Last week Rep. Cartwright (D,PA) introduced HR 4773, the A Necessary and Targeted Impediment to (ANTI) Viruses Act. The bill would require
the General Services Administration to acquire a license to an antivirus computer
product to give to people whose personally identifiable information was lost in a
breach of a Federal computer system. Funding for the AV product would be
provided by the agency [“derived from amounts made available to the agency for
operating expenses” {§2(d)}] whose computer system was breached.
Moving Forward
Both Cartwright and his sole cosponsor {Rep. Norton (D,DC)}
are members of the House Oversight and Government Reform Committee to which
this bill was assigned for consideration. This means that it is possible that
this bill could receive consideration in that Committee.
There is nothing in this bill that would engender
significant opposition (beyond an obvious point that I will raise in the
Commentary section below). Even the funding for the measure is unlikely to
raise any serious discussion. Thus, it is possible that this bill could receive
bipartisan support in Committee and on the floor of the House.
Commentary
Okay, the bar has been officially and substantially raised
for when it becomes necessary to determine the silliest piece of legislation
offered in the 115th Congress. With almost a full year to go, I am
pretty confident (and really very hopeful) that this bill will be the hands
down winner.
There is nothing in the bill (no ‘findings’ section, for
example) that would explain why Cartwright and Norton believe that providing
an individual with computer antivirus protection will offer any sort of
significant relief when their personally identifiable information has been lost in the
breach of any computer network. Even if we assume that network log-in
information is among the data lost and further assume that the individuals
use the same log-in credentials on their home computer, an antivirus package is
not going to stop someone from using that log-on information in accessing that
home computer.
The only thing that could have made this more ludicrous
would have been for the bill to have included a provision prohibiting the GSA from
allowing Kaspersky Labs to submit or be awarded a bid to provide the
AV product. {Disclosure Note: I have been using the Kaspersky AV suite for
quite some time now and do not see any reason to stop}.
One can only hope that Cartwright and Norton (and the Norton
AV people cringe every time I mention her name in this post) are pandering to a
specific segment of the technical ignorati in offering this bill for consideration.
The only other thing that would explain this cyber-silliness is that neither of
these two congresscritters (nor their staff) has any idea what an antivirus
program does or how personally identifiable information is misused.
I wrote above that there was nothing in this bill that would
engender any specific (‘active’ probably would have been a better word)
opposition. What I meant is that there is no political, ideological or
financial reason for this bill to draw opposition. The fact that there is no
connection between lost PII and computer hacking (in the other sequence, certainly),
and so no need for providing people with AV protection, is not sufficient
to draw opposition to the bill.
Okay, I just thought of something. Maybe there is a useful
purpose in this bill. Since the agency whose computer system was breached is responsible
for paying for the AV product out of their operating budget, this bill would
effectively be a fine on that agency for their lack of cybersecurity
competency. This could end up being a sizeable financial incentive to have
adequate cybersecurity in place. Of course, it could end up bankrupting an
agency (Wouldn’t you just love to be the Bankruptcy Judge sitting on that
case????) and in many cases that could be a good thing. But if that is the ‘purpose’
of this bill, please spend the money on something else; give the folks a tank
of gas, or something else worthwhile, not an antivirus program.