US Senate: security through (more) bureaucracy
When I first read the news on the Washington Post web site, I thought it was a 1 April joke: Senate Legislation Would Federalize Cybersecurity. April Fools' Day has come and gone, but all the signs are that this is for real: the press releases trumpeting the arrival of the legislation are still there. The bill's summary is available from the US Senate web site (I cannot find the full text of the proposed legislation yet). The problem definition is typical scaremongering:
This comprehensive legislation addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage, and cyber attacks that could cripple our critical infrastructure. We presently have systems to protect our nation’s secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies’ cyber capabilities. However, another great vulnerability our country faces is the threat to our private sector critical infrastructure–banking, utilities, air/rail/auto traffic control, telecommunications–from disruptive cyber attacks that could literally shut down our way of life.
So get ready for a digital Pearl Harbor. The most recent real-world candidate, the Conficker worm's 1 April trigger date, which some described as exactly that, caused zero noticeable impact.
Coming from professional politicians, the bill unsurprisingly proposes to improve the cybersecurity situation by introducing a colossal new bureaucracy, headed by the US Cybersecurity Fuehrer (or Tzar, or Leader, if you so wish). If it becomes law, the government will have control over information security matters in the private sector:
The legislation would require the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards that would be applicable both to government and the private sector.
Although the press release and the summary specifically mention critical infrastructure controlled by private entities (utilities, banking, transportation, health and telecommunications), the bill's scope is apparently not limited to those sectors. That would dwarf the Sarbanes-Oxley and HIPAA information security rackets and create a massive compliance burden on the economy. Layers upon layers of firewalls, "endpoint security" and "intrusion prevention" technologies, and regular compliance audits may become mandated by law.
The bill would also attempt to place a dollar value on cybersecurity risk. Ironically placed under the "Foster innovation" section, it means this:
The legislation would require the Advisor to provide a report on the feasibility of creating a market for cybersecurity risk management, to include civil liability and government insurance.
Welcome to the cybersecurity cap-and-trade scheme!
This is not the first attempt to create cybersecurity bodies within the government. Think of the DHS and its Cybersecurity Center, the people who brought us this:
Yet according to the senators, all these efforts have basically failed. Maybe that signifies a problem with the approach? It does. Government-mandated dogma is not a substitute for a pragmatic approach to security threats.