"Kaspersky: In the Soviet days, we used to joke that an optimist learns English because he is hoping that the country will open up, that a pessimist learns Chinese because he’s afraid that the Chinese will conquer us, and that the realist learns to use a Kalashnikov. These days, the optimist learns Chinese, the pessimist learns Arabic…

SPIEGEL: …and the realist?

Kaspersky: …keeps practicing with his Kalashnikov. Seriously. Even the Americans are now openly saying that they would respond to a large-scale, destructive Internet attack with a classic military strike. But what will they do if the cyber attack is launched against the United States from within their own country? Everything depends on computers these days: the energy supply, airplanes, trains. I’m worried that the Net will soon become a war zone, a platform for professional attacks on critical infrastructure."

~ Evgeny Kaspersky in an interview with Der Spiegel (via Schneier on Security)

18 July 2011

Dear Congress… STOP writing laws (esp S.3480). Thanks.

Perhaps worse than a do-nothing congress is a “try to do everything at all right and fail” congress.  Unable to compromise when cooler heads would’ve resulted in better laws (healthcare) and unable to lay off on a hot topic when that’s what would be best for the country. 

The latest example of electioneering hilarity is S.3480, the “Protecting Cyberspace as a National Asset” act.  Full text of the bill is at that link.  Let’s disregard the fact that the bill uses the word “Cyberspace,” which nobody in industry has used with a straight face since WarGames was released.  Congress’ definition is: “The term `cyberspace’ means the interdependent network of information infrastructure, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.”  So… everything, networked or not, that has a microchip or a transistor in it.  Most car stereos are now cyberspace.  Congratulations.

I’ve read the text of the bill - I hope others do as well as we have a habit (to include those VOTING on the bill) of not reading through legislation and making rash judgments.  While I don’t think there is anything particularly earth-shatteringly horrible written into the bill, I also don’t see why it needed to be written in the first place.  If you’re like me, you believe that the government is not really all that efficient at getting things done, so it’s best if they stay out of things unless they have a reason.

The first thing the bill creates is a Presidential appointee post of Director of National Cyberspace Series of Tubes Center for Protection from Cybercrime Chloe Specialists.  No, that’s not the name, but it might as well be.  Why do we need this position and this additional “national center” at the director level?  We have USCYBERCOM, we have the NSA, we have a number of other organizations.  In fact, the bill lists them… there are a LOT of other people already doing this mission.  We don’t need more confusion or more interagency bigwigs floating around.  We need qualified ethical hackers to start fixing things.  We need the government to start letting people know quietly when they find something’s awry.

In this author’s humble opinion, there are not enough qualified people to fill two agencies worth of highly cleared professionals in the government space, so the more grabby hands we’ve got trying to steal people and budgets, the less effective we’ll be at our mission.  I submit this Onion article for reference.  This bill won’t really get the job done - unless the job is to create another DNI focused specifically on Cyberspace, or to get Mr. McConnell to come back to government service.

Next, this bill enables the President to declare a “national state of cyber emergency” in certain scenarios, which allows him (or her) to take control of certain infrastructure.  If I were a more paranoid person I would say this enables censorship and turns us into China or Iran, etc.  I don’t think that would logically be the result, but we’re not always logical.  Sometimes, we’re crazy.  Sometimes, we break FISA court regulations and tap phones.  Just sayin’.  The President already has the power to do these kinds of things with the web - no need to create a less-serious state of emergency to declare.  We’re still at Threat Level Orange after all.

If we need to shut some stuff down to protect thousands of innocent lives, I have a feeling it will get done regardless of the legislation.  Let’s try and leave the internet alone.

In terms of what is useful in this bill, the Director of this new entity will be charged with coming up with a retention plan and recruitment plan for good federal cyberworkers.  This is a good idea.  The government has little idea how to maintain or manage an IT workforce effectively, and it’s important we begin to better understand how best to do that and plan for it moving ahead.  You can also tie this to science and math development goals for children, just to keep things synchronized.

Bad idea in the retention part of the bill: Talk a whole bunch about GS-X employees and benefits and regulation and unions.  IT workers don’t care and it just starts to sound like an organization to funnel recent graduates of UMUC’s Cyber Security certificate program into the federal workforce.

Another useful item in the bill - the Director is charged with revamping the training program for federal employees and establishing relationships between the government and the private sector to share information.  All good things, but again we have 20,000 different departments already working on this.  Nominate somebody already working it as the lead agency and call it a day.  Please.  This can be done without legislation.

To close - Congress, sometimes by not writing things you’re actually making a productive decision that voters appreciate.  In this case, while I appreciate that right before an election you’re trying to be “tough” and “take on cybercriminals,” this bill is not it.  Instead, please just ask those agencies currently embroiled in the “fight” to take the lead, and give them some money if for some reason they haven’t already convinced you to give them enough.

Next, perhaps provide grants to public utilities and private companies struggling to secure infrastructure.  Base the grants on open-sourcing their solutions so others can use them for free. (*gasp*)  Then, sponsor the Black Hat conference and use those guys to your advantage instead of arresting them.

In the meantime, if it’s all the same to you, I’ll just give you credit and thank you for your interest in national defense if you kill this thing and leave it dead on the committee floor.  Deal?

More resources:
Senate Myths and Truths official page
PC Mag Article
Fox News
Open Congress

22 October 2010

About Me

A strategy consultant with a passion for IT, geopolitics, economics, and the open ocean. Awed by simple, innovative solutions to difficult problems. This represents my favorite slices of the web and serves as networked storage for my brain which is now entirely pointer-based. Opinions expressed here are my own and do not represent those of any organization with which I may or may not be allegedly associated.