Thursday, March 18, 2010

Now we just need the Trilateral Commission . . .

Amid all the brouhaha over the health care bill, there's another bill currently in committee in the Senate which probably will make it out of committee without much in the way of serious debate. As reported by Declan McCullagh on this CNET news piece, Sen. Jay Rockefeller (D-WV) has reintroduced a bill that went nowhere fast last year.  While a large chunk of the text of the bill appears to be proposed rules for certification of cybersecurity professionals, there are some elements of the bill that are particularly disturbing despite language which states that civil liberties will be protected.

Towards the start of the so-called Cybersecurity Act of 2010 (S.773), one of the stated goals of the bill is to grant the President the power to designate a specific system as a "United States critical infrastructure information system" which meets sufficient criteria (to be determined later) such that if said system was compromised, it would constitute a threat to "strategic national interests."  While there is a phrase buried halfway into the text that states the act is not to be construed as an expansion of existing Presidential authorities, it seems exceedingly difficult not to quantify what is essentially nationalization of currently held private sector Internet assets by Presidential fiat under the guise of a "cybersecurity emergency" as anything less than such an expansion.  Language further down in the text may delimit how long such an emergency may be used as justification, but the language doesn't feel like it is sufficiently robust to guarantee a showdown between Congress and the President will end well for Congress, or by extension American users of the Internet.

I'll be the first to admit that when it comes to cybersecurity, America could probably learn to do a lot better keeping the doors locked.  And while there's a part of me that wouldn't mind seeing cybersecurity get some genuine attention from the government, I think this is the wrong way to go about it.  I think federally mandated and designed certification schemes do not carry any inherently greater likelihood of effectiveness than MCSE, A+, Net+, CCNA, or any one of the other dozens of alphabet soup certifications that overpromise and underdeliver.  If I've learned anything in my hunt for employment, it's that hiring managers are desperate to see those certifications on resumes while recruiters are perfectly aware that the certs aren't worth a damn.  They look pretty but they're proof only that somebody paid to take a test and didn't flunk it.  While the bill calls for people who have plans for a career in cybersecurity to be the primary beneficiary of the training programs, I can't help but suspect that it will soon become the latest "trendy" certification.  The shiny new degree that everybody will be scrambling to get and nobody will actually be able to practice.

Cybersecurity should not be quantified by committees and academics.  It should not be raised to the level of a specialized discipline divorced from the larger fields of computer science and information technology.  It should be a brutal Darwinian process that recognizes only the quick and the dead, or the l33t and the pwned if you prefer.  It should be an endless battle of wits between the most vicious, most brilliant, most fearless and inventive minds who ever got root access on a box.  Let the private sector take care of the private sector and the feds take care of the feds.  If a company or government agency wants to go hunting for talent, let them pony up for contests where "capture the flag" becomes "own the box" and pick out the people who've proven they're the best at what they do instead of smiling at the shiny little acronym on their resume.

However great it sounds on the surface, this bill is not going to help America figure out how to protect itself on the Internet.  It's an unworthy effort for unsavory ends by means of ineffective policies.
