It gives the President the power to order certain critical infrastructure owners to protect themselves in a coordinated way.

Here’s a more detailed breakdown of who’s covered (My apologies, but this is a little complicated.)

  • First, to be covered, an asset must be part of the critical infrastructure, which is defined under existing law as systems and assets “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”  That is pretty carefully focused on things like nuclear power plants and the New York Stock Exchange, not the Internet at large.
  • Second, under section 241, even assets that arguably fit this definition are not covered unless they are identified on a list prepared by DHS (as far as I know, the list has not been made public, because we don’t want to give adversaries a handy list of the best targets).
  • Third, the authority only applies to a portion of that list, specifically to IT systems that support (or are themselves) critical infrastructure.

So the authority doesn’t extend to the Internet writ large, only to certain identified IT systems whose loss would have a debilitating effect on national security, health and safety.  It can’t be used to shut down the blogosphere, not even if Secretary Napolitano finds it personally debilitating not to get a morning fix of Andrew Sullivan.

Okay; it doesn’t cover the whole Internet.  But at least it’s a “kill switch” for the networks it covers, right?

Nope, not that, either.  In an emergency, section 249 of the bill lets the government order owners of critical infrastructure to do two things:

  • First, the government can tell them to implement their own emergency response plans, which are required by a different section (248) of the bill.
  • Second, the government can “develop and coordinate emergency measures or actions necessary to preserve the reliable operation, and mitigate or remediate the consequences” of an attack. And in developing these measures, the government must choose “the least disruptive means feasible.”

No doubt there’s room for quibbling and improvement in the bill’s language, but a kill switch it ain’t.

In short, if you think that a cyberattack is possible, and I’ve devoted big chunks of a website to explaining why an attack is highly likely, then this bill simply gives the President the minimum authority he’ll need to assure protection for our most important assets — like phones, banks, power.

Then why is the blogosphere, right and left, full of fulmination about the kill switch?  This post is long enough already, so I’ll just say that I think it’s a combination of privacy ideologues who automatically condemn new government authorities, even necessary ones, and anti-regulatory business interests — what I call the privacy-industrial complex. If you want to know more, it’s a theme I develop at length in Skating on Stilts.

[Glenn adds: Me, a dupe of the privacy-industrial complex? Say it ain’t so! But I’m sure Andrew won’t be troubled by these powers when they’re employed by the Palin Administration!]

IS OPEN SOURCE BIOLOGY the solution to bioterrorism?  In the Economist’s world, white-hat biologists quickly cure any disease the bad guys dream up.  I can see why biologists like that solution; it means more funding for them.  But haven’t we already tried outcompeting the black hats in the world of computer malware?  How’s that working out?

VULNERABILITY COMES CHEAP? There’s an increasingly open market in computer vulnerabilities.   Crooks buy them to construct “zero day” exploits: attacks on flaws the vendor doesn’t yet know about, so no patch exists and signature-based malware detection has nothing to match against.  Security firms buy the vulnerabilities to improve their detection programs.

So what’s the price of a new vulnerability?  A very limited study found that most vulnerabilities sell for $5,000 or less. Some of the posters at Slashdot are pleased that vulnerability sellers, presumed to be unscrupulous researchers and hackers, “aren’t making much money at it.”  But considering the lack of trust in any such market — the buyer doesn’t know the vulnerability is any good until it’s been clearly explained, and once the seller has clearly explained it, the buyer has no incentive to pay — $5,000 doesn’t seem all that cheap.

And if it is, should we celebrate?  A low price for computer vulnerabilities tells us something about the supply of vulnerabilities: Plenty more where those came from.  I don’t think we open champagne when the wholesale price of cocaine hits new lows.

CRAIG VENTER creates a cell with synthetic DNA. Venter is an interesting character.  I invited him to DHS while I was in government, for an encounter that left neither of us satisfied.  Here’s an excerpt from, yes, Skating on Stilts:

Craig Venter is a bald man with a beard and the tanned, bulky fitness of a sixty-year-old defying his years. He leans across the DHS conference room table as though he owns it. But the meeting isn’t going quite as smoothly as Venter expected.

If anyone represents the promise of biotech, it is Venter. He sees engineered organisms as the key to progress and riches on a vast scale. So he can’t be comfortable with the theme of the meeting.

I am pressing him on risks, not promise. Venter knows more about biotech than almost anyone. If there’s a way to avoid the dangers that come with democratizing genetic engineering, Venter should have it at his fingertips.

“What will stop terrorists from inventing new diseases?” I ask.

I’m thinking of what happened in 2001, when an Australian research project went frighteningly wrong. The researchers were trying to create a rodent contraceptive from the mousepox virus. They spliced a gene into the mousepox virus. They didn’t want to hurt the mice, so they injected the engineered virus only into mice bred for resistance to mousepox. And, adding suspenders to their belt, they vaccinated some of the mice for mousepox before administering the injection.

As a contraceptive, it turned out, the new virus was an overachiever. Dead mice don’t have sex, and dead mice were what the virus produced. The new gene turned the formerly mild mousepox virus into a killer, overriding the genetic resistance of every unvaccinated mouse. And then it turned on the vaccinated mice, killing half of them for good measure. If just one researcher made just one mistake as bad as that with human subjects, I tell Venter, even nations that had stockpiled vaccines would be destroyed. How do we know, I say, that well-intentioned hobbyists, not to mention hapless terrorists, won’t produce pathogens that are far more lethal and contagious than they intended? …

I’m hoping Venter can see something I’ve missed, some reason why democratizing this technology won’t ultimately empower the worst in human behavior as well as the best. Or at least some way to keep his beloved technology from putting humanity at risk.

I wait. Venter leans in, clears his throat. He smiles the winning smile that has charmed reporters and government funders for more than a decade.

“My, my, don’t you have an imagination,” he beams.

MMM, SPICY BURGERS. They’re better for you, as well as tastier.

IN THE MAIL: Short: Walking Tall When You’re Not Tall At All by John Schwartz.  Speaking as a borderline short person (I’ve been called dapper, which is code for short-and-wears-a-suit), I thought this book was charming, but what’s best is how it subtly undercuts the entire grievance industry.  If even the height-and-income studies have been hyped, imagine the data distortion underway in more politicized fields.  Says Schwartz in an interview:

I didn’t find any studies that really supported the idea that being short was a disadvantage—even those much-publicized studies that seem to say small people earn less than taller folks. Beyond that, I knew that science can be manipulated and misused, but even I was surprised to see how far people stretched it. I spoke with David Sandberg, a researcher whose groundbreaking work showed that the overwhelming majority of short kids actually cope pretty well with being small. His studies showed that their height doesn’t cause them deep psychological stress, and in fact he found that other kids did not see them in a demeaning way. … Sandberg was startled to find that his work was being cited to the FDA to support the notion that small kids do have big problems!

MMM, GINGER. And it’s good for you:  “Researchers at the University of Georgia have found that daily ginger consumption reduces muscle pain caused by exercise”  by 25%.

MORE TERROR ATTACKS SOON?  Stratfor Global Intelligence expects the Taliban to launch “additional attacks … in primarily New York City and Washington, D.C., in the next five- to six-month timeframe.”

NO CABS TO BE HAD OUT THERE:  Males (of another species) deceive females about danger in order to keep them near: 

“Researchers report that when ovulating female antelopes appear ready to leave, male antelopes make alarm cries identical to ones they make when lions are near. The males look in the direction the females appear headed as they make the cries, triggering them to falter and step back.”

NAVY SEALS FIGHTING TERRORISM isn’t really news. Navy sea lions, though, that’s another story.

WHAT WENT WRONG in the Christmas Day bombing?  The Senate Intelligence Committee report identifies fourteen “points of failure.”  Failure No. 2 is the decision not to put Abdulmutallab on the “no fly” list, which the intel committee attributes to “the language of the watchlisting standard, the manner in which it was being interpreted at the time, or both.”

Hang on.  The intel committee is saying that the Bush Administration had made it too hard to put people on the watchlist?  Was that the result of some previously unnoticed, late-breaking wave of Bush Administration squishiness on terrorism?  Not exactly.  What the intel committee doesn’t mention is a concerted 2008 campaign, led by the ACLU, that was intended to make the watchlisting standard more rigid, and did.  Here’s what I said in Skating on Stilts about the Christmas Day errors:

Imagine for a minute that you were a security official watching the ACLU press conference in 2008. You see that the organization got the number of names on the list wrong, trashed TSA for a problem they’d created themselves, and received fawning coverage for it. Do you really want to stick your head over the parapet and suggest a substantial expansion of lists that the ACLU says are already “out of control” and are victimizing tens of millions of Americans? Nope, in those circumstances, there wasn’t much chance that standards for getting on the lists would be eased, or that TSA would soon get operational access to the other 95 percent of the database.

In the end when all is said and done, the investigations of the incident will find errors in how the agencies handled the lists and the screening. But when they do, for once we should skip the football analogies.

The errors weren’t “fumbles” or “dropped balls.” Instead, the most apt analogy comes from tennis.

Because if ever there were a “forced error” in policy making, this is it.

And as in tennis, full credit should go to the privacy advocates that forced it.

Well, the unclassified report is out.  And it says pretty much what I expected, except that the authors, who fearlessly trashed the State Department, NCTC, NSA, the CIA, and the FBI, couldn’t muster the courage to credit the privacy lobby for its dubious achievement.

BUT THEY’RE GOOD GERMAN OFFICIALS.  Here’s a quick privacy quiz.  Imagine that data from your unsecured wireless router has been mistakenly collected by a Google Street View car as it trundles down your street.  The company admits that it shouldn’t have done that.  In order to cure the privacy violation, you want Google to:

(a) Destroy your data

(b) Turn all your data over to German government officials

You can learn everything you need to know about the European privacy bureaucracy from the answer to this question.

REVERSING AGE-RELATED MEMORY LOSS: “Fischer’s team flipped the acetyl genetic switch to the “on” position in the older mice and their learning and memory performance became similar to that of 3-month-old mice.”

Don’t tell me.  I know there was something that I wanted faster, please.  Give me a minute.  It’ll come to me…

DID APPLE REJECT A POLITICAL CANDIDATE’S APP BECAUSE IT “DEFAMED” HENRY WAXMAN?  Dear Steve Jobs:  If you’re ever making a presentation and see a really fit blonde woman running down the aisle with a hammer, get off the stage.  She’s definitely looking for you.

WAR DRIVING:  Now that cars are just platforms and Ford is starting an apps store, how long before we see auto-malware?  Not long, say researchers from the University of Washington and UC San Diego, who plugged a laptop into a car’s diagnostic (OBD-II) port and injected their own messages onto the vehicle’s internal networks.  They were able to disengage or engage brakes (sometimes one wheel at a time), overriding the driver entirely.  And in a move that may make this the first scientific paper to be turned into a major motion picture, they launched a “Self-Destruct” mode:

“a 60-second count-down is displayed on the Driver Information Center (the dash), accompanied by clicks at an increasing rate and horn honks in the last few seconds. In our demo, this sequence culminated with killing the engine and activating the door lock relay (preventing the occupant from using the electronic door unlock button).”

Looks like skating is for pikers; soon we’ll all be driving on stilts.
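The attack described above works because an in-vehicle bus like CAN has no sender authentication: any node that can transmit can claim to be the brake or engine controller, and to out-talk the real one it typically has to flood the bus with its own copies of that message.  The following is an added example, not code from the researchers or from this post, of the simplest detection that weakness permits: learn how often each message ID normally appears from a trusted capture, then flag IDs that were never seen and frames that arrive far faster than their learned cadence.  It assumes a candump-style log format (“(timestamp) iface ID#HEXDATA”); the message IDs, payloads and timestamps are constructed for illustration and do not correspond to any real vehicle.

```python
"""Toy CAN-bus injection detector (added example, not the researchers' code).

Learns per-ID inter-arrival periods from a trusted capture, then flags frames
whose ID was never seen in the baseline or which arrive much faster than the
learned period (a flood trying to out-talk the legitimate ECU).  Log format,
IDs and payloads below are constructed/hypothetical.
"""
import re
from collections import defaultdict
from statistics import median

# candump -l style line: "(1273800000.123456) can0 1A0#0011223344556677"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_frame(line):
    """Return (timestamp, can_id, payload_bytes); reject malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable CAN log line: {line!r}")
    data = bytes.fromhex(m.group("data")) if m.group("data") else b""
    if len(data) > 8:
        raise ValueError("classic CAN payload exceeds 8 bytes")
    return float(m.group("ts")), int(m.group("id"), 16), data


def learn_baseline(lines):
    """Map each CAN ID to its median inter-arrival gap (seconds) in a trusted capture."""
    last_seen = {}
    gaps = defaultdict(list)
    for line in lines:
        ts, cid, _ = parse_frame(line)
        if cid in last_seen:
            gaps[cid].append(ts - last_seen[cid])
        last_seen[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if g}


def detect_injection(baseline, lines, ratio=0.25):
    """Return [(reason, ts, can_id)] for unknown IDs or frames arriving
    faster than ratio * the learned period for that ID."""
    last_seen = {}
    alerts = []
    for line in lines:
        ts, cid, _ = parse_frame(line)
        if cid not in baseline:
            alerts.append(("unknown-id", ts, cid))
        elif cid in last_seen and (ts - last_seen[cid]) < ratio * baseline[cid]:
            alerts.append(("too-fast", ts, cid))
        last_seen[cid] = ts
    return alerts


# Constructed baseline: ID 0x1A0 every 10 ms, ID 0x2C0 every 100 ms.
BASELINE_LOG = (
    [f"({1000.0 + i * 0.010:.6f}) can0 1A0#0000000000000000" for i in range(100)]
    + [f"({1000.0 + i * 0.100:.6f}) can0 2C0#0100" for i in range(10)]
)


def build_attack_log():
    """Constructed capture: legitimate 0x1A0 traffic, a 1 ms injected flood on
    the same ID, and one frame with an ID never seen in the baseline."""
    frames = [(2000.0 + i * 0.010, "1A0#0000000000000000") for i in range(10)]
    frames += [(2000.0505 + k * 0.001, "1A0#FFFF000000000000") for k in range(5)]
    frames.append((2000.0555, "7DF#02010D0000000000"))
    frames.sort()  # a real log is chronological
    return [f"({ts:.6f}) can0 {body}" for ts, body in frames]


if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOG)
    for reason, ts, cid in detect_injection(base, build_attack_log()):
        print(f"{ts:.4f} ID 0x{cid:03X}: {reason}")
```

Cadence checks like this catch a flood but not a single well-timed spoofed frame, and they cannot tell which node sent a message; that is why the research community has treated the absence of authentication on these buses as the root problem rather than something detection alone can fix.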

CYBERWAR:  Richard Clarke and Rob Knake have written a good book on the practical realities of cyberwar.  I cover this topic, and Richard Clarke himself, in Skating on Stilts, including this quick sketch:

Clarke was a flamboyant bureaucratic warrior camouflaged by the dress and haircut of a high school math teacher. A career official with a knack for building empires — and making enemies — he had risen to take charge of both cybersecurity and terrorism policy in President Clinton’s National Security Council. He later became famous briefly for his scathing denunciation of the Bush White House’s response to terrorism warnings.  But in 2000 he was better known as the man who had sponsored the failed Clinton Administration plan to build a monitoring network.

So Clarke’s got years of government background on the issue.  His book aims to do for cyberwar what Herman Kahn and William Kaufmann did for nuclear war — engage in some clear-eyed thinking about the very unpleasant surprises that new forms of war may hold for America’s leadership.  By and large, he succeeds (though he’s occasionally a bit naive about the way international initiatives to limit cyberwar will likely play out).

OR AT LEAST MORE EXPENSIVE:  New York plans a camera system “which it hopes will eventually be more sophisticated and effective than the closed-circuit TV (CCTV) system used by police in London.”