Slow Down, Homeland Security: Does Everyone Really Agree That We Need Cybersecurity Legislation Now?

from the why-the-rush,-sparky? dept

We’ve been following the debate over the new cybersecurity bill, while still asking for detailed explanation of why it’s needed that is a bit more specific than politicians screaming about airplanes falling out of the sky. To date, no one seems to be able to show any real threat — other than a bunch of folks in a position to profit from the fear mongering, yelling “trust us! it’s bad!” But we’ve seen this game before, and it’s how a lot of money gets wasted, privacy rights are eroded, and nothing is done to deal with any real problem.

So why can’t we hit pause and ask for some actual evidence?

Yes, there’s a turf war between DHS and the NSA/DoD over who gets to control the purse strings and have more control, but no one seems to be asking for the actual evidence. Instead, they’re just trying to push forward as fast as possible. Witness this blog post from Mark Weatherford, Homeland Security’s Deputy Undersecretary for Cybersecurity, in which he insists that everyone agrees that we need a cybersecurity law and we need it now:

We must deliver and we must act quickly. It’s time to be bold. The troubling side of spending a week with some of the experts in the cybersecurity world is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out. We need to continue to sharpen our response tactics and move even faster when an intruder gets inside to limit the damage and protect our information. That requires a fast, unified response between federal agencies and our private partners – which is where Congress can help.

I agree that we’re not always keeping intruders out — though I think it should be admitted that we’ll never “always” keep intruders out. That’s an impossible goal. And I agree that sharing information to build up better defenses could be a good thing. But how do we then take the logical leap that this “requires a fast, unified response” from the government? The operators of these networks already are working hard to keep intruders out and have tremendous incentive to keep improving their defenses. Why do we need regulations to continue that process? That’s the part that’s never been clearly explained, and it seems like a pretty big gap, which all this talk about the necessary “rush” is designed to paper over.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Slow Down, Homeland Security: Does Everyone Really Agree That We Need Cybersecurity Legislation Now?”

Subscribe: RSS Leave a comment
Anonymous Coward says:

No Legislation Required

Why would they need legislation in the event of an intrusion being discovered? Intrusions nearly always happen because of boneheaded mistakes by management. We are talking really dumb stuff here, like foolishly connecting SCADA systems to the general internet, failure to set the firewall rationally, allowing SQL injection attacks, and other stupidity. Preventing intrusions takes IT competence, not legislation.

It is total fantasy to imagine that criminals or foreign governments would be discouraged by legislation. The real problem is that there is no penalty imposed on managers who make dumb mistakes. That is a matter of political will and nothing to do with legislation. Bureaucrats who have been caught out not doing their jobs, often say things like, “Oh, minister, we do not have the power. We need more legislation.” That is standard practice. Any senior politician who falls for that line, is a gullible fool and has not learnt from history. Such a politician needs to leave politics.

Anonymous Coward says:

Some thought...

To address the issue they can create law the punish software vendors that release software found with vulunerabilities to the public.

But in that case, most of software vendors would have gone backruptted.


People using unanthorized software in government or mission critical organization need to be punished, but not by law.

Leaving the floor wet without warning is dangerous to others, but I’d think creating a law for this would be going too far…

Melissa Ruhl (profile) says:

Democracy thrives with an educated populace, right?

I don’t understand why the DHS/DoD/NSA doesn’t want this to be a more public discussion. It is not as though the government is a lone lighthouse up against universal crashing waves of evil. There are so many facets of government and national security that the best way to form a more complete national defense would be to have a more informed populace. If we know how to protect ourselves, we will all be safer. Instead, their talk of a strawman/boogyman just paralyzes people into inaction. Stupid.

Anonymous Coward says:

No Legislation Required

right, keep believing that!! HAHAH, amusing

name the organisation that employes more computer scientists, engineers, mathamations, programmers and software engineers that any other organisation on the planet bar none ? and that has the most powerfull supercomputers ?

was not DARPA a “government” ??? you know the guys who invented the internet ? Hmm !!!

“We just need to get rid of all the stupid users”

Anonymous Coward says:

Democracy thrives with an educated populace, right?

it what security IS Melissa, if the ‘other side’ knows what you are doing and how you are doing it, they can develop ‘counter-measures’ specifically to ‘counter’ that ‘measure’ (method). If they dont know what you are doing or how you are doing it, it is much harder for them to develop methods against what you are doing. This applies to all sides.

if you tell the enemy that at 3pm next tuesday you are going to invade a beach, with 10,000 troops and 20 tanks you would probably expect the enemy to be somewhat prepared for the assault. If you tell them nothing, the enemy will be somewhat LESS prepared for it.

Why would your Government want to inform YOU of what they are doing, after all, whatever they say or do according to masnick and his followers is wrong, and stupid, and they dont have a clue (but you do !!!)..

I would not bother informing you either, because either way you people appear to no understand it, therefore it’s a waste of time.

Anonymous Coward says:

Re: Democracy thrives with an educated populace, right?

First: You can’t just write legislation that magically protects everything.

The threat we face from an outside force without this cybersecurity information sharing nonsense is LESS THAN THE THREAT we face than if we blindly allow the government (who could be infiltrated by our enemy for all you know, but that’s not what I’m saying) to make this legislation without the consent of the people.

… The CIA thought it was a good idea to commit false flag operations at home to turn political sentiment against Cuba a long time ago.
That’s one of those things they (and you) would like to keep secret for security purposes, but which is FAR MORE IMPORTANT for the people of our country to know about.

AndyB (profile) says:

Why the rush? Simple: $$

Take a quick perusal through the list of groups that have written letters in support of the Cybersecurity Act of 2012:

What do basically all of these groups have in common? They either a) provide products or services that will be mandated by the Act or b) lobby/represent those companies. This isn’t proof that we do or don’t need some sort of cybersecurity legislation, but it sheds some light on why “everyone” supports it – “everyone” stands to increase budgets or make money.

Same story for the hearings in February. You have DHS (wins the turf war under the CSA12), Stewart Baker (works for law firm that will get tons of work under the Act), Microsoft (will get tons of money securing networks), Tom Ridge (on behalf of US Chamber of Commerce).

BeeAitch (profile) says:

No Legislation Required

I had to actually look up “mathamation” to see if it was a real word (it’s not). Perhaps you meant “mathematician”?

Even so, having the most (powerful) tools means nothing if one doesn’t know how to use them properly.

DARPA was (is) not a “government”. It was (is) an agency of the USDoD (United States Department of Defense), and as Hephaestus pointed out already they did not ‘invent the internet’.

You, Mr. Anonymous Coward, have identified yourself as a stupid user. Please remove yourself from the internet immediately.

That is all.

Gerald Robinson (profile) says:

Do we need this law?

NO but. Currently SCADA systems are unsecured or poorly secured as a matter of convenience. This needs to be addressed but only the SCADA systems need to be addressed. So far there haven’t been verified cases of attacks on SCADA but that can change with large unpleasant consequences. This doesn’t mean that there haven’t been any attacks as most of the companies don’t want to admit it. But to date the SCADA related outages appear to be stupidity not malice. A bill that narrowly addresses SCADA systems would make sense. The current bill doesn’t make any sense. As a business owner its up to me to decide what my information is worth and how much to spend to protect it. Today Sarbanes?Oxley wastes millions of dollars a year as it is far too broad. Its tighter accounting controls were needed on the Big 8 Accounting firms. The controls on how automation is handled and IT is implemented waste billions a year, we don’t need a repeat on a much border scale.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...