Diary

What the new Federal Cyber Security Bill means

First, read CNET’s Declan McCullagh’s write-up of the bill.

The political blogosphere is more excited over the prospect of President Obama being able to shut down networks or otherwise declare Cyber-Martial Law. The real risk is much subtler.

The key is in his passage:

Other sections of the proposal include a federal certification program for “cybersecurity professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.

So, step one is to require certain networks to be managed by people licensed by the Government. I’ve been predicting this for a while, and I can’t really say I’m 100% opposed to it. Too many times in my career non-technical management has decreed that an insecure, even dangerous, solution be deployed due to “market pressure” or just the fact that someone in the Board Room made an arbitrary decision about when a deployment would happen and no one has the guts to stand up and say no.

Those decisions have consequences well beyond the enterprise. Take Microsoft: their products are notoriously vulnerable to viruses, worms and Trojans. While dumb users are a component, the architectural design of their product is a primary contributor. Microsoft releasing a product that permits thirty million PCs to be turned into zombies controlled by the Russian Mob, Chinese State Security Services, or a random computer-savvy Al Qaeda sympathizer in Berkeley is a National Security matter.

Sure, the examples you’re given are nuclear power plants, or the electric grid. But I bet the first groups that are required to be managed by licensed professionals are the consumer-based networks run by AT&T, Comcast and Verizon. The networks that provide connectivity to your home.

Now think about the guy who just got his Federal Certification. He probably had to pass a lot of tests, paid a lot of money to get certified, got his “I’m not a terrorist” background check, etc. If the FBI or Homeland Security asks him – off the record – “go take a look and see what Mr. Farris is up to”, is he gonna risk his certification and his high-paying job by telling them “Get a Warrant”? No. He will comply. And he’ll probably have legal immunity for complying with law enforcement requests.

Of course, as we’ve seen with Bush’s federalization of Airport Security, nothing is actually made any safer. The Federal Government doesn’t know jack squat about secure network design or software development. And the lobbyists for the companies that have created the problem (think Microsoft as an example) will make damn sure the regulations don’t put them out of business or raise their expenses. In fact, I wouldn’t be surprised one bit if they use this process to cut out their competitors in the Open Source (Linux) realm.

When the men and women who manage our systems and networks are no longer beholden to their management or technical abilities, but instead beholden to the Federal Government for their jobs, the whole picture will change.