Slow Down, Homeland Security: Does Everyone Really Agree That We Need Cybersecurity Legislation Now?

from the why-the-rush,-sparky? dept

Thu, Mar 8th 2012 3:11pm — Mike Masnick

We've been following the debate over the new cybersecurity bill, while still asking for detailed explanation of why it's needed that is a bit more specific than politicians screaming about airplanes falling out of the sky. To date, no one seems to be able to show any real threat -- other than a bunch of folks in a position to profit from the fear mongering, yelling "trust us! it's bad!" But we've seen this game before, and it's how a lot of money gets wasted, privacy rights are eroded, and nothing is done to deal with any real problem.

So why can't we hit pause and ask for some actual evidence?

Yes, there's a turf war between DHS and the NSA/DoD over who gets to control the purse strings and have more control, but no one seems to be asking for the actual evidence. Instead, they're just trying to push forward as fast as possible. Witness this blog post from Mark Weatherford, Homeland Security's Deputy Undersecretary for Cybersecurity, in which he insists that everyone agrees that we need a cybersecurity law and we need it now:

We must deliver and we must act quickly. It’s time to be bold. The troubling side of spending a week with some of the experts in the cybersecurity world is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out. We need to continue to sharpen our response tactics and move even faster when an intruder gets inside to limit the damage and protect our information. That requires a fast, unified response between federal agencies and our private partners – which is where Congress can help.

I agree that we're not always keeping intruders out -- though I think it should be admitted that we'll never "always" keep intruders out. That's an impossible goal. And I agree that sharing information to build up better defenses could be a good thing. But how do we then take the logical leap that this "requires a fast, unified response" from the government? The operators of these networks already are working hard to keep intruders out and have tremendous incentive to keep improving their defenses. Why do we need regulations to continue that process? That's the part that's never been clearly explained, and it seems like a pretty big gap, which all this talk about the necessary "rush" is designed to paper over.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, cyberwar, dhs, dod, evidence, mark weatherford, nsa

29 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Glen, 8 Mar 2012 @ 3:34pm

Oh good lord. The faster they act the worse off we will all be.
[ link to this | view in thread ]
Anonymous Coward, 8 Mar 2012 @ 3:50pm

can't keep illegal aliens out at just the borders
but can somehow keep hackers out? from anywhere in the world?
[ link to this | view in thread ]
She, 8 Mar 2012 @ 3:51pm

Require 'block' buttons on all sites with conversations and chats on it for the commenters than the only people that need to discuss and agree on things are the financial sites. Common Sense needed.
[ link to this | view in thread ]
PlagueSD (profile), 8 Mar 2012 @ 3:56pm

We just need to get rid of all the stupid users. Social Engineering is still the easiest way of hacking into a system. No matter what the sysadmins and IT Security folks do, we can't patch human stupidity.
[ link to this | view in thread ]
Capitalist Lion Tamer (profile), 8 Mar 2012 @ 3:59pm

Everyone agrees...

"...as a quick poll at the DHS offices confirmed."
[ link to this | view in thread ]
G-Man, 8 Mar 2012 @ 4:01pm

Interesting
That's interesting. I read the article, but all I heard was "Blah blah blah, I'm a terrorist." You can be expecting the black helicopters shortly.
[ link to this | view in thread ]
Thomas (profile), 8 Mar 2012 @ 4:31pm

Himmler..
would be proud of them. Maybe they are studying translations of Gestapo manuals, trying to figure out the best way to terrorize U.S. citizens.
[ link to this | view in thread ]
Anonymous Coward, 8 Mar 2012 @ 4:31pm

"... everyone agrees ..."

The most disturbing part is that they admit the public is not part of the process anymore, i.e. "everyone they think that matters".
[ link to this | view in thread ]
Anonymous Coward, 8 Mar 2012 @ 4:32pm

No Legislation Required
Why would they need legislation in the event of an intrusion being discovered? Intrusions nearly always happen because of boneheaded mistakes by management. We are talking really dumb stuff here, like foolishly connecting SCADA systems to the general internet, failure to set the firewall rationally, allowing SQL injection attacks, and other stupidity. Preventing intrusions takes IT competence, not legislation.

It is total fantasy to imagine that criminals or foreign governments would be discouraged by legislation. The real problem is that there is no penalty imposed on managers who make dumb mistakes. That is a matter of political will and nothing to do with legislation. Bureaucrats who have been caught out not doing their jobs, often say things like, "Oh, minister, we do not have the power. We need more legislation." That is standard practice. Any senior politician who falls for that line, is a gullible fool and has not learnt from history. Such a politician needs to leave politics.
[ link to this | view in thread ]
Anonymous Coward, 8 Mar 2012 @ 4:37pm

Re: No Legislation Required
The government is 10-20 years behind with technology. They want to legislate technology so it remains in step with what they can understand.
[ link to this | view in thread ]
Digitari, 8 Mar 2012 @ 5:17pm

RE
Of course this needs to be done fast, the longer it takes the more folks might try and think it through.....

Everyone (in Government) knows thinking is BAAAAD!!!

(it killed SOPA/PIPA doncha know?)
[ link to this | view in thread ]
Anonymous Coward, 8 Mar 2012 @ 7:01pm

Some thought...
To address the issue they can create law the punish software vendors that release software found with vulunerabilities to the public.

But in that case, most of software vendors would have gone backruptted.

******

People using unanthorized software in government or mission critical organization need to be punished, but not by law.

Leaving the floor wet without warning is dangerous to others, but I'd think creating a law for this would be going too far...
[ link to this | view in thread ]
Melissa Ruhl (profile), 8 Mar 2012 @ 10:54pm

Democracy thrives with an educated populace, right?
I don't understand why the DHS/DoD/NSA doesn't want this to be a more public discussion. It is not as though the government is a lone lighthouse up against universal crashing waves of evil. There are so many facets of government and national security that the best way to form a more complete national defense would be to have a more informed populace. If we know how to protect ourselves, we will all be safer. Instead, their talk of a strawman/boogyman just paralyzes people into inaction. Stupid.
[ link to this | view in thread ]
Anonymous Coward, 9 Mar 2012 @ 3:41am

Who said everyone has to agree ?
Come on Masnick, you must be able to do better than this ?
[ link to this | view in thread ]
Anonymous Coward, 9 Mar 2012 @ 3:49am

Re: Interesting
G(ee)-Man meet PlagueSD

"We just need to get rid of all the stupid users"

"I read the article, but all I heard was "Blah blah blah, I'm a terrorist."
[ link to this | view in thread ]
Anonymous Coward, 9 Mar 2012 @ 3:55am

Re: Re: No Legislation Required
right, keep believing that!! HAHAH, amusing

name the organisation that employes more computer scientists, engineers, mathamations, programmers and software engineers that any other organisation on the planet bar none ? and that has the most powerfull supercomputers ?

was not DARPA a "government" ??? you know the guys who invented the internet ? Hmm !!!

"We just need to get rid of all the stupid users"

[ link to this | view in thread ]
Anonymous Coward, 9 Mar 2012 @ 4:08am

Re: Democracy thrives with an educated populace, right?
it what security IS Melissa, if the 'other side' knows what you are doing and how you are doing it, they can develop 'counter-measures' specifically to 'counter' that 'measure' (method). If they dont know what you are doing or how you are doing it, it is much harder for them to develop methods against what you are doing. This applies to all sides.

if you tell the enemy that at 3pm next tuesday you are going to invade a beach, with 10,000 troops and 20 tanks you would probably expect the enemy to be somewhat prepared for the assault. If you tell them nothing, the enemy will be somewhat LESS prepared for it.

Why would your Government want to inform YOU of what they are doing, after all, whatever they say or do according to masnick and his followers is wrong, and stupid, and they dont have a clue (but you do !!!)..

I would not bother informing you either, because either way you people appear to no understand it, therefore it's a waste of time.
[ link to this | view in thread ]
Hephaestus (profile), 9 Mar 2012 @ 6:39am

Re:
I was going to make a similar argument. We need to stop this whole "rush this law through so you can see whats in it" thing that has become all the rage in politics recently.
[ link to this | view in thread ]
Hephaestus (profile), 9 Mar 2012 @ 6:42am

Re: Re: Re: No Legislation Required
DARPA did not invent the internet. They funded it there is a huge difference.
[ link to this | view in thread ]
AndyB (profile), 9 Mar 2012 @ 6:57am

Why the rush? Simple: $$
Take a quick perusal through the list of groups that have written letters in support of the Cybersecurity Act of 2012: http://www.hsgac.senate.gov/issues/cybersecurity.

What do basically all of these groups have in common? They either a) provide products or services that will be mandated by the Act or b) lobby/represent those companies. This isn't proof that we do or don't need some sort of cybersecurity legislation, but it sheds some light on why "everyone" supports it - "everyone" stands to increase budgets or make money.

Same story for the hearings in February. You have DHS (wins the turf war under the CSA12), Stewart Baker (works for law firm that will get tons of work under the Act), Microsoft (will get tons of money securing networks), Tom Ridge (on behalf of US Chamber of Commerce).
[ link to this | view in thread ]
Anonymous Coward, 9 Mar 2012 @ 8:59am

Smart Patch
For a short time only, I'm offering the Smart Patch for $9.99.

Just apply the patch to your arm, like a nicotine patch, and you�ll become Smarter! Send your money, along with a self-addressed envelope, to: PO BOX 343, New York, NY 01010
[ link to this | view in thread ]
BeeAitch (profile), 9 Mar 2012 @ 11:33am

Re: Re: Re: No Legislation Required
I had to actually look up "mathamation" to see if it was a real word (it's not). Perhaps you meant "mathematician"?

Even so, having the most (powerful) tools means nothing if one doesn't know how to use them properly.

DARPA was (is) not a "government". It was (is) an agency of the USDoD (United States Department of Defense), and as Hephaestus pointed out already they did not 'invent the internet'.

You, Mr. Anonymous Coward, have identified yourself as a stupid user. Please remove yourself from the internet immediately.

That is all.
[ link to this | view in thread ]
BeeAitch (profile), 9 Mar 2012 @ 11:44am

Re: Re: Democracy thrives with an educated populace, right?
What you (attempt to) define is "security through obscurity", and it has generally been shown to fail as a security policy.

If you're going to call someone out for being uninformed, you should pull your head out of your ass first, just sayin'.
[ link to this | view in thread ]
Gerald Robinson (profile), 9 Mar 2012 @ 12:16pm

Do we need this law?
NO but. Currently SCADA systems are unsecured or poorly secured as a matter of convenience. This needs to be addressed but only the SCADA systems need to be addressed. So far there haven't been verified cases of attacks on SCADA but that can change with large unpleasant consequences. This doesn't mean that there haven't been any attacks as most of the companies don't want to admit it. But to date the SCADA related outages appear to be stupidity not malice. A bill that narrowly addresses SCADA systems would make sense. The current bill doesn't make any sense. As a business owner its up to me to decide what my information is worth and how much to spend to protect it. Today Sarbanes�Oxley wastes millions of dollars a year as it is far too broad. Its tighter accounting controls were needed on the Big 8 Accounting firms. The controls on how automation is handled and IT is implemented waste billions a year, we don't need a repeat on a much border scale.
[ link to this | view in thread ]
monkyyy, 9 Mar 2012 @ 1:28pm

unplug anything life threatening from the internet, put all usb port behind locks, and nail harddrives to the floor then leave the internet alone

yep that should solve 99% of the issues
[ link to this | view in thread ]
fairuse (profile), 9 Mar 2012 @ 11:29pm

Listen to Rockefeller Rant
Hon. John Rockefeller starts out fine but speech goes "off world" later.

http://commerce.senate.gov/public/index.cfm?p=Multimedia

The scare everyone speech -- http://www.youtube.com/user/SenateCommercePress -- http://www.youtube.com/watch?v=ywfz0ZvNBfE

OMG we are all gonna die via cyber attack!
[ link to this | view in thread ]
Melissa Ruhl (profile), 11 Mar 2012 @ 11:45am

Re: Re: Democracy thrives with an educated populace, right?
To a certain extent security is secrecy, but taken too far secrecy becomes paranoia and eventually insecurity. Also, I don't think they should necessarily disclose their methods for handling security breaches, but rather the type and quantity of the breaches themselves.
[ link to this | view in thread ]
Anonymous Coward, 18 Apr 2012 @ 11:45am

Re: Re: Democracy thrives with an educated populace, right?
First: You can't just write legislation that magically protects everything.

Second:
The threat we face from an outside force without this cybersecurity information sharing nonsense is LESS THAN THE THREAT we face than if we blindly allow the government (who could be infiltrated by our enemy for all you know, but that's not what I'm saying) to make this legislation without the consent of the people.

... The CIA thought it was a good idea to commit false flag operations at home to turn political sentiment against Cuba a long time ago.
That's one of those things they (and you) would like to keep secret for security purposes, but which is FAR MORE IMPORTANT for the people of our country to know about.
[ link to this | view in thread ]
ED MOSS, 24 Apr 2012 @ 10:58pm

cispa
One of america's strongest values is freedom of speech. Why do we want to copy countries that do not have this freedom ? The free exchange of ideas should never be threatening unless you have something to hide .
[ link to this | view in thread ]