As usual, I greatly enjoyed your blog from 17 June, A Short History of Cyberwar Look-alikes, Rybolov. Moreover I really appreciated your historical examples. It warms my heart whenever an American uses the Russo-Japanese War of 1904/5 as a historic example of anything. Most Americans have never even heard of it. Yet, it is important event today if for no other reason than it established the tradition of having the US President intercede as a peace negotiator and win the Nobel Prize for Peace for his efforts. Because of this, some historians mark it as the historic point at which the US entered the world stage as a great power. By the way the President involved was Teddy Roosevelt.

Concerning the state and nature of Cyberwar today, I’ve seen Rybolov’s models and I think they make sense. Cyberwar as an extension of electronic warfare makes some sense. The analogy does break down at some point because of the peculiarity of the medium. For example, when considering exploitation of SCADA systems as we have seen in the Baltic States and in a less focused manner here in North America, it is hard to see a clear analogy in electronic warfare. The consequences look more like old-fashion kinetic warfare. Likewise, there are aspects of Cyberwarfare that look like good old-fashion human intelligence and espionage. Of course I also have reservations with the electronic warfare model based on government politics. Our friends at NSA have been suggesting that Cyberwarfare is an extension of signals intelligence for years, with the accompanying claim that they (NSA) should have the technical, legal, and of course budgetary resources that go along with it.

I’ve also have seen other writers propose other models of Cyberwarfare and they tend to be a mixed bag at best. At worst, many of the models proposed appear to be the laughable writings of individuals with no more insight to or knowledge of intelligence operations beyond the latest James Bond movie. My own opinion is that two models or driving forces behind international Cyberwarfare activity. The first is pure opportunism. Governments and criminal organizations alike, even authoritarian governments have seen the Hollywood myths and the media hysteria about hacker exploits. Over time, criminal gangs have created and expanded on their cyber capabilities driven by a calculation of profits and risks much like conventional businesses. Combine an international banking environment that allows funds to be transferred across borders with little effort and less time and an international legal environment that is largely out of touch with the Internet and international telecommunications, and we have a breeding ground for Cyber criminals in which the risks of cross-border criminal activity is often much less risky than domestic criminal activity.

As successful Cyber criminal gangs have emerged in totalitarian regimes, it shouldn’t be a surprise that eventually the governments involved would eventually take an interest in both their activities and techniques. There are several reasons that totalitarian government might want to do this. Perhaps the simplest motivation is that the corrupt officials would be drawn to share in the profits in exchange for protection. In addition, the intelligence arms of these nations could also leverage their services and techniques at a fraction of the cost of developing similar capabilities themselves. Additionally, using these capabilities would also provide the intelligence agencies and even the host government with an element of deniability if operations assigned to the criminal gangs were detected.

Monument to the International Brigade photo by Secret Pilgrim.  For more information, read the history of the International Brigade.

Perhaps the most interesting model of development and Cyberwarfare activity today would be based on the pre-WW II example of the Spanish Civil War. After World War I, a period of mental and societal exhaustion followed on the part of all participating nations. This was quickly follow by a period of self-assessment and rebuilding. In the case of the defeated Germany the reconstruction period protracted due to difficult economic conditions, in part created by the harsh conditions of surrender imposed by the winning European governments.

It was also important to remember that these same victorious European governments undermined many of social and moral underpinnings of German society by systematically all the basis of traditional German government and governmental legitimacy without regard for what should replace it. The assessments of most historians is that these factors combined to sow the seed of hatred against the victorious powers and created a social climate in which a return to open warfare at some time in the future was seen as unavoidable and perhaps desirable. The result was that Germany actively prepared and planned for what was seen as the commonly inevitable war in the future. New systems and technologies were considered, tested. However, treaty limitations also hampered some of these efforts.

In the Soviet Union a similar set of conclusions developed during this period of history within the ruling elite, specifically that renewed war with Germany was inevitable in the near term. Like Germany, the Soviet Union also actively prepared for this war. Likewise they considered and studied new technologies and approaches to war. Somewhat surprisingly, they also secretly conspired with the Germans to provide them with secret proving grounds and test facilities to study some to the new technologies and approaches to war that would otherwise have been banned under provisions of the peace treaties of World War I.

So, when Civil War broke out in Spain in the summer of 1936, both Germany and the Soviet Union were positively delirious at the prospects of testing their new military equipment and theories out under battlefield conditions but, without the risks of participating in a real shooting war as an active belligerent. So, both governments sent every military technology possible to their proxies in Spain under the auspices of “aid”. In some cases they even sent “advisors” who were nothing less than active soldiers and pilots in the conflict. At first, this activity took place under a shroud of secrecy. But, when you send military equipment and people to fight in foreign lands it usually takes no time at all for someone to notice that, “those guys aren’t from here”.

Bomber During the Spanish Civil War photo by -Merce-.  Military aviation, bombing in particular, was one of the new technologies that was tested during the Spanish Civil War.

Since the fall of the Soviet Union, I think the world has looked at the United States as the world’s sole superpower. Many, view this situation with fear and suspicion. Even some of our former Cold War allies have taken this view. Certainly our primary Cold War adversaries have adopted this stance. If you look at contemporary Chinese and Russian military writing it is clear that they have adopted a position similar to the pre- World War II notion that war between the US and Russia or war between the US and China is inevitable. To make matters worse, during much of the Cold War the US never seemed to pull it together militarily long enough to actually win a war. Toward the end of the Cold War we started smacking smaller allies of the Soviet Union like Grenada and succeeded.

We then moved on to give Iraq a real drubbing after the Cold War. The so-call “Hyperwar” in Iraq terrified the Russians and Chinese alike. The more they studied what we did in Iraq the more terrified they became. On of the many counters they have written about is posing asymmetric threats to the US, that is to say threatening the US in a way in which it is uniquely, or unusually vulnerable. One of these areas of vulnerability is Cyberspace. All sorts of press reporting indicate that the Russians and Chinese have made significant investments in this area. The Russians and Chinese deny these reports as quickly as they emerge. So, it is difficult to determine what the truth is. The fact that the Russians and Chinese are so sensitive to these claims may be a clear indication that they have active programs – the guilty men in these cases have a clear record of protesting to much when they are most guilty.

Assuming that all of this post-Cold War activity is true, I believe this puts us in much the same situation that existed in the pre-World War II Spanish Civil War era. I think the Russian and Chinese governments are just itching to test and refine their Cyberwarfare capabilities. But, at the same time I think they want to operate in a manner similar to how the Germans and the Soviet Union operated in that conflict. I think they want and are testing their capabilities but in a limited way that provides them with some deniability and diplomatic cover. This is important to them because the last thing they want now is to create a Cyber-incident that will precipitate a general conflict or even a major shift in diplomatic or trade relationships.

One of the major differences between the Spanish Civil War example and our current situation of course is that there is no need for a physical battlefield to exist to provide as a live testing environment for Cyber weapons and techniques. However, at least in the case of Russia with respect to Georgia, they are exploiting open military conflicts to use Cyberwar techniques when those conflicts do arise. We have seen similar, but much smaller efforts on the part of Iran, and the Palestinian Authority as embrace what is seen as a cheap and low risk weapon. However, their efforts seem to be more reactionary and rudimentary. The point is, the longer this game goes on without serious consequence the more it will escalate both vertically (in sophistication) and horizontally (be embraced by more countries). Where all of this will lead is anyone guess. But, I think the safe money is betting that the concept of Cyberwar is here to stay and eventually the tools and techniques and full potential of Cyberwar will eventually be used as part of as part of a strategy including more traditional weapons and techniques.

• A Short History of Cyberwar Lookalikes
• In Response to “Cyber Security Coming to a Boil” Comments….
• Cyber Security coming to a boil
• Beware the Cyber-Katrina!
• A Layered Model for Massively-Scaled Security Management

Saturday, June 20, 2009 from 8:00 AM – 5:00 PM (ET) in downtown DC.

I’ll be going.  This will be a “Bar Camp Stylie” event, where you’re not just an attendee, you’re also a volunteer to make it all happen.  You might end up running a conversation on your favorite privacy topic, so you have been warned. =)

*Most* of the folks going are of the civil libertarian slant.  With my background and where I work, I usually “bat for the other team on this issue”.  The organizers have assured me that I’ll be welcome and can play the heretic role.

How to play:

• Sign up here.
• Check out the wiki, help out with preparation.
• Follow @PrivacyCampDC on twitter
• Be a sponsor.

Some themes that I’ve seen develop so far:

• How some concepts (System of Record) from the Privacy Act are outdated or at least showing their age
• How the open government “movement” and the push for raw data means we need to look at the privacy concerns
• FOIA and privacy data
• Ending the political robocalls

See Y’all there!

• Privacy Camp DC–April 17th
• Certification and Accreditation Seminar, March 30th and 31st
• NIST Framework for FISMA Dates Announced
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3

And by “We”, I mean the security industry as a whole.  And yes, this is your public-policy lesson for today, let me drag my soapbox over here and sit for a spell while I talk at you.

By “Survive”, I mean that we need some kind of self-regulatory framework that fulfills the niche that PCI-DSS occupies currently. Keep reading, I’ll explain.

And the “Why” is a magical phrase, everybody say it after me: self-regulatory organization.  In other words, the IT industry (and the Payment Card Industry) needs to regulate itself before it crosses the line into being considered for statutory regulation (ie, making a law) by the Federal Government.

Remember the PCI-DSS hearings with the House Committe on Homeland Security (AKA the Thompson Committee)?  All the Security Twits were abuzz about it, and it did my heart great justice to hear all the cool kids become security and public policy wonks at least for an afternoon.  Well, there is a little secret here and that is that when Congress gets involved, they’re gathering information to determine if they need to regulate an industry.  That’s about all Congress can do: make laws that you (and the Executive Branch) have to follow, maybe divvy up some tax money, and bring people in to testify.  Other than that, it’s just positioning to gain favor with other politicians and maybe some votes in the next election.

Regulation means audits and more compliance.  They go together like TCP and IP.  Most regulatory laws have at least some designation for a party who will perform oversight.  They have to do this because, well, if you’re not audited/assessed/evaluated/whatever, then it’s really an optional law, which doesn’t make sense at all.

Yay Audits photo by joebeone.

Another magical phrase that the public policy sector can share with the information security world: audit burden.  Audit burden is how much a company or individual pays both in direct costs (paying the auditors) and in indirect costs (babysitting the auditors, producing evidence for the auditors, taking people away from making money to talk to auditors, “audit requirements”, etc).  I think we can all agree that low audit burden is good, high audit burden is bad.  In fact, I think that’s one of the problems with FISMA as implemented is that it has a high audit burden with moderately tangible results. But I digress, this post is about PCI-DSS.

There’s even a concept that is mulling around in the back of my head to make a metric that compares the audit burden to the amount of security that it provides to the amount of assurance that it provides against statutory regulation.  It almost sounds like the start of a balanced scorecard for security management frameworks, now if I could get @alexhutton to jump on it, his quant brain would churn out great things in short order.

But this is the lesson for today: self-regulation is preferrable to legislation.

• Self-regulation is defined by people in the industry.  Think about the State Bar Association setting the standards for who is allowed to practice law.
• Standards ideally become codified versions of “best practices”.  OK, this is if they’re done correctly, more to follow.
• Standards are more flexible than laws.  As hard/cumbersome as it is to change a standard, the time involved in changing a law is prohibitive most of the time unless you’re running for reelection.
• Standards sometimes can be “tainted” to force out competition, laws are even more so.

The sad fact here is that if we don’t figure out as an industry how to make PCI-DSS or any other forms of self-regulation work, Congress will regulate for us.  Don’t like PCI-DSS because of the audit burden, wait until you have a law that requires you to do the same controls framework.  It will be the same thing, only with bigger penalties for failure, larger audit burdens to avoid the larger penalties, larger industries created to satisfy the market demand for audit.  Come meet the new regulatory body, same as the old only bigger and meaner. =)

However, self-regulation works if you do it right, and by right I mean this:

• The process is transparent and not the product of a secret back-room cabbal.
• Representation from all the shareholders.  For PCI-DSS, that would be Visa/MasterCard, banks, processors, large merchants, small merchants, and some of the actual customers.
• The standards committee knows how to compromise and come to a consensus.  IE, we can’t have both full hard drive encryption, a WAF, code review, and sacrificing of chickens in the server room, so we’ll make one of the 4 mandatory.
• The regulatory organization has a grievance process for its constituency to present valid (AKA “Not just more whining”) discrepencies in the standards and processes for clarification or consideration for change.
• The standard is “owned” by every member of the constituency.  Right now, people governed by PCI-DSS are not feeling that the standard is their standard and that they have a say in what comprises the standard and that they are the ones being helped by the standard.  Some of that is true, some of that is an image problem.  The way you combat this is by doing the things that I mentioned in the previous bullets.

Hmm, sounds like making an ISO standard, which brings its own set of politics.

While we need some form of self-regulation, right now PCI-DSS and ISO 27001 are the closest that we have in the private sector.  Yeah, it sucks, but it sucks the least, just like our form of government.

• Observations on PCI-DSS and Circular Arguments
• Metricon 5 Wrapup
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3
• Preliminary Findings on Cybersecurity Review Now Out
• “Machines Don’t Cause Risk, People Do!”

Here in the information assurance salt mines, we sure do loves us some conspiracies, so here’s the conspiracy of the month: S.773 gives the Government the ability to view your private data and the President disconnect authority over the Internet, which means he can sensor it.

Let’s look at the sections and paragraphs that would seem to say this:

Section 14:

(b) FUNCTIONS- The Secretary of Commerce–

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

Section 18: The President–

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

Taken completely by itself, it would seem like this gives the president the authorities to do all sorts of wrong stuff, all he has to do is to declare something as critical infrastructure and declare it compromised or in the interests of national security.  And some people have:

• S773… Government Control of Internet, Censoring Talk Radio!
• Censorship – A Political Rant
• Politics 4 All Comments

And some movies (we all love movies):

It makes me wonder since when have people considered social networking sites or the Internet as a whole as “critical infrastructure”. Then the BSOFH in me things “Ye gods, when did our society sink so low?”

Now, as far as going back to Section 14 of S.773, it exists because most of the critical infrastructure is privately-held.  There is a bit of history to understand here and that is that the critical infrastructure owners and operators are very reluctant to give the information on their piece of critical infrastructure to the Government.  Don’t blame them, I had the same problem as a contractor: if you give the Government information, the next step is them telling you how to change it and how to run your business.  Since the owners/operators are somewhat non-helpful, the Government needs more teeth to get what it needs.

But as far as private data traversing the critical infrastructure?  I think it’s a stretch to say that’s part of the requirements of Section 14, it’s to collect data “about” (the language of the bill) the critical infrastructure, not “processed, stored, or forwarded” on the critical infrastructure. But yeah, let’s scope this a little bit better, CapHill Staffers.

On to Section 18.  Critical infrastructure is defined elsewhere in law.  Let’s see the definitions section from HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection:

In this directive:

The term “critical infrastructure” has the meaning given to that term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).

The term “key resources” has the meaning given that term in section 2(9) of the Homeland Security Act of 2002 (6 U.S.C. 101(9)).

The term “the Department” means the Department of Homeland Security.

The term “Federal departments and agencies” means those executive departments enumerated in 5 U.S.C. 101, and the Department of Homeland Security; independent establishments as defined by 5 U.S.C. 104(1);Government corporations as defined by 5 U.S.C. 103(1); and the United States Postal Service.

The terms “State,” and “local government,” when used in a geographical sense, have the same meanings given to those terms in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).

The term “the Secretary” means the Secretary of Homeland Security.

The term “Sector-Specific Agency” means a Federal department or agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category. Sector-Specific Agencies will conduct their activities under this directive in accordance with guidance provided by the Secretary.

The terms “protect” and “secure” mean reducing the vulnerability of critical infrastructure or key resources in order to deter, mitigate, or neutralize terrorist attacks.

And referencing the Patriot Act gives us the following definition for critical infrastructure:

In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Since it’s not readily evident from what we really consider to be critical infrastructure, let’s look at the implemention of HSPD-7.  They’ve defined critical infrastructure sectors and key resources, each of which have a sector-specific plan on how to protect them.

• Agriculture and Food
• Banking and Finance
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Healthcare and Public Health
• Information Technology
• National Monuments and Icons
• Nuclear Reactors, Materials and Waste
• Postal and Shipping
• Transportation System
• Water

And oh yeah, S.773 doesn’t mention key resources, only critical infrastructure.  Some of this key infrastructure isn’t even networked (*cough* icons and national monuments *cough*). Also note that “Teh Interblagosphere” isn’t listed, although you could make a case that information technology and communications sectors might include it.

Yes, this is not immediately obvious, you have to stitch about half a dozen laws together, but if we didn’t do pointers to other laws, we would have the legislative version of spaghetti code.

Going back to Section 18 of S.773, what paragraph 2 does is give the President the authority to disconnect critical infrastructure or government-owned IT systems from the Internet if they have been compromised.  That’s fairly scoped, I think.  I know I’ll get some non-technical readers on this blog post, but basically one of the first steps in incident response is to disconnect the system, fix it, then restore service.

Paragraph 6 is the part that scares me, mostly because it has the same disconnect authority as paragraph 2and the same scope (critical infrastructure and but the only justification is “in the interests of national security”. In other words, we don’t have to tell you why we disconnected your systems from the Internet because you don’t have the clearances to understand.

So how do we fix this bill?

Section 14 needs an enumeration of the types of data that we can request from critical infrastructure owners and operators. Something like the following:

• Architecture and toplogy
• Vulnerability scan results
• Asset inventories
• Audit results

The bill has a definitions section–Section 23.  We need to adopt the verbiage from HSPD-7 and include it in Section 23.  That takes care of some of the scoping issues.

We need a definition for “compromise” and we need a definition for “national security”. Odds are these will be references to other laws.

Add a recourse for critical infrastructure owners who have been disconnected: At the very minimum, give them the conditions under which they can be reconnected and some method of appeal.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 4
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 1
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 5
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2

April Fools Day pranks aside, I’m wondering what happened to the 60-day Cybersecurity Review.  Supposedly, it was turned into the President on the 17th.  I guess all I can do is sigh and say “So much for transparency in Government”.

I’m trying hard to be understanding here, I really am.  But isn’t the administration pulling the same Comprehensive National Cybersecurity Initiative thing again, telling the professionals out in the private sector that it depends on, “You can’t handle the truth!”

And this is the problem.  Let’s face it, our information sharing from Government to private sector really sucks right now.  I understand why this is–when you have threats and intentions that come from classified sources, if you share that information, you risk losing your sources.  (ref: Ultra and  Coventry, although it’s semi-controversial)

Secret Passage photo by electricinca.

Looking back at one of the weaknesses of our information-sharing strategy so far:

• Most of the critical infrastructure is owned and operated by the private sector.  Government (and the nation at-large) depends on these guys and the resilience of the IT that these
• The private sector (or at least critical infrastructure owners and operators) need the information to protect their infrastructure.
• Our process for clearing someone to receive sensitive information is to do a criminal records investigation, credit report, and talk to a handful of their friends to find out who they really are.  It takes 6-18 months.  This is not quick.
• We have some information-sharing going on.  HSIN and Infragard are pretty good so far–we give you a background check and some SBU-type information.  Problem is that they don’t have enough uptake out in the security industry.  If you make/sell security products and services for Government and critical infrastructure, you owe it to yourself to be part of these.
• I’ve heard people from Silicon Valley talk about how the Government doesn’t listen to them and that they have good ideas.  Yes they do have some ideas, but they’re detached from the true needs because they don’t have the information that they need to build the right products and services, so all they can do is align themselves with compliance frameworks and wonder why the Government doesn’t buy their kit.  It’s epic fail on a macromarket scale.

In my opinion, Government can’t figure out if they are a partner or a regulator.  Choose wisely, it’s hard to be both.

As a regulator, we just establish the standard and, in theory anyway, the private sector folks don’t need to know the reasoning behind the standard.   It’s fairly easy to manage but not very flexible–you don’t get much innovation and new technology if people don’t understand the business case.  This is also a more traditional role for Government to take.

As a partner, we can share information and consequences with the private sector.  It’s more flexible in response but takes much more effort and money to bring them information.  It also takes participation from both sides–Government and private sector.

Now to tie it all off by going back to the 60-Day Cybersecurity Review….  The private sector needs information contained in the review.  Not all of it, mind you, just the parts that they need to do their job.  They need it to help the Government.  They need it to build products that fit the Government’s needs.  They need it to secure their own infrastructure.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 4
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• The World Asks: is S.773 Censorship?
• Surprise Report: Not Enough Security Staff

Rybolov Note: this is part 4 in a series about S.773.  Go read the bill here.  Go read part one here.  Go read part two here.  Go read part three here. Go read part four here.

Themes: I’ve read this thing back and forth, and one theme emerges overall: We’ve talked for the better part of a decade about what it’s going to take to “solve” this problem that is IT security, from an internal Federal Government standpoint, from a military-industrial complex standpoint, from a state and local government standpoint, from a private-sector standpoint, and from an end-user standpoint.  This bill takes some of the best though on the issue, wraps it all up, and presents it as a “if you want to get the job done, this is the way to do it”.

Missing: The role of DHS.  Commerce is highly represented, over-represented to my mindset.  Looking at the pieces of who owns what:

Commerce security organizations:

NTIA–Technically not a security organization, but they manage the DNS root and set telecom policy.

NIST–They write the standards for security.

FTC–They regulate trade and have oversight over business fraud.

DHS Security organizations:

NPPD–They are responsible for critical infrastructure and national risk management.

NCSD–They do the security operations side of our national cybersecurity strategy and run US-CERT. (BTW, hi guys!)

Secret Service–They have the primary responsibility of protecting the US Currency which also includes computer crimes against financial infrastructure.

Science and Technology Directorate–They are responsible for research and development, including IT security.

DOJ Security Organizations:

FBI–Surprise, they do investigations.

So you see, some of the things that are tasked to Commerce are done by DHS and DOJ.  This is probably the nature of the bill, it was introduced in the Commerce committee so it’s understandable that it would be Commerce-centric.

Cost: One thing kept nagging me in the back of my head while going through this bill is the cost to do everything  We’re asking to do a lot in this bill, now what’s the total cost?  Typically what happens when a bill makes it out of committee is that the Congressional Budget Office attached a price to the legislation as far as the total cost and then what’s the breakdown for the average American household.  That data isn’t published yet on the bill’s page, so we’ll see in the next iteration.

In-Your-Face Politics: Really, this bill is showing us how to do the full security piece.  It includes everything.  It’s challenging people to come up with alternatives.  It’s challenging people to delete the sections that don’t make sense.  It’s challenging people to fix the scope issues.  Like it or hate it, it definitely stirs up debate.

Final Thoughts: S.773 is a pretty decent bill.  It has some warts that need to be fixed, but overall it’s a pretty positive step.

Capitol photo by bigmikesndtech.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 4
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 1
• The World Asks: is S.773 Censorship?