Tuesday, December 14, 2010

S 4021 Introduced - Silly Cyber Security

Last week Sen. Cardin (D, MD) introduced a new piece of cyber security legislation, S 4021, (Corrected bill number 5:59 pm EST) the Internet and Cybersecurity Safety Standards Act. Since its introduction there have been a number of references in the press to this bill establishing ‘cybersecurity standards’. With the actual bill being published on the GPO website today, we can finally see that the press hype has been overblown as usual. All this bill does is require DHS to conduct yet another silly cybersecurity study.

WARNING: Dripping sarcasm alert...

Another DHS Study Required

This bill does not specifically address control system security issues, or even information system security issues. It is much more expansive than that. It proposes to address the prevention of “terrorists, criminals, spies, and other malicious actors from compromising, disrupting, damaging, or destroying computer networks, critical infrastructure, and key resources” {§4(a)}.

Actually it doesn’t even do that. What it does is to require the Secretary of DHS to take a year to “conduct an analysis to determine the costs and benefits of requiring providers to develop and enforce minimum Internet and cybersecurity safety standards for users of computers” to effect that prevention. Yes, it wants DHS to study the effectiveness of putting the onus for cybersecurity on the “users of computers”.

The scope of the study will be appropriately broad, requiring the Secretary to “consider all relevant factors, including the effect that the development and enforcement of minimum Internet and cybersecurity safety standards may have on homeland security, the global economy, innovation, individual liberty, and privacy” {§4(b)}. Let's not forget the sanctity of the flag, the protection of motherhood and the promotion of apple pie.

Of course, before the Secretary can conduct such an analysis, she is required to “consult with relevant stakeholders in the Government and the private sector, including the academic community, groups, or other institutions, that have scientific and technical expertise related to standards for computer networks, critical infrastructure, or key resources” {§5}. How the Secretary is going to consult with such a disparate group of experts, and conduct the cost-benefit analysis, has been left, appropriately, to the discretion of the Secretary.

Standards? We Don’t Need No Stinkin’ Standards

Of course the legislation completely ignores two essential prerequisites for a ‘cost-benefit’ analysis of this sort. First there would have to be a set of standards that could be evaluated for their effectiveness and second there would have to be an enforcement mechanism that could likewise be evaluated. Neither of these is addressed in this legislation.

Oh yes, I forgot to mention the most ludicrous part of this proposed bill. Back in Section 3, Sen. Cardin lists the Congressional Findings that provide the reasoning underlying the need for this legislation. The first predicate finding of this legislation concludes that “computers pose a risk to computer networks, critical infrastructure, and key resources in the United States” {§3(1)}. Yep, computers are the threat; not compromised computers, not inadequately secured computers, just ‘computers’. Burn ’em all and we'll have cyber security, you betcha.

Fortunately, this bill was introduced too late in the session to cause any significant embarrassment to the Chairman of the Senate Committee on Commerce, Science, and Transportation, to whom it was referred for consideration. The bill, without any consideration, will die when the Senate adjourns sine die later this month. Hopefully, it will be buried in an unmarked grave with an oaken stake through its heart, so that it can never be resurrected.
