FC: Richard Forno on Congress' "cyberterrorism" bills

From: Declan McCullagh (declanat_private)
Date: Sat Feb 02 2002 - 01:02:59 PST

  • Next message: Declan McCullagh: "FC: Canada's proposed system for profiling air travelers"

    ---------- Forwarded message ----------
    Date: Fri, 01 Feb 2002 12:24:54 -0500
    From: Richard Forno <rfornoat_private>
    To: declanat_private, politechat_private
    Subject: Comments on Recent Security Legislation Proposals
    A few comments on the two pieces of legislation making the security news
    this week - the "Cyberterrorism Preparedness  Act" and the "Cyberterrorism
    Preparedness  Act" of 2002. Pardon the parts that sound like a rant, but
    sometimes, a rant is a good thing. :)
    Reference: http://www.fas.org/irp/congress/2002_cr/s1900.html
    When will Congress and the US Government get over their infatuation with the
    sensational term "Cyber"?? Professionals in the security field rarely if
    ever use the term "cyber" anymore.  Our elected leaders sound like a bunch
    of uninformed cable news analysts with their constant use of 'cyber'
    buzzwords - although the moniker  'cyber-clueless' seems appropriate for
    many of these folks given what I've seen so far. 'Cybersecurity' is a
    meaningless term that tells me that nine times out of ten, the person saying
    it has little or no understanding of information assurance practices.
    Note both of these proposed Acts throw large money for research and
    long-term analysis of security-related problems. It seems to me there's more
    money being spent analyzing our problems than actually addressing them, even
    though we already KNOW what (and where) the problems are!
    For those that don't yet know, the government continues to ignore the clear,
    present, and immediate issues in favor of long-term 'problem deferrments'
    because of two words - ignorance and politics...the things that make
    Washington go 'round and 'round year after year.
    Comments on  - "Cyberterrorism Preparedness  Act of 2002".
    Note in the definitions for this bill there is not one reference to
    "cyberterrorism" yet it's the short name of the introduced legislation. One
    wonders again how many times we'll see "terrorism" in the short name of a
    bill just to garner attention and make it sound Homeland-Security-ish.
    Seems like anything with the word "terrorism" in it is almost guaranteed to
    reach a floor vote in the House and Senate these days. That being said, I
    wonder how long until our favorite industry cartels - the RIAA and MPAA  -
    begin lobbying to introduce the "Entertainment Terrorism Prevention Act" to
    classify anyone not buying multiple identical copies of copy-protected
    content as terrorists and a threat to national economic welfare and security
    (wait - Jack Valenti did that two years ago in a Senate hearing); and if
    certain folks in government and the private sector have their way, the
    "Knowledge-Based Terrorism Preparadness Act" will prohibit anyone from
    knowing anything that could harm anyone at any time in any fashion. (Okay,
    that's a bit far, but you get the idea....)
    FWIS, this Act proposes to create yet another government bureaucracy to
    support long-term projects, research, and guidance. Yet there's once again
    NOTHING to address immediate, tactical, already-known vulnerabilities in our
    national information infrastructure.
    This is simply another strategic, not tactical or operational, approach to a
    partial solution. 
    Comments on - "Cyberterrorism Preparedness  Act of 2002".
    How quickly people forget that waving a magic wand, getting a certification
    or degree does not make someone an instant professional in ANY discipline,
    contrary to what the companies/vendors/lawmakers preach and think.
    In this Act, the definition of what constitutes courses in 'cybersecurity'
    leads me to believe that any institution teaching students how to deploy
    routers, build networks, or troubleshoot Windows could qualify it under this
    program. An interesting stretch, if not a partially  valid statement. For
    now, I'll agree with it.
    FWIS, this proposed bill establishes professional criteria for the initial
    crop of 'cybersecurity professors' but does not specify what criteria or
    professional involvement/activities they must continue to perform to remain
    eligible for program participation, nor does it specify what the school must
    do to insure that their intitial crop of 'cybersecurity' professors don't
    become tenured and fall into that 'tenured tunnel-vision job-is-safe rut'
    that many of us have suffered through as either students or departmental
    colleagues - leading to poor education and classroom lectures based on
    antequated knowledge. We need to ensure these professors have, and continue
    to conduct, truly recognized research, writing, and operational work in the
    security arena, otherwise this grant program becomes nothing more than
    academic welfare for our universities and will hinder, not help, our
    national information security posture.
    If done correctly - this could become a beneficial program for the security
    profession - and as a security professional, I'm thankful for any qualified
    assistance we could get in this field. As with all things, the proof will be
    in the first crop or two of graduates. If this program can produce graduates
    that have the academic technical background -and- the appropriate hands-on
    expertise (from internships or relevant lab work) it may indeed become a
    good program....book-smarts, like an industry or vendor certification, won't
    cut it alone. 
    Time will tell on this one.
    (See also my Securityfocus column "White House CyberSecurity - Jobs,
    Research, and Rhetoric, but Few Results" at
    Just a few thoughts.
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Events: Congreso Nacional de Periodismo Digital in Huesca, Spain from
    Jan. 17-18 (http://www.congresoperiodismo.com) and the Second
    International Conference on Web-Management in Diplomacy in Malta from
    Feb. 1-3. (http://www.diplomacy.edu/Web/conference2/)

    This archive was generated by hypermail 2b30 : Sat Feb 02 2002 - 04:02:41 PST