Voice Operators' Group: voiceops.org

In many localities, hairdressers require licenses as well. Draw your own
conclusions. :wink:

(speaking only for myself and no one else)...

You make a good point Chris..

Regardless of any politician or bureaucrat's motive for taking an action, many (most?) are ill-prepared to speak or even ponder the topic of "the Internet" (and the fancy series of tubes..) [much less make laws about it].

I was in a local city council meeting recently while one of the council members was chiding a very polite Time Warner Cable "Gov't affairs" spokesperson on something the council person had obviously no clue about.. I was embarrassed for him and proud the TWC rep was able to remain professional..

Making our expertise available to politicos that want to learn sure seems like a good idea, but I suspect we have to be very careful not to run afoul of our employers' rules and desires on such topics.

Hiers, David wrote:

Governments already license stock brokers, pilots, commercial drivers, accountants, engineers, all sorts of people whose mistakes can be measured in the loss of hundreds of lives and millions of dollars.

http://sip-trunking.tmcnet.com/topics/security/articles/63218-bill-give-president-emergency-power-internet-raises-concerns.htm

Good times....

David Hiers

CCIE (R/S, V), CISSP
ADP Dealer Services
2525 SW 1st Ave.
Suite 300W
Portland, OR 97201
o: 503-205-4467
f: 503-402-3277


I must have missed something here... I cannot find in the article or the
bill where it states or alludes to a federal computer license
requirement for computer users.

Is this just more fear mongering or is it in the bill? If it is ... where?

Jason Jenisch

"The proposal also includes a federal certification program for "cyber
security professionals," and a requirement that certain computer systems
and networks in the private sector be managed by people who receive that
license, CNET said."

Peter Beckman wrote:

"The proposal also includes a federal certification program for "cyber
security professionals," and a requirement that certain computer systems
and networks in the private sector be managed by people who receive that
license, CNET said."

Presumably, this is to increase security of private sector networks that interconnect with government networks and high risk networks such as banks and utilities. Presumably it wouldn't mandate the social networking, ESP/ISP sectors.

Jack

Does this tread on open "secrets," inside knowledge, or hoped-for info?
Just asking, I'm guessing you know something I don't and I'd like to be
in on it.

OTOH, I'm pretty sure I agree with you on the merit and worth of
licenses for hairdressers. It seems that the silly season besets us
from the right and from the left. The M&W of government licenses for
IT Pros has been debated and thoroughly discredited, elsewhere.

Much like other things that have been thoroughly discredited but keep
coming back again and again, until they pass when someone drops the
hot potato.

Follow the money, is the adage of yore. Who benefits immediately, from
licensing IT Pros? Easy answer. Who sponsors them or their cause, if
anyone? Or are we to believe that a few (dozen?) independent agencies
are truly the source of this concerted, prolonged push?

I'm not sure what you're asking. Those disconnections were
well-covered in the press. Start with
http://www.doi.gov/news/grilesmemo.htm but there's a lot more that a
quick google search will find.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

Perhaps it's intended to be a workaround to the current problem with a lot of government IT security: the (big) contractors are told to follow IT security guidelines, at which point they point back to their contract and say "That's not in the statement of work, let's renegotiate the contract and cost it out."

Jack Bates wrote:

I guess the precedent for blocking is the way cops can close
airspace, roads, and any piece of property when needed. If you accept
the notion that we've built private and public "roads" and "buildings"
on the "information superhighway", the notion of emergency roadblocks,
crime-scene tape, traffic cameras, and bears-in-the-air can't be too
far behind.

I didn't mean to imply that computer *users* would need a license, but
that many in NANOG would probably be considered as license candidates
by that bill. My message was sent to NANOG (which is not just your
average bunch of users) and is best understood in that context. I may
be wrong, but I suspect that most NANOG subscribers have a security
aspect to their job.

Thanks,

David

I must have missed something here... I cannot find in the article or the
bill where it states or alludes to a federal computer license
requirement for computer users.

Is this just more fear mongering or is it in the bill? If it is ... where?

Jason Jenisch

David

It's not a proposed "license for computer users" but rather a proposal to license computer security professionals. Here is the draft bill text, so that we are all on the same sheet of music:

TITLE I-WORKFORCE DEVELOPMENT

SEC. 101. CERTIFICATION AND TRAINING OF CYBERSECURITY PROFESSIONALS.

(a) IN GENERAL.-Within 1 year after the date of enactment of this Act, the Secretary of Commerce, in consultation with relevant Federal agencies, industry sectors, and nongovernmental organizations, shall develop or coordinate and integrate a national certification, and periodic recertification program for cybersecurity professionals.

(b) TRAINING AND DEVELOPMENT.-The Secretary of Commerce, in consultation with relevant Federal agencies, industry sectors, and nongovernmental organizations, shall devise a strategy to improve, increase, and coordinate cybersecurity training across all sectors.

(c) FEDERAL EMPLOYEES.-The Secretary, in cooperation with the Director of the Office of Personnel Management and other Federal departments and agencies, shall develop and implement a plan to train cybersecurity professionals across the Federal government to ensure they achieve and maintain certification.

(d) CERTIFICATION.-Beginning 3 years after the date of enactment of this Act, it shall be unlawful for an individual who is not certified under the program to represent himself or herself as a cybersecurity professional.

(e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any provision of law to the contrary, the head of a Federal agency may not use, or permit the use of, cybersecurity services for that agency that are not managed by a cybersecurity professional who is certified under the program. It is unlawful for the operator of an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, to use, or permit the use of, cybersecurity services for that system or network that are not managed by a cybersecurity professional who is certified under the program.

A question for the NANOG community - if this section were to only apply to US government employees would it be acceptable? In other words, strike any reference to the private sector (except perhaps for those in the private sector who are under contract to perform government work.)

Marc

Steven M. Bellovin wrote:

I'm not sure what you're asking. Those disconnections were
well-covered in the press. Start with
http://www.doi.gov/news/grilesmemo.htm but there's a lot more that a
quick google search will find.

A news-item or -event I missed for whatever reason, okay.
I'll consult Google. Thank you,

Reese

Scott Morris wrote:

So if someone hacks the electric grid, does it not make sense to unplug
that portion of the infrastructure from the Internet until the problem
is fixed? (e.g. shut down traffic to/from) I think someone wrote an
article after WAY over-thinking this whole thing and everyone else jumps
on the bandwagon.

Declan does that a lot. It's very annoying, but I suppose cnet has never claimed to be an impartial news organization...or have they?

(d) CERTIFICATION.-Beginning 3 years after the date of enactment of
this Act, it shall be unlawful for an individual who is not certified
under the program to represent himself or herself as a cybersecurity
professional.

Highly unlikely that 3 years is sufficient time to devise a certification,
a testing program, and get enough people certified. 5 years would be much
more reasonable.

It will probably take over a year just to thrash out what a "certification" is.
Consider the vast difference in scope and depth between a CISSP and one of
the GIAC certs. (Ghod forbid somebody suggest something rational like "upper
managers need a CISSP-ish cert and line employees need a relevant GIAC-ish
cert".. :slight_smile:)

(e) CERTIFIED SERVICE PROVIDER REQUIREMENT.-Notwithstanding any
provision of law to the contrary, the head of a Federal agency may not
use, or permit the use of, cybersecurity services for that agency that
are not managed by a cybersecurity professional who is certified under
the program.

Unintended consequences - will this encourage the head of an agency to
instead say "screw it" and *not* use any cybersecurity services?

A question for the NANOG community - if this section were to only apply
to US government employees would it be acceptable? In other words,
strike any reference to the private sector (except perhaps for those in
the private sector who are under contract to perform government work.)

Limiting it to "US government agencies, employees, and contractors" would
certainly trim out about 95% of the contentious areas. But it still leaves
me, personally, on the hot seat - am I on the hook because I'm responsible
for research data that's NSF-funded? :wink:

Highly unlikely that 3 years is sufficient time to devise a certification,

No big deal; they could just adopt the CISSP/GIAC cert without
modification as an interim step. Existing certs are already being
used in some court cases:
http://www.wisbar.org/AM/Template.cfm?Section=Home&TEMPLATE=/CM/ContentDisplay.cfm&CONTENTID=70438

Unintended consequences - will this encourage the head of an agency to
instead say "screw it" and *not* use any cybersecurity services?

Not likely. Corporate Officers must already make decisions that meet
a wide range of existing "reasonable man" tests with respect to
security. This is not the only law/regulation in existence.

David

Steven M. Bellovin wrote:

The order arose from Cobell v. Salazar (was C. v. Kempthorne, was C. v. Norton, was C. v. Babbitt). On October 20th, 2005, Judge Royce C. Lamberth ordered the Interior Department to disconnect from the Internet all computer systems that house or provide access to Individual Indian Trust records. "Indian Trust records continue to be in imminent risk of being manipulated and destroyed by computer hackers."

The link to the ruling is http://wampum.wabanaki.net/archives/20051020ITPI.pdf

Former Interior Deputy Secretary Steven Griles was sentenced to 10 months in prison for obstructing a U.S. Senate investigation of Jack A. Abramoff. He was also ordered to pay a fine of $30,000, and serve a term of three years of supervised release.

Eric

Reese wrote:

Sean,

We had a clipped conversation years ago. I'm no longer with the DIA or the
NSA or the ASA (an old '70s agency).

I've worked at Columbia University in the '80s, the NSA in the '70s, and a
lot of other places in the '90s and beyond. Because of my past, I have to
"lurk"...
However, and you must be getting tired after all these years but, please,
keep interjecting your points.

My 2 cents....
Best
Ed

Florian Weimer wrote:

* Scott Morris:

I'm trying really hard to find my "paranoia hat", and just to relieve
some boredom I read the entire bill to try to figure out where this was
all coming from....

"(2) may declare a cybersecurity emergency and order the limitation or
shutdown of Internet traffic to and from any compromised Federal
Government or United States critical infrastructure information system
or network;"
Wouldn't this mean you're allowed to set emergency ACLs only if a
cybersecurity emergency has been declared by the President?

I must have missed the phrasing that says "nobody else can make an
independent decision regarding any security measure above and beyond the
minimum standards"...

I'll go back and look for that.

The thing you're looking for is called "exclusio unius". :sunglasses:

Now the President will not only carry "the football"; he will also
start carrying "the switch".

Cheers

As secretary of the Internet Society's NY Chapter I'd like to back up
Chris's appeal. We are in a position of familiarity and consultation
with local government but definitely in need of the kind of technical
expertise so abundant in NANOG. We'd very much welcome fresh blood.

Steven - I believe you are in our neighborhood?

joly

http://isoc-ny.org