Some Violent Entertainment Causes No Harm. Guns on the Other Hand...

In the wake of the NRA's bizarre press conference today, the news media will no doubt look into the gun group's accusations that entertainment media, with its propensity to violence, causes gun violence, if for no other reason than to debunk the NRA's bitter-toned deflection of blame.  So I'm hesitant to even address the issue lest I give credence to that misdirection.

But there can be no question that the causal link between entertainment violence (whether in the form of video games or TV programming or even web content) and gun violence (or any other violent act for that matter) is complex and subtle, while the existence of guns and gun violence are 100% causally linked. It is a tautological truism that guns cause gun violence.  And often lost in the debate over entertainment violence is research that clearly concludes that some kinds of entertainment violence are not harmful.

According to the bona fide top researchers in the field of video violence and its effects on viewers, particularly children,  the context or way in which violence is depicted dictates whether the violence might lead to pro-social benefits or anti-social risks.  In short, when it comes to entertainment violence, the kinds of messages portrayed by the violence determine its impact.

For example, "violence that is undeserved or purely malicious decreases the risk of imitation or learning of aggression" while "portrayals of punished violence can  decrease the chances that viewers will learn aggression."  Perhaps most importantly in documenting the non-harmful effects of entertainment violence, studies indicate that "showing the serious harm and pain  that occurs from violence can discourage viewers from imitating or learning aggression."

Still, no one in the academic community seriously doubts that there is too much violence in entertainment or that depicted violence can cause fear and aggression.  Many of those same researchers cited above spearheaded the largest television violence study conducted to date, which examined over 10,000 hours of television over a three-year period involving 300 people across four universities. (Full disclosure:  I was involved in the launch and first year of this study on behalf of the cable industry).

Although the goal of that study was not to assess the impact of video entertainment violence, but rather to look at the frequency and types of violence shown, among other goals, it nonetheless started with the foundation that television violence contributes to harmful effects on viewers.  So there's no question that society should continue to monitor and even limit the violent messages we embrace.

It's murky territory when it comes to tying violent entertainment to violent behavior.  It's not at all murky that the sole purpose of guns is to cause violence or at least the threat of violent, bodily harm.  The two things, violent entertainment and the existence of so many guns, should not therefore be conflated.

Read More

Are You a Key Energy or Telecom Cybersecurity Professional? Let Us Know

DCT Associates will soon publish its first public product, an Energy and Telecom Cybersecurity databook, which we hope will serve as a useful reference tool for technical, operational and policy professionals working in the energy and telecom cybersecurity arenas.  It's a big task, but our goal is to help everyone navigate the complex cybersecurity arena by focusing first on the two most important critical infrastructure sectors, energy and telecom.

The book will feature concise snapshots of the technical, policy and organizational challenges and opportunities in the hideously complex cybersecurity world.  We'll start off providing an overview of who does what, where and why, (which may be a fool's errand when it comes to the arcane and complex world of cybersecurity, but that makes the work all the more fun).

As part of the project we've developed a directory of nearly 400 individuals that we've loosely categorized as key technical, legal, policy, government and operational experts on cybersecurity in the energy and telecom realms - but we don't want to overlook anyone.    We're including all kinds of organizations in our list, including technology supply, academic, trade, government, consulting and industry organizations, along with key contacts at energy and telecom companies.  If you believe you or a colleague should be featured as a key contact, please fill out a form we've set up to collect the relevant pieces of information we seek.

Although we encourage as many suggestions as possible, we're not making any commitments to including all submissions in the directory; we reserve editorial judgment to make the list as useful and targeted as possible.  Drop me an email at cynthia@dct-associates.com if you have any questions or comments.

Image Courtesy of Photoxpress.

Read More

Mike Rogers: We've Still Got Two Weeks to Pass a Cybersecurity Bill

In the probable wishful thinking category, Rep. Mike Rogers (R-MI), Chairman of the House Permanent Select Committee on Intelligence, said today that despite the political high drama surrounding the so-called fiscal cliff and defense sequestration issues crippling the Congress, there is still time to pass a critical infrastructure cybersecurity bill before Congress recesses later this month.  "I haven’t given up yet – we still have a couple of weeks," he said during an event hosted by the George Washington University Cybersecurity Initiative.

However, most of the high-powered panelists believe that with or without legislation, the Obama White House will still make good on its vow to pass an executive order on cybersecurity because the stakes are too high. "We are probably going to get an executive order out of the White House," Howard Schmidt,  former White House cybersecurity coordinator said.

When the new Congress arrives in January, it will work in a bi-partisan way to revisit any outstanding cybersecurity issues, Rep. Michael McCaul (R-TX), incoming House Homeland Security Committee Chairman predicted.  "I think this is an area where we'll have bipartisanship and do it in a bicameral way," he said.

Business lobbyists are putting the nation's security at risk by continually derailing any meaningful cybersecurity legislation, Mort Zuckerman, co-chair of the Bipartisan Policy Center’s (BPC) Cyber Security Task Force, said.  "The conclusions are so unbelievably obvious.  You reel back in shock that you can’t get something so obvious like this through Congress."

The long-time newsman advocated mounting a grassroots public information campaign that bypasses powerful business groups, such as the U.S. Chamber of Commerce, which has lobbied hard against all but the weakest cybersecurity measures.  We need to "have some series of national programs that just indicate what would happen and find some way to get this on television networks or in newspapers" so that citizens will pressure Congress into taking action over the objections of industry interests,  Zuckerman said.  "The country is at risk on levels that we have never experienced." 

Read More

New Cybersecurity Executive Order is Business-Friendly, Far Less Regulatory

On Friday, the White House circulated a revised draft cybersecurity executive order to the press and various interested parties.  The new order, dated November 21, 2012, is a significant departure from the previous publicly available draft executive order, ostensibly dated September 28, 2012, because the latest version strips out the more stringent requirements on critical infrastructure owners, enhancing the voluntary nature of the order, and significantly weakens the regulatory roles of the sector-specific government agencies.  (I’ve pasted at the end of this post for easy reference an excel table with the new order in its entirety, with some of the more salient new sections and language highlighted in red).

In addition, the new draft order is far more business friendly, granting greater flexibility to critical infrastructure owners and relevant technology suppliers to 

• inject industry expertise and input into how cyber threat information sharing occurs by having their experts more easily attain security clearances as well as gain temporary government employment for the purposes of aiding the cybersecurity program, 
• explain how business policies may “align” with the new cybersecurity regime, 
• avoid having their commercial information technology products identified by name,
• opt-out of being classified as critical infrastructure,
• provide feedback on any burdens that may flow from the new regime and 
• receive cyberthreat information from the government rather than merely serve as sources that feed cyberthreat incident information to the federal authorities.

The White House thus apparently heeded the criticism of Congressional Republicans and business lobbying groups, who earlier this fall decried the Obama Administration’s lack of consultation with key interested parties while drafting the order.  In responding to press calls regarding the latest draft, a White House spokesperson issued the same statement to all inquiries:  "The National Security Staff has held over 30 meetings with industry, think tanks, and privacy groups, meeting directly with over 200 companies and trade organizations representing over 6,000 companies that generate over $7 trillion in economic activity and employ more than 15 million people."

Quick and Dirty Comparison of the Two Orders

Although it’s difficult to produce a clean comparison between the two draft orders, it’s clear that in almost every major component, the latest order weakens the regulatory authority of the sector specific agencies, specifically as it relates to information sharing, while incorporating the expertise of critical infrastructure owners into the process.  Moreover, the latest order features a looser definition of what constitutes critical infrastructure and builds in a more market-based approach to the creation of the overarching framework that would be the cornerstone of the program

Weaker regulatory authority of sector specific agencies, particularly regarding information sharing

The November 21 draft order replaces the earlier draft’s detailed directives to the sector specific government agencies, which are currently responsible for some oversight or regulation of each of the 20 critical infrastructure sectors (energy, telecommunications, chemical, critical manufacturing and so forth).  Those earlier directives in the ostensible Septmber 28 draft order, which were largely originating from or coordinated through DHS, mandated that the agencies:

• Develop reports detailing the legal authorities under which they can regulate the cybersecurity of critical infrastructure.
• Follow a set of actions developed by DHS and OMB to mitigate cybersecurity risks.
• Propose regulations of critical infrastructure owners to mitigate cybersecurity risks.
• Receive reports from critical infrastructure owners of cybersecurity risks.
• Follow implementation guidance from DHS to encourage a comprehensive and integrated cybersecurity approach across all sectors.

That earlier system, which does not appear in the new order in any form, is now replaced by a more voluntary approach:

• The sector specific agencies will now engage in a consultative process with DHS, OMB and the National Security Staff to review a preliminary cybersecurity framework developed by NIST  to determine  if current cybersecurity regulatory requirements are sufficient given current and projected risks.
• Within 90 days of publication of the preliminary NIST framework, the agencies will submit to the President a report that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, any additional authority required, and the extent to which existing requirements overlap, conflict, or could be harmonized.
• If the agencies deem current regulatory requirements insufficient, they can propose actions within 60 days of the publication of the final NIST requirements.
• Within two years after publication of the final NIST Framework, agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to duplicative, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
• The DHS will now establish “procedures” that allow critical infrastructure owners to participate in the information sharing system on a voluntary basis.  (The earlier version specified that DHS shall request owners and operators of critical infrastructure to report promptly to the Secretary or other appropriate agency cybersecurity incidents and threats.)
• DHS will expedite security clearances of critical infrastructure personnel, presumably to enable their greater participation in the whole program.
• DHS will expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Looser Definition of Critical Infrastructure

The earlier version of the draft cybersecurity order required that the Department of Homeland Security (DHS) would rely upon a prioritized critical infrastructure security list required under the Homeland Security Act.  This list resulted in the creation of a controversial database that identified hundreds of thousands critical infrastructure assets. 

The latest draft order relies instead on a looser consultative process as well as the expertise of the sector-specific agencies to identify critical infrastructure, using what it says is a risk-based approach.  The new order also prohibits identifying any commercial information technology products (presumably this means no specific vendor’s products can be named) and provides for the creation of a process under which identified critical infrastructure owners can be removed from the list.

More Market-Based Approach to the Baseline Cybersecurity Framework

Both the earlier and the latest orders direct the National Institute of Standards and Technology (NIST) to develop a framework to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.  The new draft order, however, gives NIST more time to develop the initial framework – 240 days as opposed to 180 days.

The new draft order also incorporates more business-friendly language.  For example, the new draft order states that “the Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”

It also states that:

“the Framework will also identify potential gaps that should be addressed through collaboration with particular sectors and industry-led standards organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide cybersecurity guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.”

It further provides for business confidentiality protection by stating that “the Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality.”

Finally, while the earlier order said the the Framework shall “include metrics for measuring the performance of an entity in implementing the Cybersecurity Framework,” the new draft merely calls for “guidance” in measuring the performance of an entity.

I’ve pasted below a table that includes the new draft order in its entirety, with the key new sections and language highlighted in red.

Read More

What Century is Lord Justice Leveson Living In?

On a day when world politics was rocked by the news that the Syrian government shut down the country's Internet in an ostensible attempt to stymie opposition groups, an English judge issued the much-anticipated findings of his eight-month inquiry into the culture, practice and ethics of the British press. The nearly 2,000-page report (a 48-page executive summary is available), spawned by an eight-year and increasingly explosive phone-hacking scandal by News International newspaper journalists, is a sprawling deep dive into the UK media landscape, press ethics and values in addition to a detailed analysis of the complex scandal itself.

The massive condensation of materials examined, interviews conducted and hearings held is a prosecuting jurist's dream and a media analyst's delight, featuring facts, analysis, history and wonderfully colorful condemnation of some of Britain's most powerful figures and institutions, primarily Rupert Murdoch's News International., which has dominated British press and politics for well over a quarter of a century.  I'll leave it to others to accurately and adequately summarize the Proustian report, except to say that Lord Justice Leveson, the judge who led the inquiry, concluded his work by recommending an intricate system of British press self-regulation back-stopped by legislation and public officials to "guard the guardians."

This prospect of further intrusion by the British government into the workings of the press is only now being digested by the press and politicians, although Conservative Party Prime Minister David Cameron immediately and summarily dismissed the report's call for statutory oversight of the press.  And by "press," Leveson does indeed mean only the traditional press, the kind that uses paper and ink.  

Any notion of regulating Internet-based journalism or publishing was roundly rejected by Leveson because, well, the Internet is not the press, in his eyes, because it is unregulated, does not operate according to ethical standards and in any event, web-based content such as blogs or tweets are barely ready by anyone and "rarely read as news or factual."  

Yes, that's what he said.

What follows are selected sections from the report where, in essence, Leveson says, unlike the Syrian government, that the Internet does not matter.  

Regarding blogs (and here Leveson even cites newspaper blogs, such as those maintained by the Guardian newspaper):

These vastly different sites are all offered to the public in the same way; they all have the same theoretical reach to the entire internet-connected population at the touch of a button (particularly when facilitated by search engines). They are also, with the regulatory exceptions set out above, entirely unregulated, though subject to civil and criminal law in appropriate jurisdictions. However, it is noteworthy that although the blogs cited here are read by very large numbers of people, it should not detract from the fact that most blogs are read by very few people. Indeed, most blogs are rarely read as news or factual, but as opinion and must be considered as such. [emphasis added]

How Twitter is not really that important a new source because so few tweets are read:

However, it is worthy of note that despite their extraordinary growth, as with most blogs, in the main few tweets or social network pages are read by very large numbers of people.

The Internet does not operate by ethical standards:

...the internet  does not claim to operate by any particular ethical standards, still less high ones. Some have called it a ‘wild west’ but I would prefer to use the term ‘ethical vacuum’. This is not to say  for one moment that everything on the internet is therefore unethical. That would be a gross  mischaracterisation of the work of very many bloggers and websites which should rightly and  fairly be characterised as valuable and professional. The point I am making is a more modest one, namely that the internet does not claim to operate by express ethical standards, so that  bloggers and others may, if they choose, act with impunity.

Because it does not operate according to ethical standards, the Internet is not really the press:

The press, on the other hand, does claim to operate by and adhere to an ethical code of  conduct. Publishers of newspapers will be (or, at least, are far more likely to be) far more  heavily resourced than most, if not all, bloggers and websites that report news (as opposed  to search engines that direct those on line to different sites). Newspapers, through whichever  medium they are delivered, purport to offer a quality product in all senses of that term.  Although in the light of the events leading to the setting up of this Inquiry and the evidence  I have heard, the public is entitled to be sceptical about the true quality of parts of that  product in certain sections of the press, the premise on which newspapers operate remains  constant: that the Code will be adhered to, that within the bounds of natural human error  printed facts whether in newsprint or online will be accurate, and that individual rights will  be respected. In contrast, the internet does not function on this basis at all. People will not  assume that what they read on the internet is trustworthy or that it carries any particular  assurance or accuracy; it need be no more than one person’s view. There is none of the notional imprimatur or kitemark which comes from being the publisher of a respected  broadsheet or, in its different style, an equally respected mass circulation tabloid.

So, in the end, Leveson is recommending government regulation (through the formation of a statutorily backed independent self-regulatory body) of only print products and, vaguely, for web-based news produced by traditional print media.  And the only entities subject to that regulation would be UK-based press outlets.

At first blush, while Leveson may have noble intentions to elevate the British press to a more sacred purveyor of only ethical news that serves the public interest, his garbled grasp of how the Internet works might only serve to weaken the very institution he seeks to strengthen.  By burdening the already beleaguered print media with the prospect of a new regulatory body, given the force of law by the government (the prospective weakening of the "free" press that would occur from this move will likely and should receive more analysis), Leveson's recommendations, if carried out, could be yet another nail in the old media's coffin, at least in the UK.

Read More

Here Comes the Cybersecurity Executive Order with Its Insane Deadlines

In a move engineered by Majority Leader Harry Reid (D-NV), the Senate shot down two days ago the prospect of comprehensive cybersecurity legislation during the lame duck Congress, ratcheting up the prospects that President Obama will make good on his threats to sign an executive order that achieves what Congress has so far failed to accomplish.  Proponents for a cybersecurity bill lost 51 to 47 and some of the smarter (and perhaps more cynical)  thinkers on the cybersecurity tussle believe that the fast post-election effort to give Congress another run at the goal line was nothing more than a hail Mary maneuver to give Obama political cover to issue the order.

Whatever the case may be, all signs point to Obama issuing that order any day now.  Amid all the political wrangling, little attention has been paid to the actual substance of the order itself.  Although little more than a dozen pages long, the order is a vast, gnarly beast that will put into motion massive activity throughout the federal government, involving virtually every agency, administrative office, military branch and, of course, hundreds of thousands of businesses, non-profit organizations, public agencies and state and local governments.

Not only is the scope of the order vast, but also the deadlines specified in the latest version of the "public" draft order are insanely ambitious for such a complex undertaking.  I've mapped out the key deadlines in the table below.

Assuming that Obama signs the order before Thanksgiving (as is widely believed), and assuming the final order resembles the current draft, the complex apparatus needed to fulfill the order's directives must swing into gear to accomplish a host of intricate things in extremely short time frames.  For example,

• via a consultative process throughout the federal government (and relying on an existing and controversial database involving hundreds of thousands of entities), the Department of Homeland Security has to identify all critical infrastructure assets covered under the order by mid-April.  
• The National Institute of Standards and Technology has to develop a framework for identifying and managing cyber risks across a host of diverse critical infrastructure sectors by mid-May.  
• Also by mid-May DHS has to implement guidance on how critical infrastructure owners can voluntarily share cybersecurity information, 
• and on and on.

Each of the deadlined tasks spelled out in the order will require fast, nimble and extraordinarily skilled bureaucratic scrambling throughout the government and heretofore unseen policy, technical and administrative process expertise by the critical infrastructure owners.  Then there's the matter of the all-important privacy-related items, which appear to have no deadline affixed to them, as of the latest public draft.

Quite a few people, it seems, will be toiling away during the holiday season..and for years afterward.

 

Read More

It’s the Back-Up Power, Stupid: Communications, Electricity and Service Restoration Following Hurricane Sandy

Hurricane Sandy, like Hurricane Katrina before it, highlights a little-examined but perennial riddle:  what comes first in restoring life to normal after a major crisis, electricity or communications?  Without electricity, there can be no form of electronic communications but without the ability to communicate, power providers are ill-equipped to restore electricity in anything but a haphazard manner.

In the wake of Sandy’s damage, both critical infrastructure providers, telecommunications and electricity, were hard hit with outages due to downed lines and damaged, flooded hardware.  But as the days wore on, a crucial distinction emerged between the two providers:  with no electricity and back-up fuel in extremely short supply, communications providers simply had no power to operate their networks, particularly their wireless networks.  Last Friday, the FCC commented on the situation, acknowledging that “replenishing fuel supplies for generators that are enabling communications networks to continue operating is a particularly critical challenge.”

This assessment echoes the conclusions of an FCC panel asked to address how well communications networks fared in the aftermath of Hurricane Katrina.  That panel found that among the chief causes of communications failure after Katrina were faulty batteries used by the telcos combined with lack of power given that utilities had been knocked out too.  The panel also found that communications networks owned and operated by utilities fared fairly well because they were designed to remain intact to aid restoration of service following a significant event. 

The importance of maintaining robust communications in a crisis situation is one of the top reasons why utilities tenaciously argue they need to maintain their own communications networks, such as private land mobile radio communications and fiber and microwave-based systems that allow system-wide communications, independent of and apart from the so-called “public carrier” networks.   Since the dawn of both industries, which occurred at roughly the same time period -- Alexander Graham Bell and Thomas Edison were both pushing wires to homes and businesses simultaneously -- utilities have been fighting with telecom providers to maintain their own communications networks while telecom providers have been arguing that this duplication of infrastructure is a waste of society’s resources and ignores the highly specialized and valuable expertise that telecom companies bring to the table. 

And both industries are correct.  Utilities are rarely on the cutting-edge of technology innovation, a handicap that is becoming clear, for example, in the cybersecurity arena, where communications providers must develop razor sharp protection schemes or else lose out to smarter, more technologically savvy rivals, while utilities have no economic incentive – and indeed are often discouraged by regulators – to spend more money or time on maintaining digital security.  And yet, when it comes to crisis situations, it all comes down to back-up power.

To keep their communications networks running, most utilities use interim battery and long-term generator back-up which is usually indefinite – practically unlimited storage of diesel, gas or other fuel sources is one of the perks of being a power company.   No other industry, including telecom providers, can keep back-up power going for more than a day or two.  A study I conducted in 2010 found that one of the top reasons utilities are reluctant to rely on communications providers is "insufficient levels of power back-up."  Another top reason that utilities are reluctant to rely on phone company networks for their mission critical functions, according to the study’s findings, are "concerns over disaster preparedness" on the part of telecom providers.

While telecom companies have made great strides since Katrina in ensuring better power back-up during crisis situations, Hurricane Sandy answers, for now, the riddle of what comes first in restoring life to normal, electricity or communications.  The answer, of course, is that they both come first.

(With full disclosure, I spent three-and-a-half years studying what most people, prior to the advent of the “smart grid,” used to consider the arcane niche of “utility communications” on behalf of the utility industry.  But I also spent years many more years before that conducting analyses on behalf of a host of traditional communications providers so I’d like to think I’m coming at this fully informed by the cultures and arguments of both industries.)

Image source:  Power outage screen capture from Google Maps.

Read More

Lieberman Aide: Cybersecurity Executive Order Will Move Forward No Matter What

A top aide to cybersecurity legislation proponent Senator Joseph Lieberman (I-CT) said today that the administration will move forward on a cybersecurity executive order no matter what happens in the presidential election next Tuesday.  Speaking at a cybersecurity summit hosted by the Washington Post, Jeff Ratner, Counsel and Senior Advisor for Cybersecurity, Senate Homeland Security & Government Affairs Committee said "regardless of what happens on Tuesday, the executive order will move forward" because the Obama administration does not view cybersecurity as a political issue as much as it does a vital issue of national security.

What then will the Congress do given that Senator Majority Leader Harry Reid (D-NV) has announced his intention to bring up a cybersecurity bill during the upcoming lame duck Congressional session?  Ratner indicated that any cybersecurity bill that follows the executive order will likely fill in the gaps that the executive order cannot legally address, such as offering liability protection to critical infrastructure industries covered by the bill.  This protection offers affected companies some insulation from civil or criminal prosecution for activities carried out under the bill (such as information sharing) if conducted in good faith.  (A lot of debate has cropped up regarding what constitutes good faith under earlier legislative language and how effective the liability protection provisions are).

"Much of what we did in our new bill in Title I can be done via executive order," Ratner said.  "What can’t be done is the incentives.  You can’t offer [via executive order] incentives like liability protections, which the Congress can."

Kicking off the event, Department of Homeland Security Secretary (DHS) Janet Napolitano likened the effect of a cyberattack to Frankenstorm Sandy, and likened DHS to FEMA, the Federal Emergency Management Agency.  "We look and act like a cyber-FEMA," she said.

Whether DHS should have that kind of power, as is likely under the Executive Order and as was specified in cybersecurity legislation, has been subject to heated debate.  "People don't think DHS should be given more authority," Jim Lewis, Senior Fellow and Program Director at CSIS said.  But then the problem becomes:  which arm of the federal government should be given authority?

One other logical government agency that could be assigned cybersecurity responsibility is the National Security Agency (NSA). "When you say to people that you want to put NSA in charge of public information, it doesn’t bring screams of joy," Lewis joked.  How about the FBI, the other government arm arguably qualified to do the job?  Affected industries are bound to ask "am I going to want the FBI crawling over our networks?" Lewis said.  By default, for now, the DHS seems the best, if not optimal, government agency to take on the task.

Read More

Hurricane Sandy’s Crucial Technology Chain

Hurricane Sandy, with its wide swath of destruction and long duration, served as a case study of how important technology, particularly communications technology, has become during a crisis situation.  Most of us in Sandy’s path spent at least some time glued to our big and small screens over the past few days, but it’s interesting to take a step back and look at the very complex chain of technology that made surviving the storm easier. 

The following are just some of the crucial links in the technology chain surrounding the big storm.

• Weather Satellites:  Most of the intelligence and analysis that gave us all uncannily accurate and advance warning of the hybrid conditions that would foster this superstorm came from satellites that fly pole-to-pole, taking snapshots and measurements of the entire earth’s conditions and producing data that make weather prediction a far more exact science than in decades past.    These satellites, however, are aging and bad planning by the Department of Commerce’s National Oceanic and Atmosphere Agency threatens to soon leave the U.S. with a potential three-year gap before replacement satellite capability can resume the data gathering capabilities.  Launching one of these birds takes a lot of advanced work and money (“it’s not simply like replacing a burned-out light bulb,” American Meteorological Society President-Elect J. Marshall Shepard said) and so far no good solution to the impending weather satellite intelligence drought has emerged. 

• A Smarter Energy Grid:  The most fundamental technology that maintains acceptable quality of life during and after a weather emergency is electric power.  Although millions of homes are still without power in the Northeast, the situation could have been a lot worse, particularly in the DC and mid-Atlantic regions served by Pepco, which left hundreds of thousands of homes sweltering in triple-digit misery after the big derecho storm in July.  This go-around Pepco fared far better in maintaining and restoring power, with comparatively few homes in its service territory suffering lengthy outages.  Part of Pepco’s turn-around is no doubt a result of political heat placed on the utility by powerful people, including Democratic Maryland Governor Martin O’Malley, one of the party’s rising stars.  But part of the utility’s improved performance might be traced back to its ramped-up deployment of smart grid technology, two key benefits of which are improved resiliency and reduced power restoration time.  “Smarter” grid improvements by hard-hit New York area utilities and pre-emptive shut downs by ConEd may also be making the electricity down times shorter even though that region is still suffering widespread outages.

• Smart Phones:  Not only were smart phones the top choice for connecting to the Internet during power outages, but they also served as Internet hot spots for some users.  And crucial services, including utilities and emergency responders, devised mobile apps for communications or urged affected citizens to stay in touch via handheld devices.    Flooding and power outages disrupted mobile  and other forms of communications throughout the storm-hit areas, but thousands of tweets and Facebook posts attest to the popularity of smart phones as a critical means of staying connected during the deluge.

• Twitter:  Without a doubt, Twitter was a prime, if not the prime, news source for timely information during Sandy, serving as a real-time newswire that proved more informative than most newspapers and news channels.  In fact, the most useful information on most traditional newspaper websites came from curated tweets, with the “real” news articles often dated and inaccurate by the time they were posted.  Government officials and politicians (including heavily damaged Newark’s mayor Cory Booker) used Twitter as a primary mode of communications throughout the crisis.

• Big Data:  Big data played a very useful role during the storm, helping to map everything from transportation problems to school closing to power outages.  The granddaddy of big data analytics, Google, created a SuperStorm Sandy mapping tool that detailed everything from power outages to emergency shelter locations to evacuation routes to live webcams.

• Emergency Response Communications:  Although it’s too soon to say how well the first-responder community fared across the multiple states where Sandy hit, the storm does serve as an object lesson regarding why the upcoming First Responder Network, authorized under the Middle Class Tax Relief and Job Creation Act of 2012, is needed .  FirstNet will be a nationwide interoperable broadband communications network that allow emergency responders, including police, firefighters and emergency medical personnel, to have access to a common network dedicated to public safety purposes.

Update:  Right after posting this piece, I read Josh Smith's piece about how both TV broadcasters and wireless carriers are making their arguments for more spectrum on the basis of the vital information roles they played during Sandy.  I realize, dumbfounded, I left out television and radio out altogether in the crucial technology chain.  I suppose that most people do indeed watch broadcast stations during storms these days, but as Mathew Ingram noted, much of the TV reports "amounted to reading reports from Twitter, and interviewing their own news reporters standing hip-deep in the water in places like Atlantic City or Battery Park."  Radio is, of course, different and important.  But the fact that I genuinely "forgot" about TV and radio speaks volumes, whether it's about my skills as a media analyst or about the fading away of traditional broadcasting as an important communications tool in the U.S., I'm not sure.

Read More

Panetta Issues Cybersecurity Clarion Call...But Why?

The big cybersecurity news of the week is Defense Secretary Leon Panetta's high-profile clarion call for the Congress to pass a cybersecurity bill because the U.S.otherwise faces a possible "cyber-Pearl Harbor."  During his speech at an award dinner hosted by a group of security-focused business executives, Panetta also hinted that the government's interest isn't merely in defending against critical cyber threats but could extend to something more proactive.  "If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president," Panetta said. 

The speech is notable for three things. First, it's the most comprehensive statement by the Defense Secretary on the issue.  Secondly, it's clearly timed to either push the Congress into immediate action on passing a cybersecurity bill during the lame duck Congress or provide the President with enough rhetorical cover if he does issue an executive order on cybersecurity.  Finally, although the spin by administration flacks was that Panetta was disclosing new previously classified threats in his speech, the examples he offered -- DDoS attacks on U.S. financial institutions and the Shamoon malware that plagued Aramco and RasGas late this summer -- are all old news in cybersecurity terms, as Wired's Noah Schachtman points out. 

But why amp up the rhetoric regarding threats that are, by now, extensively known?  And for that matter, why is the Administration turning up the heat on the issue in general?  There is no question that cyberthreats are the 21st century version of nuclear warfare and should be much feared.  But, Republicans and business lobbies oppose anything beyond simple information sharing, and the relatively arcane issue of cybersecurity won't interest or sway many voters, so the Obama Administration stands to gain very little politically by continuing to push the issue. 

The clues to the puzzle of why Obama is pressing cybersecurity so hard are shrouded by the nature of the subject matter itself.  If there were a new threat on the horizon that could derail trains or "contaminate the water supply in major cities, or shut down the power grid across large parts of the country," as Panetta said in his speech, only a handful of people are allowed to know that, just as only a handful of people are allowed to know the launch codes for nuclear weapons. Panetta isn't going to trot out the latest intelligence on a potentially catastrophic cyber weapon during a black tie dinner and we are likely never going to hear what's really going on, or at least not for years.

It's also possible that the Administration plans to ramp up its own military capabilities in the cyber realm and the strong language used by Panetta (and others) helps to provide cover for stepped-up military action.  The U.S., after all, is the creator of the most potent cyber weapon the world has known so far (Stuxnet) and the Administration could be beefing up its military muscles not necessarily to defend against threats but to take the offense against enemies.

Whatever the case may be, the Administration is getting more serious every day about cybersecurity.  And we may never know why.

Shamoon image via SecureList

Read More

Rogers: White House “Irresponsible” for Failing to Consult on Cyber Executive Order

House Intelligence Committee Chairman Mike Rogers (R-MI) said today “it’s irresponsible” that the Obama administration failed to consult with the committee while drafting the impending executive order on cybersecurity.  Speaking at a U.S. Chamber of Commerce Cybersecurity Summit, Rogers said “we have been consulted as much as you have been consulted, which is a huge problem. “

“I don’t get it. I don’t understand it. I think it’s irresponsible.  We’re equally as frustrated as you are.” Rogers told the mostly pro-business audience.  The U.S. Chamber of Commerce opposes the President’s cybersecurity order, which mirrors to a large degree Senate cybersecurity legislation that failed to pass in August.  The Chamber also opposed that Democractic-backed bill, arguing that it creates an unnecessary regulatory structure.

Rogers said that the White House has also failed to seek private sector input when drafting the order.  “It’s just odd you would do it this way.  Why you wouldn’t want input from the outside is beyond me and that tells me what kind of product you’re going to get too.”

Cyber security legislation, along the lines of the Cyber Intelligence Sharing and Protection Act (CISPA), still stands a chance of passage during the upcoming lame duck session of Congress, Rogers said.  Rogers was a co-sponsor and proponent of that legislation, which established a voluntary cyber threat information sharing framework.  

Boosting the bill’s chance are recent classified briefings some members of Congress have received on “what appears to be a new level of threat from an unusual source that has some very real consequences,” Rogers said.  When pressed on the nature of this new threat, Rogers was vague – “I look really bad in orange,” he quipped.  But he seemed to indicate that perhaps a new nation-state has emerged as a cyber enemy.  “Our concern is nation-states that are gaining capabilities,” was the closest he came to an explanation of the new threat.

Read More

Utilities, Tech Industry Face Culture Clash in the Smart Grid

(Washington, DC)  As the nation’s electric infrastructure struggles to get smarter, a culture clash has emerged between the rapid-pace high-tech industry and the very slow-moving utility industry as they both try to inject intelligence into the grid.  Google-backed Silicon Valley-based Silver Spring Networks has experienced this first-hand as it pitches its 21^st Century software, networking and platform solutions to utilities.

“We have to work to the biorhythms of our clients,” Eric Dresselhuys, Silver Spring’s EVP of Global Development said today at GridWeek 2012, held here.  “A utility client said ‘we don’t want you to force us into an upgrade more than every seven years.’ It made me realize the chasm we have to cross.”

“This [technology change] is coming at us in a lot of different directions,” Heather Sanders, Director of Smart Grid Technologies and Strategy, California ISO said.  The biggest challenge, Sanders said, is not technological but regulatory, with heavily rate-regulated utilities constrained by state public utility commissions in terms of how easily they can spend capital to upgrade technology.

“It's not clear that there is a regulatory meeting of the minds on how we're going to pay for this,” Dresselhuys said.  Regarding a recent case of regulatory lag in Illinois, “the absolute amount of money we're talking about here is so small, $1.50 per customer per month.  Nothing's happening and it's stunning.”

Not all utilities are foregoing technology upgrades pending regulatory approval.  “We're spending money on projects for which we don't have regulatory approval because we have to move forward,” Lee Krevat, Smart Grid Director San Diego Gas & Electric (SDG&E) said.

Indeed, SDG&E is out ahead of the industry’s vendors, asking for more up-to-date technologies than the vendors’ products offer.  “We have things that we want and they don't exist the way we want them,” Krevat said.  “It's the utility wanting to move faster than the suppliers.  It's bizarre.”

Read More

Napolitano: We Still Need Comprehensive Cybersecurity Legislation

(Washington, DC)  Although President Obama plans to issue an executive order on cybersecurity, Congress still needs to pass comprehensive cybersecurity legislation, Department of Homeland Security (DHS) Secretary Janet Napolitano said today. Speaking at the Cybersecurity Summit hosted by the National Journal and Government Executive here, Napolitano said that “an executive order will help but we still need comprehensive cybersecurity legislation.”

An executive order can’t do a lot of things that legislation can do, such as give critical infrastructure industries liability protection or give DHS relief to offer higher civil service salaries in order to attract the much in-demand specialists the agency needs.  “Congress has had a full opportunity to act and that is the preference.  Any executive order cannot do what legislation can do but in the meantime there are things the president can do under existing authority,” she said.

Some Republicans and scholars have indeed challenged the President’s legal authority to issue an executive order on cybersecurity, a thorny and complex constitutional question that has arisen time and again when the administrative branch has taken action on matters without specific Congressional directives to do so.  One option for Obama is to issue the current order as a modification of an earlier, related executive order, arguably giving him greater legal justification for this latest action.

But, Napolitano said, the current order will instead likely be in the format of a new order, not a modification of an existing order.  When asked under what authority, if not Congressional directive, the new order will be issued she said that Article II of the Constitution, which grants the President executive power and assigns him responsibility as Commander in Chief of the military, is sufficient legal authority.  (CRS has a recent and concise overview and the history of executive orders in this PDF, including discussion of Article II authority.)

When the executive order will come out is unclear.  “I can’t give you a firm timeline,” Napolitano said.  The executive order is still in draft form and the “president has not yet had an opportunity to review it.”

On the subject of cyberwar, Napolitano advocated greater international collaboration in developing conventions of use, much the way countries have cooperated in developing accepted practices regarding traditional warfare.  “It’s time for the nations of the world to have some kind of opportunity to come together and look at a global convention...for having a safe cyber environment for everybody’s benefit.  That international dialog has been missing.”

Read More

Does Obama Dare to Issue a Cybersecurity Executive Order Before Election Day?

Next Monday, the Department of Homeland Security (DHS) kicks off National Cybersecurity Awareness Month, which features events and initiatives aimed at stressing the importance of good cyber security practices.  The timing of this annual event could not be more propitious given the mounting battle between President Obama and his Republican (and business lobby) adversaries over the expected, imminent executive order on cyber security the Administration has developed in the wake of failed cyber security legislation.

A  draft of the order was circulated earlier this month and it looks a lot like the Democratic-backed Cybersecurity Act of 2012, which was aimed at setting up government programs to ensure better cyber security information sharing for critical infrastructure industries.  (One major difference between the order and the Senate bill is that the order specifies by name 16 different sectors that constitute the “critical infrastructure” industries covered by the order, although energy and communications are spelled out upfront as “uniquely” critical sectors that cut across all the other industries.)

A growing number of developments hint that the executive order could come out any day now.  DHS Secretary Janet Napolitano told the Senate last week that the order is near completion, a host of current and former Pentagon officials are speaking out daily about the threat lax cyber security poses to the nation’s welfare while the Senate champion of the Cybersecurity Act, Joe Lieberman (I-CT) is pushing the president to get the order out the door.

Does all this add up to Obama issuing the executive order before the end of October?  Not exactly.  Despite the intense pressure and momentum, this is an election year and despite Obama’s current comfortable lead in the polls and the resulting lift for all Democratic contests, some smart insiders say the Administration won’t needlessly give Republicans any new ammunition before the polls close on Election Day by issuing what is already a controversial order.   Further dimming the order's pre-election day prospects are Republican rumblings of late that the Congress might still pass a bill before Inauguration Day.  Obama might be reluctant to look like he's pulling ahead of the legislative branch, even if it’s unlikely that the lame duck Congress can get the job done. 

On the other hand, the President could gain even more points in the polls by issuing the order, burnishing his already strong image on national defense.  But, if the smart money is right, look for an executive order no sooner than November 7.

Read More

Nod to Energy in Obama's Speech Tonight? Maybe, Even If It's "Boring"

Energy independence has been a staple of American presidential politics since the early 1980s, a hot button issue that nevertheless hasn't triggered the vitriolic level of discord between the two parties typical of other important (and not so important) issues.  High-wire fights over drilling and cap-and-trade notwithstanding, both parties are generally rowing in the same direction on energy independence and efficiency.

Over the past month both parties have embraced the "all-of-the-above" approach, a pragmatic view of energy issues, recognizing that the shift to renewable energy will be a longer slog than optimists thought.  At  a panel during the Democratic National Convention yesterday, Howard Dean, former Democratic Governor of Vermont and a one-time presidential contender himself acknowledged what Democrats have reluctantly embraced:  The country and the economy is dependent on non-renewable energy sources and will be for a long time.   "We're going to need petroleum for the foreseeable future," Dean said.

Still, it's a good idea for the government to push the country in the direction of non-renewable energy as much as is practicable, Dean said.  "I do think there are some reasons to spread out the use of this stuff and to minimize carbon footprint."

One barrier to the shift to renewable energy sources, or to lowering energy consumption, is that to most consumers "energy is boring," according to Art Lasky, President and Founder of consumer energy management company Opower, speaking on a separate panel at the DNC yesterday.  Although "90% of people at this convention and elsewhere would say saving money is important...the only time you think about energy in the home is when the power is out," he said, noting that research shows the average customer spends only six minutes per year actively engaged with their energy utility.

If that's the case, will Obama push energy issues high on his reelection agenda and will we hear much about energy in tonight's speech?  According to some sources, Obama plans to promote his track record on energy issues tonight, pointing to reduced oil imports, improved vehicle efficiency and more renewable energy generation.

In his now-revered nominating speech, Bill Clinton mentioned but only touched on energy, praising Obama's all-of-the-above energy strategy.  It's possible that because both parties seem to agree on the big points, or that most people think the topic is boring, that energy isn't a big issue this election season that will sway voters one way or the other.

Read More

RuggedCom is the Tip of the Iceberg When It Comes to Vulnerable Power Grid Gear

As President Obama weighs the decision to issue an executive order following the failed Cyber Security Act of 2012, a security alert issued by an arm of the Department of Homeland Security (DHS) earlier this week cast a spotlight on the vulnerabilities of networking and other gear that make up the U.S. electric grid.

DHS warned that security researcher Justin Clarke of Cylance had discovered a vulnerability in Siemens-owned RuggedCom’s Rugged Operating System (ROS) which could decrypt secure traffic between RuggedCom networking equipment and end-users.  Reuters, which broke the news of Clarke's finding (his second discovery of a flaw in RuggedCom gear this year), characterized the flaw as "one that could enable hackers to attack power plants and other critical systems."

Although that contention is likely an overstatement, RuggedCom's networking gear, designed to withstand harsh environments, is indeed widely used by the nation's electric utilities to support communications to remote power stations and other mission-critical functions.  And RuggedCom's faulty security could be the tip of the iceberg when it comes to vulnerable equipment deployed by utilities.

What other vendors sell vulnerable gear to the energy industry and which vendor is likely to pop up next in a DHS alert?   "You could throw a dart at a dartboard with a list of a vendors and come up with the next one," according to Patrick Miller, President and CEO of EnergySec, an industry body focused on cyber security.

"But it's like a bell curve. Some are on the front end and are doing good things, there is a bunch in the middle and a lot of bad ones at the end," Miller said.  

In fact, there is less security testing of the components that make up the electric grid than there is for the switches, routers and other devices that make up the Internet. "If it's intended to go into a substation, depending on the type of device, there is a higher likelihood that it hasn't gone through the same security measures as have the devices that go on the Internet," according to Miller, who is also the Principal Investigator for the National Electric Cybersecurity Organization (NESCO).

Two big factors foster energy industry use of vulnerable gear.  First, secure devices are very expensive, requiring secure coding, secure supply chain procedures and other costly steps.  And state public utility commissions keep a tight rein on utility expenses, forcing utilities to cut costs at every corner.

Utility "profits are regulated.  Every step along the way in terms of expenses is regulated. Are ratepayers going to want to pay that?" Miller said.   "The commissioners pride themselves on making sure the expenditures are prudent. If it looks like you're gold-plating," they won't approve utility expenditures. 

Even if utilities were able to persuade regulators to sanction more expensive, more secure gear, any technology upgrade could trigger a chain reaction of additional costs, which would also have to be passed onto ratepayers.  "If you can economically support that kind of technology refresh, they may end up voiding the warranty on their multimillion dollar management system," because other components in the system won't have been tested and warranted for compatibility with the new gear.

If energy industry gear is so widely considered to be vulnerable (which several industry cyber security technologists have confirmed) and regulators won't allow utilities to raise rates to pay for better gear, what's the solution? 

"The solution is basically better architectures," Miller said. "You have to get past the mindset that the system is 100% secure" and instead work on ideas that teach utilities how to operate through an attack, how to operate through a vulnerable state.

Because no matter how secure or new the devices, energy sector companies will have to constantly battle device breaches from here on out.  "It's almost whack-a-mole," Miller said.  Technology breaches happen so regularly and so frequently that "there's another problem with the next device, another problem with the next device, another problem with the next device."

Image credit:  Siemens.

 

Read More

Our First Supporter at Digital Crazy Town

Digital Crazy Town is happy (and happily surprised given that I haven't been angling for supporters or sponsors on this blog) to announce our first supporter, government IT solutions provider Carahsoft.  The folks at Carahsoft have teamed with Symantec to offer a free webcast on today's cyber security threat landscape and a strategic approach to strengthening enterprise security.  

Find out more at our supporter page and sign up today.  Don't wait though - the webcast is this Thursday, August 23 at 2 pm ET.

Read More

Utility Cyber Security Hampered by Standards, Vendors, Industry Culture

Electric utilities are our nation's critical infrastructure ground zero. But the lack of standards, vendor inadequacy and the glacial pace of utility technological change are among the top challenges to keeping the grid safe from digital threats according to industry experts speaking at the Smart Grid Security Virtual Summit today.  It's very difficult for utilities to "create a process to achieve security because they are always waiting for a standard," Ward Pyles, Senior Security Analyst, Southern Company said.

Speaking of the morass of ever-changing cyber security protocols available to utilities from the government and private sector groups, Pyles recommended that each utility develop its own standard and then stick to it.  "It's hard to choose what is the best one for you but you have to look at each of them and then create your own standard.  Pick one if you can and if you can't come up with a compilation."

Utility vendors must be more attentive to, and utilities must demand in their RFPs and RFIs, stronger cyber security technologies, Ward said.  "We're seeing solutions today that have default passwords that are embedded in code," a cyber security risk that utilities must mitigate.

"There is little or no cybersecurity in the devices utilities deploy," Patrick Miller, President and CEO of utility security group EnergySec said.  "The vendors have come a long way but it is still not a pretty picture."

The utility culture is "much more resistant to change," facing technology life cycles that typically span twenty years, making the new digital era particularly challenging for utilities looking to implement adequate cyber security procedures according to John Stewart, a cyber security specialist engineer at the Tennessee Valley Authority.  IT technology is truly a "different paradigm" for most utilities, Stewart said. The IT sector is a culture of constant change and "it's definitely different from the power industry" where change is "not one of our cultural strong suits."

Moreover, utilities don't have the luxury of interrupting service to install new software or technologies, as do many IT-based businesses.  "It's hard to imagine a world where substations operate in a patch Tuesday mindset," he said.  

Stewart argues that cyber security and utility communications infrastructure be separated from core operations while minimizing the amount of "daylight" between security and core function devices.  "Longer term we will push vendors toward more modular solutions that separate security and communications from core functionality just because the two industries are so different."

Slide from presentation by John Stewart, TVA

Read More

Lieberman is Not Proud of the Senate. But Is Any Cyber Security Bill Doomed?

After two years of work, and on the eve of a month-long election year recess, the U.S. Senate failed today to move forward a controversial cyber security bill.  S. 3414, the Cyber Security Act of 2012 introduced by Senator Joseph Lieberman (I-CT) and Senator Susan Collins (R-ME), was shot down in a maneuver by Senator Majority Leader Harry Reid (D-NV) to introduce a cloture motion, ending any further debate or amendments.  The final vote was 52 Senators in favor of cloture and 46 against it; Senate rules require at least 60 votes in favor of cloture.

Two things scuttled the bill's prospects in the Senate.  First, the emergence of partisanship on the previously non-partisan issue of cyber security pitted the Administration and Senate Democrats against Republicans, a newly formed rift heightened all the way around by the Supreme Court's decision to affirm Obama's health care law.  Secondly, private sector critical infrastructure entities covered by the bill, with particularly potent representation by the U.S. Chamber of Commerce, opposed what they perceived as unnecessary government regulation of their cyber security practices, even as Senate Democrats (with an assist by the Obama administration) watered down provisions in the bill regarding mandates on critical infrastructure industries into "voluntary" reporting procedures regarding discovered cyber security threats.

Speaking before the vote occurred, Lieberman said "this is one of those days that I fear for our country and I'm not proud of the United States Senate. It's not that there is a speculative threat to our country – it's real and it's here now."

Lieberman said that "when it comes to cyber war, we are where we were in 1993 with Islamic terrorism," quoting General Keith Alexander, Head of the National Security Agency and a proponent of the bill who helped the Obama Administration lobby for it during a last-minute push.  "We pretty much all agree on that here and yet we've descended once again into gridlock. The end result of that is a lot of sound and fury that will accomplish nothing and leave our country vulnerable."

Lieberman may be right that we're in the ignorance-is-bliss phase that precedes unexpected, impending disaster when it comes to cyber security, particularly security for our most critical infrastructures, such as the electric grid.  But, like the volatile, unpredictable set of forces that gave rise to 9/11, security in the cyber age  is an elusive, ever-changing target, which is why some experts favor flexible solutions as opposed to government-defined answers.

The inherently ungraspable nature of cyber security also leads to the confusing set of often contradictory rules under which most critical infrastructure providers operate.  Electric utilities, for example, try to abide by the fluid (and often unclear) set of requirements and recommendations that flow forth from at least 27 different bodies, from the Cross Sector Cyber Security Working Group at DHS to the Critical Infrastructure Protection requirements mandated by industry group North American Electric Reliability Corporation to U.S. Cyber Command at the Department of Defense to a host of industry technical standard setting bodies.

It's no surprise, then, that the Senate came close but failed to pass a cyber security bill.  Against the backdrop of partisan fighting and industry opposition and crazy quilt rules which attempt to make sense of a highly specialized and abstract topic, it's possible that any cyber security legislation is doomed at the outset.  Lieberman says he's not "going to be petulant" and is willing to continue trying to hammer out a compromise, so don't rule out a surprise rescue.

But, as Paul Rosenzweig points out, the more likely scenario is for the Obama Administration to simply chuck the Congress and adopt many of the bill's requirements through executive order.  Senator Dan Coats (R-IN) predicted as much before the cloture vote.

Read More