Sunday, January 31, 2010
Reader Comment – 01-29-10 Cyber Response
A reader, D3, posted a response to my recent blog about the introduction of HR 4507. D3 wrote: “Why should it surprise you to learn that the Federal Government realizes that cyber security is "everyone's responsibility?" Assuming the Federal Government is the sole entity responsible for security in "cyberspace" is a lot like saying the fire department is the only entity qualified to respond to fire emergencies...just a thought--not an attack.”
In the broader sense, D3 is certainly correct; everyone is responsible on some level for cyber security. If every computer user properly protected their own computers, we would not have the widespread ‘botnets’ that are being used in so many cyber attacks. If every organization properly trained their users and adequately monitored their own networks, they would be much less susceptible to cyber attacks. If every equipment manufacturer and software developer adequately tested and evaluated the risks to their products, it would be much harder for cyber criminals to effect successful cyber attacks.
If the wording of HR 4507 indicated that the consortium was designed to help State and local governments to protect their own computer systems against cyber attack, then I would be much more supportive of the measure. However, it seems to me that the intent of the bill is to enroll these State and local governments in the more general protection of the ‘Internet’. Those governments simply have no authority to affect cyber practices beyond their own internal systems.
If Congressman Rodriguez (D, TX) was intending to ensure that the appropriate cyber security education was being developed and spread down to the State and local level so that they could protect their own systems, I think that the bill should have been more explicit. The current language does not appear to me to support that interpretation.
A further suggestion: State and local governments are not the only entities that need outside assistance in the field of cyber protection and education. There are a very large number of users that do not have the internal resources to ensure that their organization is making the proper efforts to protect their systems from cyber attacks. The consortium could also be used to develop procedures and training for small businesses and non-profit organizations. If HR 4507 were expanded to cover this type of organization, then the intent to help systems protect themselves would be clearer.