A horse of a different color
Senate Cybersecurity Caucus’ founder Mark Warner put nine crucial questions to several federal agencies with some jurisdictional heft concerning the Dedicated Denial of Service that effectively blew up access to much of the eastern part of the country’s website access beginning Friday, October 21.
Like you, this congressional leader has some credentials in the realm of cyberspace, having been an early entrepreneur there in its nascence. Yet neither he nor you need be a Dylanesque Nobel Prize winner to know that the world wide web’s neutral administrators had better wise up to that ever-present warning of future’s constancy, i.e., the times they are a-changin.
The nine questions
In his deep dive into the problems, he fittingly nails nine protestant theses to e-commerce’s burgeoning money-colored emerald gates now loosely governed by the Oz-like Feds:
1. What types of network management practices are available for internet service providers to respond to DDoS threats?
2. Would it be a reasonable network management practice for ISPs to designate insecure network devices as “insecure” and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses?
3. What advisories to, or direct engagement with, retailers of IoT devices have you engaged in to alert them of the risks of certain devices they sell?
4. What strategies would you pursue to take devices deemed harmful to the network out of the stream of commerce? Are there remediation procedures vendors can take, such as patching? What strategy would you pursue to deactivate or recall the embedded base of consumer devices?
5. What consumer advisories have you issued to alert consumers to the risks of particular devices?
6. To the extent that certain device security capabilities can be improved with software or firmware updates, how will you ensure that these updates are implemented?
7. Do consumers have meaningful ability to distinguish between products based on their security features? Are formal or third-party metrics needed to establish a baseline for consumers to evaluate products? If so, has your agency taken steps to create or urge the creation of such a baseline?
8. Should manufacturers have to abide by minimum technical security standards? Has your agency discussed the possibility of establishing meaningful security standards with the National Institute of Standards and Technology?
9. What is the feasibility, including in terms of additional costs to manufacturers, of device security testing and certification, akin to current equipment testing and certification of technical standards conducted by the Federal Communications Commission under 47 CFR Part 2?
Follow the yellow brick road
The foregoing queries (edited down from some of their greater detail) are taken directly from Warner’s Senate website and his letter to the Federal Communications Commission. Given the complexity of the questions, it may take some time to receive substantive answers.
[clickToTweet tweet=”Care about what ISPs are doing to respond to DDOS attacks? Here’s how to call your U.S. Senator. ” quote=”Perhaps the best course of action by you, the heart-felt intelligent brave pioneer in the nether world of the still promising e-commerce entrepreneur, is to communicate both with his Caucus as well as your own Senator. “]
For such a proactive purpose, the path on that yellow brick road is here provided:
Senate Cybersecurity Caucus: Given that all but one such group are ad hoc, and unofficial unfunded informal “arms” of this body, it is better to communicate with its two founding Senators, Warner of Virginia and Gardner of Colorado. Rafi Martina in Warner’s office at 202-224-2023 is the Senator’s own designee per his FCC letter.
U.S. Senate via Switchboard: Alternatively, you may phone the United States Capitol switchboard at (202) 224-3121. A switchboard operator will connect you directly with the Senate office you request.
#9Questions
