Congress Can't Even Get Its Own Cybersecurity Right, So Why Should We Let It Define Everyone Else's?

from the questions-worth-pondering dept

Congress claims to be really, really serious about passing cybersecurity bills this session — even though each of the proposals it puts forth seems to have nothing to do with cybersecurity, and plenty to do with increasing surveillance capabilities. We’re still waiting for someone (anyone!) to explain what kind of cyberattack the latest bills would have stopped. Looking at the details, as has been the case for years, it really looks like these bills are about increasing the budget for various government agencies while simultaneously increasing surveillance capabilities.

And, as Trevor Timm points out, how could you possibly trust Congress on cybersecurity when those writing the bills don’t seem to understand the basics themselves:

Just look at Congress’ own cybersecurity practices. None of the members of the Senate’s Intelligence Committee – the most influential cybersecurity oversight body in Congress – have websites that use HTTPS encryption, which is increasingly becoming the standard for websites who want to provide basic security protections for the people who visit them (Google and others have had it for years).

It’s such a vital tool that the executive branch recently promised to move all its websites over to HTTPS within two years – many of its agencies, though not all, have already made the switch. But there’s not even a hint that Congress is attempting to do the same. (The website of the Senate Intelligence Committee, which is in charge of cybersecurity oversight on the Senate side, also looks like it was designed in 1996.)

Elsewhere in the article, Timm notes that almost no one in Congress uses encrypted emails or encrypted phone systems, and that pretty much all of Congress is easy prey for foreign intelligence agencies looking to snoop on it.

Perhaps Congress should get its own house in order before telling the rest of the country how to improve its cybersecurity?

And the key decision makers appear to be even worse than the rank and file:

Consider the qualifications of the members who are in charge of cybersecurity oversight and who are leading the push for these invasive new laws. The man in charge of the subcommittee on cybersecurity and the NSA in the House, Representative Lynn Westmoreland, has a background in construction and is best known for trying to pass a Ten Commandments law (while only being able to name three of them). His actual expertise in cybersecurity is anyone’s guess, besides having an NSA facility in his district.

It gets worse. The Congressman who oversees the appropriation of billions of dollars in cybersecurity funding for the Department of Homeland Security, Representative John Carter, said this about cybersecurity and encryption recently: “I don’t know anything about this stuff”. Yes, that is an exact quote.

We wrote about that comment by John Carter, in which he followed it up by proving that he was absolutely clueless about encryption. And yet he’s looked at to help decide how these things are regulated.

Timm also reminds us how Congress used to have an Office of Technology Assessment, a non-partisan organization that advised Congress on technology issues from 1972 until 1995. That’s when Newt Gingrich defunded it. An effort last year by Rush Holt to bring it back was overwhelmingly rejected, suggesting that Congress wants to remain ignorant, even as it has to make laws on this stuff.

At least it appears that more Congressional reps are finally figuring out how to use HTTPS — with 214 members now at least supporting HTTPS, if only 76 default to it. That’s not everything they need to know about cybersecurity, but it at least starts the conversation. Though it seems notable that no Senate site does. It really seems that if Congress wants to write laws about cybersecurity, it should first be required to get its own online security straight.


Comments on “Congress Can't Even Get Its Own Cybersecurity Right, So Why Should We Let It Define Everyone Else's?”

Anonymous Coward says:

Politics as usual

Congress is responsible for 95% of the trouble

They first create problems then campaign against them. They let Obama run wild, they let law enforcement run wild, they let bureaucracies “They Created” run wild! They let the COURTS run wild. They let business run wild.

You pesky citizens are stupid and deserve the shit you are about to get, it just sucks I have to deal with it because you are all too stupid to vote the correct way.

the correct way to vote has been and will always be… for the voter to first eliminate all candidates that are corrupt, this is not hard actually, then vote for the candidate that stands for your principles.

Reagan is currently the last president that deserved any respect or dignity. Clintoon, Bushtard, and Osama are dirt bags. The house and senate have been corrupt for decades. Radio and the media consistently get it wrong and the people just eat it up left and right.

We deserve this miserable nation we have flushed down the shitter! Once enough illegals get here you will lose your country just like the Europeans are losing theirs. Enjoy losers!

Jair says:

Re: Re: Re:2 Politics Unusual

I would add a third step:

3. Remove corporate personhood.

Without it, large companies would be unable to both grow larger and influence the governing process in any way, as they would no longer have the rights of people. And companies that own other companies could be broken up, as that ownership would no longer be legal. It would also make the MAFIAA’s shell game of Hollywood accounting impossible, as it relies on front companies which cannot exist and do what they do without having the rights of people.

Mason Wheeler (profile) says:

Re: Re: Re:4 Politics Unusual

I actually don’t think the solution is to get rid of political parties, because as you point out, realistically, that won’t work. What we need to get rid of is “two political parties.”

In 2003, I was living in Argentina. It was an interesting time, and one of the things that happened was a presidential election. There were five major candidates, and in the end it came down to two guys, where the margin of victory was smaller than the margin of error. Former president Carlos Ménem, trying to win his way back into La Casa Rosada (in the USA we have the White House; the Argentine equivalent is the Pink House,) garnered a very narrow plurality of the vote, with Néstor Kirchner coming in a very close second.

The most recent US election at the time was the one in 2000, and we all remember what a horrendous mess that was. (For values of “all” including US citizens who are not significantly younger than myself.) So it was interesting to watch what happened.

The short version is, instead of wasting time and money on endless recounts and re-recounts and re-re-recounts and court cases and whatnot, they scheduled a runoff election in a few weeks’ time. But here’s the interesting thing: that runoff election never happened. It quickly became clear that almost everyone who had not voted for Ménem the first time was going to support Kirchner in the runoff, and so Ménem conceded. And I couldn’t help but think, this is so much more civilized than the way we did it.

But something like that can’t happen without multiple strong parties in the first place.

John Fenderson (profile) says:

Re: Politics as usual

“for the voter to first eliminate all candidates that are corrupt, this is not hard actually”

In what sense is that not hard? Do you have a magical corrupt politician detector?

In my opinion the problem isn’t corrupt politicians as much as it’s a system that requires honest politicians to behave in corrupt ways if they want to accomplish anything at all.

Mason Wheeler (profile) says:

Re: Re: Politics as usual

For the life of me I can’t figure out how a guy who got caught giving weapons to America’s enemies, who inflated the national debt like a balloon, and who championed a law severely weakening traditional marriage and the family, laying the foundation that the gay marriage movement built upon in later years, is considered some sort of paragon to conservatives today.

Could someone please explain this?

Rich Kulawiec (profile) says:

It's this bad everywhere

There are precious few people in positions of political power who have even a rudimentary grasp of science, medicine, technology, computing, mathematics, or engineering. Worse, most of them don’t even try to acquire a back-of-the-envelope level of understanding. And still worse, some of them are actually proud of their ignorance.

The societal cost of this is already enormous and is still growing as the intersection of those areas with law increases. But I don’t see a way out, as large swaths of the electorate simply don’t see this complete lack of qualification as an issue.

Anonymous Coward says:

Re: It's this bad everywhere

Science, medicine, technology, computing, mathematics, engineering?! Those don’t get you elected. Look at our Congress. They are post-docs in mudslinging, political grandstanding, fundraising, speculative innuendo, and pandering. Those are the attributes that get you elected and re-elected. Voters don’t want to vote for people they think are smarter than they are… and the voter of today is a product of the education of today. It requires actual work to get an education, and outside of enough to get a job, and to reinforce what you already believe, the average American is decidedly that – just average. We have the Congress we deserve, sadly. We do, we voted it in… but don’t blame any Republicans on me.

Anony says:

Think about it....

“Elsewhere in the article, Timm notes that almost no one in Congress uses encrypted emails or encrypted phone systems, and that pretty much all of Congress is easy prey for foreign intelligence agencies looking to snoop on it.”

Just watch it will come out later that the NSA won’t let Congress secure themselves because Terrorism!

Anonymous Coward says:

... and whose fault is that, eh?

‘Congress Can’t Even Get Its Own Cybersecurity Right, So Why Should We Let It Define Everyone Else’s?’

This article posits that congresscritters don’t understand cybersecurity like technologists do, don’t use it in spite of being in a position where heightened security is important, and are making laws despite apparent ignorance of the issues.

The article misses at least two points: The members of congress are not by trade technologists. It’s not their job to completely understand every nuance of a subject. That’s why they have staffs. So argue instead about the ignorance of their staffs. You might also spend some time griping about the congressional IT infrastructure.

One of my favorite lines from this article was “Most members of Congress and most congressional staff use unencrypted email …” (quoting ultimately from Chris Soghoian). Most of the world uses unencrypted email. Most often, it’s over HTTPS. Sometimes it is on a system “entirely behind a firewall”. It’s still unencrypted.

Consider the intersection of public records laws and encryption, for congressional email. There were a couple of stories about the Clinton email scandal not so long ago. Now picture if the emails themselves were encrypted.

Finally, what was entirely missing from this article was a plan of action. What are you -we- going to do about this situation? Are you just going to tut-tut, “how terrible this is”?

Because if you’re really concerned about this issue, you’re going to do something. Contact your representatives (and/or their staffs) and ask to talk about this issue in depth. Don’t just inform them of your concerns, ask them what the problems are on their end. Refer them to well known experts so that you don’t come across as a special interest lobbyist.

Without the “Do”, this article is just blindly repeating someone else’s reporting and trolling for an emotional response.

Mason Wheeler (profile) says:

Re: ... and whose fault is that, eh?

“Finally, what was entirely missing from this article was a plan of action.”

I believe that was actually the point of the article: we don’t need to do anything, and more specifically, we don’t need Congress to pass cybersecurity laws, especially since they don’t seem to even be aware of the basics.

(Note: I’m not saying here that I agree with that viewpoint, only that I believe that that was (at least part of) the argument being made in this article.)
