Congressional Reps Pushing CISPA Cybersecurity Bill Don't Even Know How To Secure Their Own Websites

from the don't-regulate-what-you-don't-know dept

One of the big concerns we've had over politicians trying to regulate technology is how gleefully ignorant they often seem to be about the technology they seek to regulate. It's no different with the cybersecurity bill CISPA. We've been asking for months for some actual evidence that shows that we really need a cybersecurity bill, and all we get are fanciful stories about planes falling from the sky and hackers taking down power grids. If either thing were possible, the real response shouldn't be to set up a cybersecurity bill, but to disconnect those key infrastructure pieces from the internet.

Either way, we're learning, once again, that the backers of CISPA don't seem to know the slightest thing about "cybersecurity." Actual cybersecurity expert Chris Soghoian has highlighted how the key sponsors of CISPA fail at basic cybersecurity for their own websites, raising serious questions about their competence in writing a cybersecurity bill:
Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.

So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security? While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.
Take a wild guess what he found. First, he looks at whether or not they use HTTPS. As he notes, "It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry." So, what did Soghoian find? It appears that neither Rep. Rogers nor Rep. Ruppersberger does a very good job securing their own sites. He finds some sites without any HTTPS at all, and the others have it configured incorrectly:

When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.

Congressman Dutch's campaign webserver appears to support HTTPS, but returns a certificate error.

He notes that there is really no excuse for these configuration errors, because the House appears to be set up with an HTTPS server, and other Reps have it properly configured on their sites. Not much really needs to be done. However, the fact that other Reps have set up HTTPS really raises concerns about these two Reps and their staff when it comes to cybersecurity:
The webserver that runs all of the websites is listening on port 443 and it looks like Akamai has issued a wildcard * certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or set up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices has asked for it.
Rep. Rogers, of course, recently stated that he's so concerned with the threats of cybersecurity that he literally "can't sleep at night." Funny, then, that he never bothered to make sure his own website was secure, huh?
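The cursory check Soghoian describes, written out as an added Python example (not his tooling or Techdirt's): probe a host on port 443 with certificate verification, classify the result into the outcomes the post lists (no HTTPS, certificate error, redirect to some other site), and apply the wildcard-name matching rule that lets one `*.`-style certificate cover every site under a domain. The example.gov hostnames and the SAMPLES results are constructed, not real measurements.

```python
import http.client
import ssl
from urllib.parse import urlparse

def cert_name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style name check: '*' may stand in for exactly one leftmost label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                      # "*.example.gov" -> ".example.gov"
    labels = host.split(".")
    # One extra non-empty label and nothing more; "a.b.example.gov" must not match.
    return host.endswith(suffix) and labels[0] != "" and len(labels) == suffix.count(".") + 1

def classify(probe: dict) -> str:
    """Map a probe result onto the outcomes the post describes."""
    if not probe["port_open"]:
        return "no HTTPS at all"
    if probe["cert_error"]:
        return "HTTPS offered but certificate error"
    if probe["status"] in (301, 302, 303, 307, 308) and probe["location"]:
        target = urlparse(probe["location"])
        if target.hostname and target.hostname != probe["host"]:
            return "redirects off-site to " + target.hostname
        if target.scheme == "http":
            return "downgrades to plain HTTP"
    return "HTTPS works"

def probe_https(host: str, timeout: float = 5.0) -> dict:
    """Live probe of one host (needs network); returns the dict shape classify() expects."""
    probe = {"host": host, "port_open": False, "cert_error": False, "status": None, "location": None}
    ctx = ssl.create_default_context()           # verifies the chain and the hostname
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        probe.update(port_open=True, status=resp.status, location=resp.getheader("Location"))
    except ssl.SSLCertVerificationError:        # 443 answers, but the cert does not validate
        probe.update(port_open=True, cert_error=True)
    except OSError:                              # refused, timed out, or handshake failed outright
        pass
    return probe
# Constructed probe results (not real measurements) mirroring the cases in the post.
SAMPLES = {
    "no_https": {"host": "a.example.gov", "port_open": False, "cert_error": False, "status": None, "location": None},
    "off_site": {"host": "b.example.gov", "port_open": True, "cert_error": False, "status": 302, "location": "https://caucus.example.gov/"},
    "bad_cert": {"host": "c.example.gov", "port_open": True, "cert_error": True, "status": None, "location": None},
    "fine": {"host": "d.example.gov", "port_open": True, "cert_error": False, "status": 200, "location": None},
}
```

To check a real site, call `classify(probe_https("hostname"))`; a wildcard certificate like the one in the quote above covers `member.example.gov` but not `sub.member.example.gov`, which `cert_name_matches` makes explicit.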

Filed Under: cispa, congress, cybersecurity, fail, https

Reader Comments


  1. Anonymous Coward, 19 Apr 2012 @ 1:08pm

    Congress is a place of marvelous ignorance of everything; it is just shocking how intelligent individuals packed together can become so dumb.

    TreeHugger: CA Senator Wants Warning Labels on Reusable Bags: "Can Cause Serious Illness, Cancer"

    Maybe we should call this the age of paranoid politics. Well, not really; looking at history, it is just impressive that after millennia we still do the same exact things that people did in antiquity or the Middle Ages.

    People intelligent in one area or otherwise, who get to power, suddenly believe they can regulate all other areas according to their own bias, because everything that they experience is applicable to other areas, without having to respect true democratic values, which were built exactly to address those shortcomings of top-down BS management.

    There is not a way to secure the internet; you can secure information for a short while. Anything that needs long-term secrecy should never traverse open channels but exclusive ones. Punishing people for your own failings will not save you from people who want to do real harm, since they don't care about the punishment; further, trying to create cybersecurity BS bills that criminalize experimentation in security harms your own prospects of having the necessary people with the necessary skills to protect anything.

    Yes, you can disable the US Navy through the internet; it is doable because the Navy uses the fucking open internet to communicate important data. It is possible to destroy a pump somewhere using SCADA, which begs the question why these dumb people are allowing it to communicate over insecure channels at all. Most importantly, it shows the weakness of central single points of failure; if they were really interested in securing the nation they would be thinking of decentralization and the P2P'fying of the entire vital infrastructure. Production of energy should be distributed, if possible, to the family level; water needs should be met with new technologies for treatment and recycling inside a home; and so forth. Then there is no risk from the internet anymore; it would become impossible to disable the country.

    Taking those steps you reduce dramatically the apocalyptic scenarios that cyber-dumb people can come up with.

    I am calling them cyber-dumb people because that is what they are: they could be very knowledgeable in some other area but are completely stupid about how technology really works and what it can do, and so are undermining democracy to get the feel of security, which can't be had by such measures but by real work, real innovation. We are not going to secure America by legislating bad guys out; they don't care. We will secure America the only way that is proven to work, and that is innovating and working on the real solutions that will upset many deep-rooted interests.
