from the don't-regulate-what-you-don't-know dept
One of the big concerns we've had over politicians trying to regulate technology, is how gleefully ignorant they often seem to be about the technology they seek to regulate. It's no different with the cybersecurity bill CISPA. We've been asking for months for some
actual evidence that shows that we really need a cybersecurity bill, and all we get are fanciful stories about planes falling from the sky and hackers taking down powergrids. If either thing was possible, the real response shouldn't be to set up a cybersecurity bill, but to
disconnect those key infrastructure pieces from the internet.
Either way, we're learning, once again, that the backers of CISPA don't seem to know the slightest thing about "cybersecurity." Actual cybersecurity expert, Chris Soghoian has highlighted how the key sponsors of CISPA
fail at basic cybersecurity for their own websites, raising serious questions about their competence in writing a cybersecurity bill.
Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.
So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security. While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.
Take a wild guess what he found. First, he looks at whether or not they use HTTPS. As he notes, "It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry." So, what did Soghoian find? It appears that neither Reps Rogers nor Ruppersberger do a very good job securing their own sites. He finds some sites without any HTTPS at all, and the others have it configured incorrectly.
When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.
Congressman Dutch's campaign webserver appears to support HTTPS, but returns a certificate error.
He notes that there is really no excuse for these configuration errors, because the House appears to be setup with an HTTPS server, and other Reps. have it properly configured on their site. Not much really needs to be done. However, the fact that
other Reps have set up HTTPS really raises concerns about these two Reps and their staff when it comes to cybersecurity:
The webserver that runs all of the house.gov websites is listening on port 443 and it looks like Akamai has issued a wildcart *.house.gov certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or setting up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices have asked for it.
Rep. Rogers, of course, recently stated that he's so concerned with the threats of cybersecurity that he literally "can't sleep at night." Funny, then, that he never bothered to make sure
his own website was secure, huh?
Filed Under: cispa, congress, cybersecurity, fail, https