---------- Forwarded message ----------
Date: Fri, 01 Feb 2002 12:22:35 -0500
From: Richard Forno <rfornoat_private>
To: rfornoat_private
Subject: [infowarrior] - Comments on Recent Security Legislation Proposals

A few comments on the two pieces of legislation making the security news this week - the "Cyberterrorism Preparedness Act" and the "Cyberterrorism Preparedness Act" of 2002. Pardon the parts that sound like a rant, but sometimes, a rant is a good thing. :)

Reference: http://www.fas.org/irp/congress/2002_cr/s1900.html

When will Congress and the US Government get over their infatuation with the sensational term "Cyber"? Professionals in the security field rarely if ever use the term "cyber" anymore. Our elected leaders sound like a bunch of uninformed cable news analysts with their constant use of 'cyber' buzzwords - although the moniker 'cyber-clueless' seems appropriate for many of these folks given what I've seen so far. 'Cybersecurity' is a meaningless term that tells me that nine times out of ten, the person saying it has little or no understanding of information assurance practices.

Note that both of these proposed Acts throw large money at research and long-term analysis of security-related problems. It seems to me there's more money being spent analyzing our problems than actually addressing them, even though we already KNOW what (and where) the problems are! For those that don't yet know, the government continues to ignore the clear, present, and immediate issues in favor of long-term 'problem deferments' because of two words - ignorance and politics...the things that make Washington go 'round and 'round year after year.

Comments on - "Cyberterrorism Preparedness Act of 2002".

Note that in the definitions for this bill there is not one reference to "cyberterrorism", yet it's the short name of the introduced legislation. One wonders again how many times we'll see "terrorism" in the short name of a bill just to garner attention and make it sound Homeland-Security-ish. Seems like anything with the word "terrorism" in it is almost guaranteed to reach a floor vote in the House and Senate these days. That being said, I wonder how long until our favorite industry cartels - the RIAA and MPAA - begin lobbying to introduce the "Entertainment Terrorism Prevention Act" to classify anyone not buying multiple identical copies of copy-protected content as terrorists and a threat to national economic welfare and security (wait - Jack Valenti did that two years ago in a Senate hearing); and if certain folks in government and the private sector have their way, the "Knowledge-Based Terrorism Preparedness Act" will prohibit anyone from knowing anything that could harm anyone at any time in any fashion. (Okay, that's a bit far, but you get the idea....)

FWIS, this Act proposes to create yet another government bureaucracy to support long-term projects, research, and guidance. Yet there's once again NOTHING to address immediate, tactical, already-known vulnerabilities in our national information infrastructure. This is simply another strategic, not tactical or operational, approach to a partial solution.

Comments on - "Cyberterrorism Preparedness Act of 2002".

How quickly people forget that waving a magic wand or getting a certification or degree does not make someone an instant professional in ANY discipline, contrary to what the companies/vendors/lawmakers preach and think. In this Act, the definition of what constitutes courses in 'cybersecurity' leads me to believe that any institution teaching students how to deploy routers, build networks, or troubleshoot Windows could qualify under this program. An interesting stretch, if not a partially valid statement. For now, I'll agree with it.

FWIS, this proposed bill establishes professional criteria for the initial crop of 'cybersecurity professors' but does not specify what criteria or professional involvement/activities they must continue to perform to remain eligible for program participation, nor does it specify what the school must do to ensure that their initial crop of 'cybersecurity' professors don't become tenured and fall into that 'tenured tunnel-vision job-is-safe rut' that many of us have suffered through as either students or departmental colleagues - leading to poor education and classroom lectures based on antiquated knowledge. We need to ensure these professors have, and continue to conduct, truly recognized research, writing, and operational work in the security arena; otherwise this grant program becomes nothing more than academic welfare for our universities and will hinder, not help, our national information security posture.

If done correctly, this could become a beneficial program for the security profession - and as a security professional, I'm thankful for any qualified assistance we could get in this field. As with all things, the proof will be in the first crop or two of graduates. If this program can produce graduates that have the academic technical background -and- the appropriate hands-on expertise (from internships or relevant lab work) it may indeed become a good program....book-smarts, like an industry or vendor certification, won't cut it alone. Time will tell on this one.

(See also my Securityfocus column "White House CyberSecurity - Jobs, Research, and Rhetoric, but Few Results" at http://www.securityfocus.com/columnists/46)

Just a few thoughts.

Rick
infowarrior.org

--
Visit www.infowarrior.org/lists for list information or to unsubscribe. This message may be redistributed freely in its entirety.

- ISN is currently hosted by Attrition.org