Congressional Reps Pushing CISPA Cybersecurity Bill Don't Even Know How To Secure Their Own Websites

from the don't-regulate-what-you-don't-know dept

One of the big concerns we've had over politicians trying to regulate technology, is how gleefully ignorant they often seem to be about the technology they seek to regulate. It's no different with the cybersecurity bill CISPA. We've been asking for months for some actual evidence that shows that we really need a cybersecurity bill, and all we get are fanciful stories about planes falling from the sky and hackers taking down powergrids. If either thing was possible, the real response shouldn't be to set up a cybersecurity bill, but to disconnect those key infrastructure pieces from the internet.

Either way, we're learning, once again, that the backers of CISPA don't seem to know the slightest thing about "cybersecurity." Actual cybersecurity expert, Chris Soghoian has highlighted how the key sponsors of CISPA fail at basic cybersecurity for their own websites, raising serious questions about their competence in writing a cybersecurity bill.
Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.

So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security. While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.
Take a wild guess what he found. First, he looks at whether or not they use HTTPS. As he notes, "It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry." So, what did Soghoian find? It appears that neither Reps Rogers nor Ruppersberger do a very good job securing their own sites. He finds some sites without any HTTPS at all, and the others have it configured incorrectly.

When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.

Congressman Dutch's campaign webserver appears to support HTTPS, but returns a certificate error.

He notes that there is really no excuse for these configuration errors, because the House appears to be setup with an HTTPS server, and other Reps. have it properly configured on their site. Not much really needs to be done. However, the fact that other Reps have set up HTTPS really raises concerns about these two Reps and their staff when it comes to cybersecurity:
The webserver that runs all of the websites is listening on port 443 and it looks like Akamai has issued a wildcart * certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or setting up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices have asked for it.
Rep. Rogers, of course, recently stated that he's so concerned with the threats of cybersecurity that he literally "can't sleep at night." Funny, then, that he never bothered to make sure his own website was secure, huh?

Filed Under: cispa, congress, cybersecurity, fail, https

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Anonymous Coward, 19 Apr 2012 @ 4:01pm

    Re: It would be instructive and useful if...

    They would explain how the 'bad' cash being pushed in the wrong direction (to the people, not to the congress critters) is poisoning the public to the views that they have been demanding.... or something similarly silly.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.