[ISN] [infowarrior] - Comments on Recent Security Legislation Proposals

From: InfoSec News (isnat_private)
Date: Sun Feb 03 2002 - 22:23:11 PST

  • Next message: InfoSec News: "[ISN] Interview with an ex-hacker"

    ---------- Forwarded message ----------
    Date: Fri, 01 Feb 2002 12:22:35 -0500
    From: Richard Forno <rfornoat_private>
    To: rfornoat_private
    Subject: [infowarrior] - Comments on Recent Security Legislation Proposals
    A few comments on the two pieces of legislation making the security
    news this week - the "Cyberterrorism Preparedness Act" and the
    "Cyberterrorism Preparedness Act" of 2002. Pardon the parts that sound
    like a rant, but sometimes, a rant is a good thing. :)
    Reference: http://www.fas.org/irp/congress/2002_cr/s1900.html
    When will Congress and the US Government get over their infatuation
    with the sensational term "Cyber"?? Professionals in the security
    field rarely if ever use the term "cyber" anymore.  Our elected
    leaders sound like a bunch of uninformed cable news analysts with
    their constant use of 'cyber' buzzwords - although the moniker
    'cyber-clueless' seems appropriate for many of these folks given what
    I've seen so far. 'Cybersecurity' is a meaningless term that tells me
    that nine times out of ten, the person saying it has little or no
    understanding of information assurance practices.
    Note both of these proposed Acts throw large money for research and
    long-term analysis of security-related problems. It seems to me
    there's more money being spent analyzing our problems than actually
    addressing them, even though we already KNOW what (and where) the
    problems are!
    For those that don't yet know, the government continues to ignore the
    clear, present, and immediate issues in favor of long-term 'problem
    deferrments' because of two words - ignorance and politics...the
    things that make Washington go 'round and 'round year after year.
    Comments on - "Cyberterrorism Preparedness Act of 2002".
    Note in the definitions for this bill there is not one reference to
    "cyberterrorism" yet it's the short name of the introduced
    legislation. One wonders again how many times we'll see "terrorism" in
    the short name of a bill just to garner attention and make it sound
    Seems like anything with the word "terrorism" in it is almost
    guaranteed to reach a floor vote in the House and Senate these days.
    That being said, I wonder how long until our favorite industry cartels
    - the RIAA and MPAA - begin lobbying to introduce the "Entertainment
    Terrorism Prevention Act" to classify anyone not buying multiple
    identical copies of copy-protected content as terrorists and a threat
    to national economic welfare and security (wait - Jack Valenti did
    that two years ago in a Senate hearing); and if certain folks in
    government and the private sector have their way, the "Knowledge-Based
    Terrorism Preparadness Act" will prohibit anyone from knowing anything
    that could harm anyone at any time in any fashion. (Okay, that's a bit
    far, but you get the idea....)
    FWIS, this Act proposes to create yet another government bureaucracy
    to support long-term projects, research, and guidance. Yet there's
    once again NOTHING to address immediate, tactical, already-known
    vulnerabilities in our national information infrastructure.
    This is simply another strategic, not tactical or operational,
    approach to a partial solution.
    Comments on - "Cyberterrorism Preparedness Act of 2002".
    How quickly people forget that waving a magic wand, getting a
    certification or degree does not make someone an instant professional
    in ANY discipline, contrary to what the companies/vendors/lawmakers
    preach and think.
    In this Act, the definition of what constitutes courses in
    'cybersecurity' leads me to believe that any institution teaching
    students how to deploy routers, build networks, or troubleshoot
    Windows could qualify it under this program. An interesting stretch,
    if not a partially valid statement. For now, I'll agree with it.
    FWIS, this proposed bill establishes professional criteria for the
    initial crop of 'cybersecurity professors' but does not specify what
    criteria or professional involvement/activities they must continue to
    perform to remain eligible for program participation, nor does it
    specify what the school must do to insure that their intitial crop of
    'cybersecurity' professors don't become tenured and fall into that
    'tenured tunnel-vision job-is-safe rut' that many of us have suffered
    through as either students or departmental colleagues - leading to
    poor education and classroom lectures based on antequated knowledge.
    We need to ensure these professors have, and continue to conduct,
    truly recognized research, writing, and operational work in the
    security arena, otherwise this grant program becomes nothing more than
    academic welfare for our universities and will hinder, not help, our
    national information security posture.
    If done correctly - this could become a beneficial program for the
    security profession - and as a security professional, I'm thankful for
    any qualified assistance we could get in this field. As with all
    things, the proof will be in the first crop or two of graduates. If
    this program can produce graduates that have the academic technical
    background -and- the appropriate hands-on expertise (from internships
    or relevant lab work) it may indeed become a good
    program....book-smarts, like an industry or vendor certification,
    won't cut it alone.  Time will tell on this one.
    (See also my Securityfocus column "White House CyberSecurity - Jobs,
    Research, and Rhetoric, but Few Results" at
    Just a few thoughts.
    Visit www.infowarrior.org/lists for list information or to
    unsubscribe. This message may be redistributed freely in its entirety.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 02:26:41 PST