Rep. Mike Rogers, On His Way Out Of Congress, Slams Obama For Not Launching Premature Cyberwar Against North Korea
from the and-for-not-giving-his-precious-nsa-your-data dept
Rep. Mike Rogers is just about out of Congress, but the NSA’s biggest defender (despite his supposed role in “overseeing” the agency) is using his last days on Capitol Hill to keep pushing his favorite causes. Over the weekend, he complained that President Obama basically should have gone to “cyberwar” with North Korea over the Sony hack.
?Unfortunately, he?s laid out a little of the playbook,? Rogers said. ?That press conference should have been here are the actions.? …
Without discussing specifics, Rogers said the U.S. has the capability to cripple North Korea?s cyberattack capabilities, which have been rapidly improving over the last few years.
?I can tell you we have the capability to make this very difficult for them in the future,? he said.
And I can tell you that Mike Rogers is full of bluster with little basis. First off, there is still some fairly strong skepticism in the actual computer security field that North Korea was behind the hack. Launching an all out attack without more proof would seem premature. Second, Rogers is simply wrong or clueless. We don’t have the capability to “cripple” anyone’s “cyberattack capabilities” unless he means taking out the entire internet. There are always ways around that. Even the reports that we’ve seen that do blame North Korea don’t seem to think the full attack came from North Korea, so doing something like taking the few internet connections in North Korea off the map wouldn’t do much good if the actual attack came from, say, China or Eastern Europe or somewhere else.
Third, can we just get over this ridiculous idea that a hack of one company, which may or may not have been by actors working for a government, is an act of either “terrorism” or “war.” It’s not. It’s a hack. Tons of companies get hacked every day. Some have good security and still get hacked. Some, like Sony, appear to have terrible security and get hacked very easily. It’s not terrorism. It’s not war. It’s a hack. We shouldn’t be talking about retaliation or destroying countries over a hack. We should be talking about better security. Jim Harper does a good job explaining why an overreaction is a bad idea:
The greatest risk in all this is that loose talk of terrorism and ?cyberwar? lead nations closer to actual war. Having failed to secure its systems, Sony has certainly lost a lot of money and reputation, but for actual damage to life and limb, you ain?t seen nothing like real war. It is not within well-drawn boundaries of U.S. national security interests to avenge wrongs to U.S. subsidiaries of Japanese corporations. Governments in the United States should respond to the Sony hack with nothing more than ordinary policing and diplomacy.
But, no, not Mike Rogers. Instead, he’s using this as his opportunity to push for his favorite bad law: giving the NSA more power to sift through your data:
Rogers, who is retiring from Congress in just a few days, made a final plug for his bill to facilitate cybersecurity information sharing between the private sector and National Security Agency (NSA). The measure passed the House, but stalled in the Senate, held up by privacy concerns.
It?s necessary, Rogers argued, if the U.S. wants to protect itself from similar attacks in the future. Because of laws on the books, the NSA is limited in its ability to protect private critical infrastructure networks.
?This isn?t about reading your email, it?s about reading malicious source code,? Rogers said.
He’s talking, of course, about his beloved CISPA, which would effectively remove any liability from companies for sharing your private data with the NSA (and the rest of the government). But, as per usual with Rogers, he’s wrong about nearly all of the details. There is nothing in CISPA that would have made it so the NSA could have “protected” Sony. Sony’s problem here was Sony’s terrible computer security. So, no, we don’t need CISPA or other cybersecurity legislation to better protect the internet.
And is Mike Rogers really trying to argue that Sony’s private intranet is “critical infrastructure”?
Finally, there’s nothing in the law today that stops a company from sharing “malicious source code” with the government or others. We already have a good way for dealing with that that doesn’t require a new law that gives the NSA more access to everyone’s data.
Either way, it looks like Rogers is going out in typical fashion — shooting his mouth off in favor of his friends and pet projects, without actually understanding or caring about the details. No wonder he’s going into AM talk radio. He’ll be a perfect fit.