Politech mailing list archives

FC: Richard Forno on Congress' "cyberterrorism" bills


From: Declan McCullagh <declan () well com>
Date: Sat, 2 Feb 2002 01:02:59 -0800 (PST)



---------- Forwarded message ----------
Date: Fri, 01 Feb 2002 12:24:54 -0500
From: Richard Forno <rforno () infowarrior org>
To: declan () well com, politech () politechbot com
Subject: Comments on Recent Security Legislation Proposals

A few comments on the two pieces of legislation making the security news
this week - the "Cyberterrorism Preparedness Act" and the "Cyberterrorism
Preparedness Act" of 2002. Pardon the parts that sound like a rant, but
sometimes, a rant is a good thing. :)

Reference: http://www.fas.org/irp/congress/2002_cr/s1900.html

When will Congress and the US Government get over their infatuation with the
sensational term "Cyber"?? Professionals in the security field rarely if
ever use the term "cyber" anymore.  Our elected leaders sound like a bunch
of uninformed cable news analysts with their constant use of 'cyber'
buzzwords - although the moniker  'cyber-clueless' seems appropriate for
many of these folks given what I've seen so far. 'Cybersecurity' is a
meaningless term that tells me that nine times out of ten, the person saying
it has little or no understanding of information assurance practices.

Note both of these proposed Acts throw large money for research and
long-term analysis of security-related problems. It seems to me there's more
money being spent analyzing our problems than actually addressing them, even
though we already KNOW what (and where) the problems are!

For those that don't yet know, the government continues to ignore the clear,
present, and immediate issues in favor of long-term 'problem deferments'
because of two words - ignorance and politics...the things that make
Washington go 'round and 'round year after year.

Comments on - "Cyberterrorism Preparedness Act of 2002".

Note in the definitions for this bill there is not one reference to
"cyberterrorism" yet it's the short name of the introduced legislation. One
wonders again how many times we'll see "terrorism" in the short name of a
bill just to garner attention and make it sound Homeland-Security-ish.

Seems like anything with the word "terrorism" in it is almost guaranteed to
reach a floor vote in the House and Senate these days. That being said, I
wonder how long until our favorite industry cartels - the RIAA and MPAA -
begin lobbying to introduce the "Entertainment Terrorism Prevention Act" to
classify anyone not buying multiple identical copies of copy-protected
content as terrorists and a threat to national economic welfare and security
(wait - Jack Valenti did that two years ago in a Senate hearing); and if
certain folks in government and the private sector have their way, the
"Knowledge-Based Terrorism Preparedness Act" will prohibit anyone from
knowing anything that could harm anyone at any time in any fashion. (Okay,
that's a bit far, but you get the idea....)

FWIS, this Act proposes to create yet another government bureaucracy to
support long-term projects, research, and guidance. Yet there's once again
NOTHING to address immediate, tactical, already-known vulnerabilities in our
national information infrastructure.

This is simply another strategic, not tactical or operational, approach to a
partial solution. 

Comments on - "Cyberterrorism Preparedness Act of 2002".

How quickly people forget that waving a magic wand, getting a certification
or degree does not make someone an instant professional in ANY discipline,
contrary to what the companies/vendors/lawmakers preach and think.

In this Act, the definition of what constitutes courses in 'cybersecurity'
leads me to believe that any institution teaching students how to deploy
routers, build networks, or troubleshoot Windows could qualify it under this
program. An interesting stretch, if not a partially valid statement. For
now, I'll agree with it.

FWIS, this proposed bill establishes professional criteria for the initial
crop of 'cybersecurity professors' but does not specify what criteria or
professional involvement/activities they must continue to perform to remain
eligible for program participation, nor does it specify what the school must
do to ensure that their initial crop of 'cybersecurity' professors don't
become tenured and fall into that 'tenured tunnel-vision job-is-safe rut'
that many of us have suffered through as either students or departmental
colleagues - leading to poor education and classroom lectures based on
antiquated knowledge. We need to ensure these professors have, and continue
to conduct, truly recognized research, writing, and operational work in the
security arena, otherwise this grant program becomes nothing more than
academic welfare for our universities and will hinder, not help, our
national information security posture.

If done correctly - this could become a beneficial program for the security
profession - and as a security professional, I'm thankful for any qualified
assistance we could get in this field. As with all things, the proof will be
in the first crop or two of graduates. If this program can produce graduates
that have the academic technical background -and- the appropriate hands-on
expertise (from internships or relevant lab work) it may indeed become a
good program....book-smarts, like an industry or vendor certification, won't
cut it alone. 

Time will tell on this one.

(See also my Securityfocus column "White House CyberSecurity - Jobs,
Research, and Rhetoric, but Few Results" at
http://www.securityfocus.com/columnists/46)


Just a few thoughts.

Rick
infowarrior.org






-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------