The Law of Unintended Cyber Consequences
Computer security seems to be an endlessly hot topic. Recently, there has been talk of a bill in the U.S. Senate that would dramatically change the security landscape in this country. Under the guise of protecting national infrastructure, this legislation would raise the price tag for security significantly while allowing the federal government to take charge of any and all systems and networks it happened to choose.
Great idea. “We’re from the government, and we’re here to help your computers. Here’s our secure example. It’s called Colossus.” (That’s a somewhat obscure movie reference. See Colossus: The Forbin Project, or even Colossus: The DVD, to see what people were worried about long before anyone had heard of Skynet.)
The bill is The Cybersecurity Act of 2009, co-sponsored by Democrat John Rockefeller of West Virginia and pretend Republican Olympia Snowe of Maine. As of yet (if I remember correctly and didn’t miss something in my reading), the bill has no sponsors in the House. That’s a hopeful sign. Let’s see why.
Among the bill’s provisions:
- Creation of a Cybersecurity Advisory Panel by the President (Pretty non-controversial and possibly even a good idea.)
- Creation by the Commerce department of a real-time cybersecurity dashboard. (Ummm, what? What a cool idea! Why didn’t anyone else ever think of that? Oh, right. Because it doesn’t make any sense. That’s why. But important decisions will be based on this “dashboard” which makes it really really scary.)
- Development by the National Institute of Standards and Technology of Cybersecurity standards to be followed by all government agencies, contractors and GRANTEES. (Oh, great! More paperwork!)
- Mandatory licensing and certification of cybersecurity professionals (uh-oh! See below).
What most reports about this bill have centered on is another provision that gives the president sweeping powers to basically take over the Internet in the event of what the president himself determines to be a national cyber emergency. Presumably the president would be advised on this by the Cybersecurity Advisory Panel and by the real-time cybersecurity dashboard. What data does the dashboard present, and how is it collected in real time? Does anybody have the slightest idea what this means? I’m just curious, since it’s such an important part of our nation’s defense. At least it is according to the text of the Cybersecurity Act of 2009.
The last provision, though, for licensing of cybersecurity professionals, is more interesting for day-to-day operations and the long-term health of security in this country. The provision would make it unlawful (though in the text, I don’t see anything about penalties – the bill hasn’t yet been finalized, so those could be added)
for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified …
… under a program yet to be developed to license cybersecurity professionals.
Get that? This provision doesn’t just apply to government systems, but to ANY system the president chooses. Or, as Mother Jones puts it: Should Obama Control the Internet? More to the point, should every president – Republican, Democrat or whatever – from now until the end of time control the Internet? That’s the thing about giving power to a president. Even if you like and trust the current one, that doesn’t mean the next one, or the next, or the next, will be just as good.
Anyway, let’s examine this licensing thing in slightly more depth with a quick lesson in economics. To wit, the effect of licensing is always to raise the bar for entry into a profession, reducing the supply of people pursuing that profession and, as a consequence of the relationship of supply and demand, raising the price commanded by those who possess the license (Really. See Occupational Licensing).
Got that? The bill would make it unlawful for government, suppliers to government and anyone else the government designates, NOT to have a licensed security professional on staff, even though mandatory licensing reduces the pool of people available to do the job AND makes the ones who are available more expensive.
Does not having a license mean that someone can’t do the job? At the moment, NO ONE has a license. The job is still getting done, more or less. There are some significant failures (particularly at, say, the U.S. Department of the Interior – See Report Says Interior Dept. Failed to Secure Network) but there are also many successes that don’t make headlines. Security is hard and needs all the skilled hands it can get. Driving people out of the field with licensing requirements is idiotic.
Don’t think that I have some personal reason for being against licensing cybersecurity professionals. I have a dozen years working in IT and considerable exposure to security. I have a bachelor’s degree in Information Technology and I’m working on a Master’s in Information Assurance. If anyone will be able to get a license under the yet-to-be-determined provisions, I probably will. And once I have the license, I’ll go into consulting and make a bundle of money. Maybe even enough to pay off my student loans!
So I’ll do fine. The country as a whole will suffer. Security will become more expensive – which means there will be less of it.
By the way, I should mention that my opinion is by no means universally held (though it is no less right, for that). See for example Proposed Cyber Security Legislation.
There are lots of other provisions in this bill. There are some for spending money on development of standards and education. Some of that may even be worthwhile, though the government involvement in it is questionable, especially since, by the terms of the bill, such grants could only go to institutions employing licensed security professionals. A full reading of the bill makes it seem that the true goal is to put the federal government firmly and completely in control of cybersecurity in this country.
This is a questionable goal at best. The Internet (or rather its military ancestor, ARPANET), one of the most successful technological innovations in human history, was originally developed with the intention of de-centralizing communications so they could survive an attack. The thrust of this bill would be to stupidly move many of our security eggs into one all-controlling basket. This is bad.
Simple analogy: Suppose some new law requires everyone to lock the driver’s door of their car but doesn’t even mention the other doors. How much will car thefts increase as even unskilled thieves learn that they can get in through the passenger door? Sure, most people will know better than to lock just one door. But some (especially some driving company- or government-supplied cars) will be more interested in not getting a ticket than in anything else, so they’ll comply with the letter of the law and ignore the real needs of security.
Okay, maybe that analogy was too simple but I’m tired and don’t feel like coming up with an actually good one right now. The point is that even the parts of this bill that could plausibly be argued to be good will have costs that the people who wrote the bill have clearly not considered.
Politicians should keep their hands off of security. The Cybersecurity Act of 2009 should not become law.
Note
The Washington Post mentions a “cybersecurity czar” (See Senate Legislation Would Federalize Cybersecurity). This appears to be taken from the official entry in the House database, which calls the bill “A bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor.” The text of that bill is not currently available online. The summary is here. The discussion in this post is based on text linked here, which doesn’t mention a cybersecurity czar at all. This disconnect appears to mean that any of the provisions discussed here may or may not be included in the final version. The general idea, that the bill represents a poorly thought out power grab with potentially dangerous consequences, remains.