[IP] DHS proposes to keep major network outages secret??
Begin forwarded message:
From: Richard Forno <rforno@xxxxxxxxxxxxxxx>
Date: June 24, 2004 8:33:34 AM EDT
To: Dave Farber <dave@xxxxxxxxxx>
Subject: DHS proposes to keep major network outages secret??
This goes back to the whole debate over disclosure of vulnerabilities,
both
in cyberspace and the physical world.
Here's another example of "security through obscurity" being proposed by
those in our government without Technology Clue One. While this may
give
such cluebots a warm-fuzzy feeling about keeping such information away
from
the public eye -- and "potential terrorists" -- it's the
thumb-in-the-dike
solution ... There are any number of other ways to get the same
information
or monitor our long-haul networks. At the very least, affected
customers
would complain and news would get out to the greater internet community
in
short order. (Or do they also plan to prohibit third-party network
monitoring services and software?)
Bruce Schneier calls this kind of thinking "security theater" -- the
presentation of the reassuring illusion of security instead of the real
thing that works effectively. I call it the Ostrich Security Syndrome
--
the cyber equivalent of sticking one's collective head in the sand and
hoping the problem/danger goes away before you look up again.
While some of you have noted the periodic "sensationalism" of the
Register,
I repost this article nevertheless, because Kevin is someone I can
trust.
Rick
-infowarrior.org
Feds urge secrecy over network outages
By Kevin Poulsen, SecurityFocus
Published Thursday 24th June 2004 09:46 GMT
Giving the public too many details about significant network service
outages
could present cyberterrorists with a "virtual road map" to targeting
critical infrastructures, according to the US Department of Homeland
Security, which this month urged regulators to keep such information
secret.
< snip >
The commission is hoping for similar results on the wireless and data
networks that have become integral to the US economy and emergency
response
capability. The proposal would expand the landline reporting
requirement to
wireless services, and generally measure the impact of a telecom outage
by
the number of "user minutes" lost, instead of the number of customers
affected.
It would also require telecom and satellite companies to start issuing
reports when high-speed data lines suffer significant outages:
specifically,
whenever an outage of at least 30 minutes duration affects at least
1,350
"DS3 minutes." A DS3 line carries 45 megabits per second, the
equivalent of
28 DS1 or T1 lines.
The reports would include details like the geographic area of the
outage,
the direct causes of the incident, the root cause, whether not there was
malicious activity involved, the name and type of equipment that
failed, and
the steps taken to prevent a reoccurrence, among other things.
To the Department of Homeland Security, that's a recipe for disaster.
"While
this information is critical to identify and mitigate vulnerabilities
in the
system, it can equally be employed by hostile actors to identify
vulnerabilities for the purpose of exploiting them," the DHS argued in
an
FCC filing this month. "Depending on the disruption in question, the
errant
disclosure to an adversary of this information concerning even a single
event may present a grave risk to the infrastructure."
< snip >
http://www.theregister.co.uk/2004/06/24/network_outages/
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/