
Jun 13, 2010

Comments

Why do you provide credibility to Declan's commentary by responding to it? Enjoyed your discussion, nonetheless. Per usual, your logic is impeccable!

Some Definitions from the proposed bill you link to:

(14) NATIONAL INFORMATION INFRASTRUCTURE.—The term ‘‘national information infrastructure’’ means information infrastructure— (A)(i) that is owned, operated, or controlled within or from the United States; or

‘‘(4) the term ‘covered critical infrastructure’ means a system or asset—
‘‘(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
‘‘(B)(i) that is a component of the national information infrastructure; or


It isn't clear to me how you're reaching the analysis that essentially all systems that are dependent on the Internet are not "national information infrastructure" and that they therefore are not covered by the rest of the requirements of the bill. I am analyzing it as written; please point out where I've misread the definitions here, or where I don't understand the text because of context required from another law/regulation. Is it that systems aren't covered if they are not already on the list of critical infrastructure? This bill seems to actually say all information systems are critical information systems. Perhaps not its intent?

Thank you.

Stewart,

I really appreciate your context here and I also appreciate the way you can capture significant meaning in concise phrases. I personally plan on spreading this one around as much as I can: "Companies are quite capable of setting the stage for catastrophes well beyond their ability to remedy." You say a great deal in those few words.

Cheers,
Bob

To respond to Andy, here's the definition of covered critical infrastructure, which is what the bill gives authority over:

"(4) the term ‘covered critical infrastructure’ means a system or asset—
‘‘(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
‘‘(B)(i) that is a component of the national information infrastructure; or
‘‘(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset."

I think the structure and grammar are pretty clear. To be covered, an institution must satisfy both (A) and (B), which are joined in the conjunctive "and." To satisfy (B), the institution must meet either the criteria in (B)(i) or in (B)(ii), which are joined in the disjunctive. Both (B)(i) and (B)(ii) can only be satisfied by ties to the national information infrastructure.

Or to put it in English, you can't be covered if you aren't on the list, and just being on the list is not enough. You also have to be part of the information infrastructure or the information infrastructure must be essential to your functioning.

Thanks for this note, though. It makes me realize that I was too quick to say that Microsoft and ISPs would be directly subject to regulation if they service the power grid. They would not, at least not for that reason. Only the grid would be subject to regulation, though of course any order to the grid owners about what standards their ISPs or operating systems must meet would have pretty profound indirect effects on Microsoft and ISPs.

To Gail: How about Justice Brandeis? *Now* am I picking on someone my own size?

Mechanism, hinged on cooperative behavior among a set of responding nodes. Since naïve cooperative behaviors might introduce new risks, including fragility in the face of poor or maliciously-generated information, particular attention must be paid to robustness in the cooperative strategy. The difficulty of detecting, quarantining and recovering from zero-day viruses is made easier if local sensors are allowed more room for error. If we err on the side of allowing false alarms, then detectors can be cautious (paranoid!) and conservatively flag anything that looks suspicious, and depend on cooperative corroboration to determine whether the attack is real or not. For this policy to be effective, though, the entire anti-virus system must handle false alarms quickly and cheaply and still respond rapidly to real virus attacks.

Actually, Windows Embedded is used in infrastructure.

Dale: Aaaaaeeee!

If such attacks are going to continue then this will be a big loss for the country, and I think a quick solution should be found to stop such attacks.
