Congress Can't Even Get Its Own Cybersecurity Right, So Why Should We Let It Define Everyone Else's?

from the questions-worth-pondering dept

Tue, Apr 21st 2015 2:38pm — Mike Masnick

Congress claims to be really, really serious about passing cybersecurity bills this session -- even though each of the proposals it seems to put forth don't seem to have anything to do with cybersecurity, but plenty to do with increasing surveillance capabilities. We're still waiting for someone (anyone!) to explain what kind of cyberattack the latest bills would have stopped? Looking at the details, as has been the case for years, it really looks like these bills are about increasing the budget for various government agencies while simultaneously increasing surveillance capabilities.

And, as Trevor Timm points out, how could you possibly trust Congress on cybersecurity when those writing the bills don't seem to understand the basics themselves:

Just look at Congress’ own cybersecurity practices. None of the members of the Senate’s Intelligence Committee - the most influential cybersecurity oversight body in Congress - have websites that use HTTPS encryption, which is increasingly becoming the standard for websites who want to provide basic security protections for the people who visit them (Google and others have had it for years).

It’s such a vital tool that the executive branch recently promised to move all its websites over to HTTPS within two years - many of its agencies, though not all, have already made the switch. But there’s not even a hint that Congress is attempting to do the same. (The website of the Senate Intelligence Committee, which is in charge of cybersecurity oversight on the Senate side, also looks like it was designed in 1996.)

Elsewhere in the article, Timm notes that almost no one in Congress uses encrypted emails or encrypted phone systems, and that pretty much all of Congress is easy prey for foreign intelligence agencies looking to snoop on it.

Perhaps Congress should get its own house in order before telling the rest of the country how to improve its cybersecurity?

And the key decision makers appear to be even worse than the rank and file:

Consider the qualifications of the members who are in charge of cybersecurity oversight and who are leading the push for these invasive new laws. The man in charge of the subcommittee on cybersecurity and the NSA in the House, Representative Lynn Westmoreland, has a background in construction and is best known for trying to pass a Ten Commandments law (while only being able to name three of them). His actual expertise in cybersecurity is anyone’s guess, besides having an NSA facility in his district.

It gets worse. The Congressman who oversees the appropriation of billions of dollars in cybersecurity funding for the Department of Homeland Security, Representative John Carter, said this about cybersecurity and encryption recently: “I don’t know anything about this stuff”. Yes, that is an exact quote.

We wrote about that comment by John Carter, in which he followed it up by proving that he was absolutely clueless about encryption. And yet he's looked at to help decide how these things are regulated.

Timm also reminds us how Congress used to have an Office of Technology Assessment, a non-partisan organization that advised Congress on technology issues from 1972 until 1995. That's when Newt Gingrich defunded it. An effort last year by Rush Holt to bring it back was overwhelmingly rejected, suggesting that Congress wants to remain ignorant, even as it has to make laws on this stuff.

At least it appears that more Congressional reps are finally figuring out how to use HTTPS -- with 214 members now at least supporting HTTPS, if only 76 default to it. That's not everything they need to know about cybersecurity, but it at least starts the conversation. Though it seems notable that no Senate site does. It really seems that if Congress wants to write laws about cybersecurity, it should first be required to get its own online security straight first.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: congress, cybersecurity

31 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 21 Apr 2015 @ 2:50pm

Politics as usual
Congress is responsible for 95% of the trouble

They first create problems then campaign against them. They let Obama run wild, they let law enforcement run wild, they let bureaucracies "They Created" run wild! They let the COURTS run wild. They let business run wild.

You pesky citizens ares stupid and deserve the shit you are about to get, it just sucks I have to deal with it because you are all too stupid to vote the correct way.

the correct way to vote has been and will always be... for the voter to first eliminate all candidates that are corrupt, this is not hard actually, then vote for the candidate that stands for your principals.

Reagan is currently the last president that deserved any respect or dignity. Clintoon, Bushtard, and Osama are dirt bags. The house and senate have been corrupt for decades. Radio and the media consistently get it wrong and the people just eat it up left and right.

We deserve this miserable nation we have flushed down the shitter! Once enough illegals get here you will lose your country just like the Europeans are losing theirs. Enjoy losers!
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 2:57pm

If you think voting is going to fix this, you're as stupid as the rest of us.
[ link to this | view in thread ]
Rich Kulawiec, 21 Apr 2015 @ 2:58pm

It's this bad everywhere
There are precious few people in positions of political power who have even a rudimentary grasp of science, medicine, technology, computing, mathematics, or engineering. Worse, most of them don't even try to acquire a back-of-the-envelope level of understanding. And still worse, some of them are actually proud of their ignorance.

The societal cost of this is already enormous and is still growing as the intersection of those areas with law increases. But I don't see a way out, as large swaths of the electorate simply don't see this complete lack of qualification as an issue.
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 2:58pm

Re: Politics as usual
If you think voting is going to fix this, you're as stupid as you claim the rest of us to be.
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 3:00pm

Re: Re: Politics as usual
You are the stupid one for believing that voting will not fix it.

And since you think voting will not be fixing it, what pray tell, do you say will fix it?
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 3:06pm

Re: It's this bad everywhere
They are busy with their left vs right, repuke vs demtard rhetoric to notice they are being played for fools.

Sure I, like everyone else, likes to pick on the other side of the isle, but the bigger problem is those on this & that side protecting the dirt bags!
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 3:14pm

sounds like a typical government to me. too much power in the hands of those least capable of using it correctly!
[ link to this | view in thread ]
Anonymous Anonymous Coward, 21 Apr 2015 @ 3:25pm

Politics Unusual
Two things, neither easy.

1. Get rid of money in politics.

2. Get rid of political parties.

Neither of these are new ideas, and it may take a gun to the head of those needed to make the changes, but I see these as the way.
[ link to this | view in thread ]
John Fenderson (profile), 21 Apr 2015 @ 3:26pm

I think I spotted the problem...
Apparently, those in power think that surveillance and security are the same thing. Which, if you're in power and worried about the unwashed masses getting too angry about your BS, might not be wrong.
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 3:26pm

Congress wants to define cybersecurity for the people so that their cybersecurity definition (which is wrong)will become 'right.' (which still makes it wrong)
[ link to this | view in thread ]
John Fenderson (profile), 21 Apr 2015 @ 3:28pm

Re: Politics as usual
"for the voter to first eliminate all candidates that are corrupt, this is not hard actually"

In what sense is that not hard? Do you have a magical corrupt politician detector?

In my opinion the problem isn't corrupt politicians as much as it's a system that requires honest politicians to behave in corrupt ways if they want to accomplish anything at all.
[ link to this | view in thread ]
John Fenderson (profile), 21 Apr 2015 @ 3:28pm

Re: Politics as usual
Oh, and Reagan was corrupt as hell.
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 3:42pm

What do you expect from people who fall for the old "please input your password" trick from something in their junk box?
[ link to this | view in thread ]
Padpaw (profile), 21 Apr 2015 @ 3:43pm

"Do what we say, not what we do" is the cornerstone for everything that is wrong with people in power in the states do business.
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 4:54pm

Re: It's this bad everywhere
Science, medicine, technology, computing, mathematics, engineering?! Those don't get you elected. Look at our Congress. They are post-docs in mudslinging, political grandstanding, fundraising, speculative innuendo, and pandering. Those are the attributes that get you elected and re-elected. Voters don't want to vote for people they think are smarter than they are... and the voter of today is a product of the education of today. It requires actual work to get an education, and outside of enough to get a job, and to reinforce what you already believe, the average American is decidely that - just average. We have the Congress we deserve, sadly. We do, we voted it in... but don't blame any Republicans on me .
[ link to this | view in thread ]
Anony, 21 Apr 2015 @ 5:09pm

Think about it....
"Elsewhere in the article, Timm notes that almost no one in Congress uses encrypted emails or encrypted phone systems, and that pretty much all of Congress is easy prey for foreign intelligence agencies looking to snoop on it. "

Just watch it will come out later that the NSA won't let Congress secure themselves because Terrorism!
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 5:44pm

Re: Re: Politics as usual
Two words: Iran-Contra Affair!
[ link to this | view in thread ]
Anonymous Coward, 21 Apr 2015 @ 5:53pm

Upgrading web security with best practices from the eff is the very least the congressional IT guys should do.
[ link to this | view in thread ]
Jair, 21 Apr 2015 @ 6:06pm

Re: Politics Unusual
I would add a third step:

3. Remove corporate personhood.

Without it. large companies would be unable to both grow larger and influence the governing process in any way, as they would no longer have the rights of people. And companies that own other companies could be broken up, as that ownership would no longer be legal. It would also make the MAFIAA's shell game of Hollywood accounting impossible, as it relies on front companies which cannot exist and do what they do without having the rights of people.
[ link to this | view in thread ]
orbitalinsertion (profile), 21 Apr 2015 @ 6:51pm

Keep complaining about this. Maybe we will eventually get in-the-loop experts in government who will all be of the pro-surveillance and aggression industries.
[ link to this | view in thread ]
toyotabedzrock (profile), 21 Apr 2015 @ 6:58pm

The child anti trafficking act they want to pass has an army staffed anti economic crime cyber unit attached.
[ link to this | view in thread ]
Anonymous Coward, 22 Apr 2015 @ 2:34am

'Congress Can't Even Get Its Own Cybersecurity Right, So Why Should We Let It Define Everyone Else's?'

because it's Congress and they dont do anything wrong and never lie (or so they say!)!!
[ link to this | view in thread ]
Pragmatic, 22 Apr 2015 @ 6:46am

Re: Re: Politics Unusual
If you succeed in getting rid of political parties, what will you do about caucusing? Human beings are social creatures, it's normal to form tribes.
[ link to this | view in thread ]
Pragmatic, 22 Apr 2015 @ 6:49am

Re: Re: Re: Politics as usual
The Far right has deified Reagan, forgetting that they'd call him a liberal socialist if he ever entered their hallowed halls, the hypocrites.

Hell, I'm conservative and get called that on a regular basis for not toeing the party line. I'm not going to.
[ link to this | view in thread ]
Mason Wheeler (profile), 22 Apr 2015 @ 7:22am

Re: Re: Politics as usual
For the life of me I can't figure out how a guy who got caught giving weapons to America's enemies, who inflated the national debt like a balloon, and who championed a law severely weakening traditional marriage and the family, laying the foundation that the gay marriage movement built upon in later years, is considered some sort of paragon to conservatives today.

Could someone please explain this?
[ link to this | view in thread ]
Mason Wheeler (profile), 22 Apr 2015 @ 7:36am

Re: Re: Re: Politics Unusual
I actually don't think the solution is to get rid of political parties, because as you point out, realistically, that won't work. What we need to get rid of is "two political parties."

In 2003, I was living in Argentina. It was an interesting time, and one of the things that happened was a presidential election. There were five major candidates, and in the end it came down to two guys, where the margin of victory was smaller than the margin of error. Former president Carlos Ménem, trying to win his way back into La Casa Rosada (in the USA we have the White House; the Argentine equivalent is the Pink House,) garnered a very narrow plurality of the vote, with Néstor Kirchner coming in a very close second.

The most recent US election at the time was the one in 2000, and we all remember what a horrendous mess that was. (For values of "all" including US citizens who are not significantly younger than myself.) So it was interesting to watch what happened.

The short version is, instead of wasting time and money on endless recounts and re-recounts and re-re-recounts and court cases and whatnot, they scheduled a runoff election in a few weeks' time. But here's the interesting thing: that runoff election never happened. It quickly became clear that almost everyone who had not voted for Ménem the first time was going to support Kirchner in the runoff, and so Ménem conceded. And I couldn't help but think, this is so much more civilized than the way we did it.

But something like that can't happen without multiple strong parties in the first place.
[ link to this | view in thread ]
Anonymous Coward, 22 Apr 2015 @ 8:44am

... and whose fault is that, eh?
'Congress Can't Even Get Its Own Cybersecurity Right, So Why Should We Let It Define Everyone Else's?'

This article posits that congresscritters don't understand cybersecurity like technologists do, don't use it in spite of being in a position where heightened security is important, and are making laws despite apparent ignorance of the issues.

The article misses at least two points: The members are congress are not by trade technologists. It's not their job to completely understand every nuance of a subject. That's why they have staffs. So argue instead about the ignorance of their staffs. You might also spend some time griping about the congressional IT infrastructure.

One of my favorite lines from this article was Most members of Congress and most congressional staff use unencrypted email ... (quoting ultimately from Chris Soghoian). Most of the world uses unencrypted email. Most often, it's over HTTPS. Sometimes it is on a system "entirely behind a firewall". It's still unencrypted.

Consider the intersection of public records laws and encryption, for congressional email. There were a couple of stories about the Clinton email scandal not so long ago. Now picture if the emails themselves were encrypted.

Finally, what was entirely missing from this article was a plan of action. What are you -we- going to do about this situation? Are you just going to tut-tut, "how terrible this is"?

Because if you're really concerned about this issue, you're going to do something. Contact your representatives (and/or their staffs) and ask to talk about this issue in depth. Don't just inform them of your concerns, ask them what the problems are on their end. Refer them to well known experts so that you don't come across as a special interest lobbyist.

Without the "Do", this article is just blindly repeating someone else's reporting and trolling for an emotional response.
[ link to this | view in thread ]
Anonymous Coward, 22 Apr 2015 @ 8:52am

Re: Re: Re: Re: Politics Unusual
...something like that can't happen without multiple strong parties...

More importantly: this could not happen in the US without a constitutional amendment!
[ link to this | view in thread ]
John Fenderson (profile), 22 Apr 2015 @ 9:23am

Re: Re: Re: Re: Re: Politics Unusual
Instant runoff voting can be done in the US without amending the Constitution.
[ link to this | view in thread ]
Mason Wheeler (profile), 22 Apr 2015 @ 10:15am

Re: ... and whose fault is that, eh?
Finally, what was entirely missing from this article was a plan of action.

I believe that was actually the point of the article: we don't need to do anything, and more specifically, we don't need Congress to pass cybersecurity laws, especially since they don't seem to even be aware of the basics.

(Note: I'm not saying here that I agree with that viewpoint, only that I believe that that was (at least part of) the argument being made in this article.)
[ link to this | view in thread ]
Anonymous Coward, 23 Apr 2015 @ 5:02am

(The website of the Senate Intelligence Committee, which is in charge of cybersecurity oversight on the Senate side, also looks like it was designed in 1996.)

From the bottom of the linked page:

"Copyright © 2006 United States Senate Select Committee on Intelligence"
[ link to this | view in thread ]