Tuesday, January 16, 2018

HR 4773 Introduced – AV for Federal Breaches

Last week Rep. Cartwright (D,PA) introduced HR 4773, the A Necessary and Targeted Impediment to (ANTI) Viruses Act. The bill would require the General Services Administration to acquire a license to an antivirus computer product to give to people whose personally identifiable information was lost in a breach of a Federal computer system. Funding for the AV product would be provided by the agency [“derived from amounts made available to the agency for operating expenses” {§2(d)}] whose computer system was breached.

Moving Forward

Both Cartwright and his sole cosponsor {Rep. Norton (D,DC)} are members of the House Oversight and Government Reform Committee to which this bill was assigned for consideration. This means that it is possible that this bill could receive consideration in that Committee.

There is nothing in this bill that would engender significant opposition (beyond an obvious point that I will raise in the Commentary section below). Even the funding for the measure is unlikely to raise any serious discussion. Thus, it is possible that this bill could receive bipartisan support in Committee and on the floor of the House.


Commentary

Okay, the bar has been officially and substantially raised for when it becomes necessary to determine the silliest piece of legislation offered in the 115th Congress. With almost a full year to go, I am pretty confident (and really very hopeful) that this bill will be the hands-down winner.

There is nothing in the bill (no ‘findings’ section, for example) that would explain why Cartwright and Norton believe that it will provide any sort of significant relief to provide an individual with computer antivirus protection when their personally identifiable information has been lost in the breach of any computer network. Even if we assume that network log-in information is among the data lost, and further assume that the individuals use the same log-in credentials on their home computer, an antivirus package is not going to stop someone from using that log-in information to access that home computer.

The only thing that could have made this more ludicrous would have been for the bill to have included a provision prohibiting the GSA from allowing Kaspersky Labs to submit or be awarded a bid to provide the AV product. {Disclosure Note: I have been using the Kaspersky AV suite for quite some time now and do not see any reason to stop}.

One can only hope that Cartwright and Norton (and the Norton AV people cringe every time I mention her name in this post) are pandering to a specific segment of the technical ignorati in offering this bill for consideration. The only other thing that would explain this cyber-silliness is that neither of these two congresscritters (nor their staff) has any idea what an antivirus program does or how personally identifiable information is misused.

I wrote above that there was nothing in this bill that would engender any specific (‘active’ probably would have been a better word) opposition. What I meant is that there is no political, ideological or financial reason for this bill to draw opposition. The fact that there is no connection between lost PII and computer hacking (the other sequence certainly), and so no need for providing people with AV protection, is not sufficient to draw opposition to the bill.

Okay, I just thought of something. Maybe there is a useful purpose in this bill. Since the agency whose computer system was breached is responsible for paying for the AV product out of their operating budget, this bill would effectively be a fine on that agency for their lack of cybersecurity competency. This could end up being a sizeable financial incentive to have adequate cybersecurity in place. Of course, it could end up bankrupting an agency (Wouldn’t you just love to be the Bankruptcy Judge sitting on that case????) and in many cases that could be a good thing. But if that is the ‘purpose’ of this bill, please spend the money on something else; give the folks a tank of gas, or something else worthwhile, not an antivirus program.
