Schneier on Security
A blog covering security and security technology.
« Outing a CIA Agent |
| New Lows in Secret Questions »
September 7, 2011
The Legality of Government Critical Infrastructure Monitoring
Mason Rice, Robert Miller, and Sujeet Shenoi (2011), "May the US Government Monitor Private Critical Infrastructure Assets to Combat Foreign Cyberspace Threats?" International Journal of Critical Infrastructure Protection, 4 (April 2011): 3–13.
Abstract: The government “owns” the entire US airspace–it can install radar systems, enforce no-fly zones and interdict hostile aircraft. Since the critical infrastructure and the associated cyberspace are just as vital to national security, could the US government protect major assets–including privately-owned assets–by positioning sensors and defensive systems? This paper discusses the legal issues related to the government’s deployment of sensors in privately owned assets to gain broad situational awareness of foreign threats. This paper does not necessarily advocate pervasive government monitoring of the critical infrastructure; rather, it attempts to analyze the legal principles that would permit or preclude various forms of monitoring.
Posted on September 7, 2011 at 2:32 PM
• 16 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
If the assets in question are so vital to national security that monitoring and threat interception is needed, then why not federalize the assets in question? (I realize this flies in the face of private ownership of property, but the government long ago crossed that line...)
>to Combat "Foreign" Cyberspace Threats?
And of course there is no way that any government security agency would mostly be used to spy on internal threats!
"Since the critical infrastructure and the associated cyberspace are just as vital to national security..."
Who said this is true? Oh wait, the International Journal of Critical Infrastructure Protection did...
Which eventually begs the question: is there anything a government can't or shouldn't do as long as in some way it serves "national security". I am pretty sure that in countries like China, Iran and the former USSR the answer to that is a unanimous no.
Whether or not this is also what the Founding Fathers had in mind is of course an entirely different issue. After all, these guys in their days were never exposed to the horrors of ubiquitous muslim terrorism or the perils of the digital age. They had fled Europe for quite frivolous reasons, drafting a constitution based on principles that for many today really are way out of touch with reality.
The fundamental point of the Constitution was to limit what government could do.
However, being both the guardians and interpreters thereof, they've managed to pretty much subvert it (not surprising, really. What's surprising is how long it lasted).
Techno Capability limited by some other consideration is almost always a bias of some sort.
I looked into that issue a couple of years back (trying to understand the ownership of smart grids in years to come) by evaluating what’s publicly available on the CIP programs within 24 countries against the “ International CIIP Handbook“. and mapped the CIP programs against (More) or (Less) government Intervention. and came up with a diagram that show the following:
It’s clear that we are going towards state mandated compliance and powerful intervention ..you can check the diagram below
The analogy between airspace and cyberspace is wrong. There is only one limited airspace, but there can be as much cyberspace as someone is willing to pay for.
Instead of seizing control of privately-owned assets for obscure security reasons, one can simply install a similar, redundant asset and protect it in any suitable way.
Either this blog has a lot more readers than we think, or the /. crowd has found the article. ScienceDirect is down ATM. :-)
Even worse than the site being down-it's behind a paywall. Abstract only available. Thanks but no thanks.
I don't think that the concept of "critical infrastructure" even existed in the time of the founding fathers. About the only parallel to critical infrastructure would have been rivers and waterways. A little communing with Google brings up "Admiralty Law", which as implemented by England was one of the driving factors behind the Revolutionary War.
But the US did have it's own provisions for Admiralty Law in Article 3, Section 2 of the Constitution, however those powers were expressly not exclusive, and further weakened by the 7th Amendment. These references also have more to do with which court tries cases, rather than saying anything about administration or regulation.
Still, so much has been done (grabbed) using the Interstate Commerce, it might be nice to see different justification, for a change.
Ask yourself this: If the Wicked Emperor Wang and his evil minions from the planet Mongo were to hack into some vulnerable SCADA system and take down the electrical grid of the eastern half of the US, kind of like what happened by accident not that long ago.... Who would you blame?
Rather than out-and-out freedom-to-crack for DHS, I might suggest penetration resistance standards along with random testing. This should be "owned" by local PSBs, though probably contracted back out to DHS.
After reading the paper, it is apparent that the U.S. government already monitors such assets and even goes further -- to the point of embedding federal workers in private companies.
For some reason, I thought this was already happening as part of government mandated cyber-security for utilities.
To Mr. Osherin:
it seems your diagram is based on D. Assaf's paper re Models of CIIP, International Journal of Critical Infrastructure Protection Volume 1. 2008.
"it seems your diagram is based on D. Assaf's paper..."
If you look at the botom of the page Mr Osherin links to you will see the following note,
Note: The “Gov/CIP involvement” Diagram is Based on the article “Models of CIIP” by Dan Assaf. Published in elsavier’s “International Journal of Critical Infrastructure Protection” Volume 1. 2008
Did you miss it for some reason you would care to share?
Or are you asking a question which is not apparent from your post?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.