Another sad example of why IT, not government, is ultimately responsible for cybersecurity

Another sad example of why IT, not government, is ultimately responsible for cybersecurity

Summary: We continue to follow the kindergarten antics of our politicians. But there's only one real truth, and that's this: when the bits hit the firewall, it's the techies who get called.


My brain sometimes makes strange connections. For example, when I learned that Republican senators are blaming Democratic senators for blaming Republican senators for not passing a cybersecurity bill, I somehow thought of Huey Lewis' 1984 hit, "I Want a New Drug".

The song seems weirdly appropriate in a few different ways. First, of course, "I Want a New Drug" was a hit back in 1984, the year of George Orwell's anachronistic but moderately prophetic tome on nationalism, repression, censorship, and the surveillance society. It's important to be thinking about issues of liberty and privacy when thinking about a new, comprehensive cybersecurity bill.

But, secondly, the song "I Want a New Drug" is, essentially, a laundry-list of specifications. Huey wants a drug that won't make him sick, won't make him nervous, won't spill, won't cost too much, won't keep him up all night, and so forth.

Our cybersecurity bills are also laundry lists -- and we also have a laundry list of bills. Whether it's the Cyber Intelligence Sharing and Protection Act, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012, the Cybersecurity Act of 2012 (PDF), the Cybersecurity Enhancement Act of 2012, or even the FISMA update, Federal Information Security Amendment Act of 2012 -- these bills are all laundry lists of features.

One grants the government better access to shared information. Another expands the role of the Department of Homeland Security so that it can set security standards required of certain companies and agencies, another sets up a threat-sharing center inside the NSA. The list goes on. And on. And on. And on.

Although I've said that the Cybersecurity Act of 2012 probably should be passed into law, the bill really isn't much more than Huey's wish for a new drug, in that it's a wish list, a paper tiger. On the other hand, many others, including the EFF, have stated that some of these proposed laws might be over-reaching and probably unnecessary.

Here's the thing, though -- if our politicians think a mere wish list will make a difference in defending against digital attacks from real foes, they're probably high.

While Rome burns, while cyberattacks are reported at a blistering rate, our politicians fiddle around, blaming each other for blaming each other for not getting things done.

Now, think about it. Who gets things done when management fiddles around? IT professionals, of course. You folks.

And who will protect your users and servers when a distributed denial of service hits? Some piece of legislation? No. You geeks will.

And who will clean up a malware infested computer when some nasty worm hits it? Our illustrious U.S. Senate? No, of course not. Y'all will.

The point is, whether or not new laws are passed, whether or not we even need new laws, the troops on the front lines of the cyberwar aren't politicians. They're not lawyers. They're not even law enforcement. Nope.

They're IT professionals. They're you.

And, so, yes, we'll continue to follow the kindergarten antics of our political class, and I may even tell you this bill or that bill has merit. But there's only one real truth, and that's this: when the bits hit the firewall, it's the techies who get called.

Topics: Security, Government, Government US, Privacy


David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • "We continue to follow the kindergarten antics of our politicians."

    Well...maybe YOU do...but IMO...there isn't ONE who is worth their weight in dog poo...and I could care less about the whole lot.
    • If you don't care about the whole lot,

      then why do you live in the country the lot represents?

      Just curious.
    • If you don't care about the whole lot,

      then why do you live in the country that the "whole lot" represent?
  • If like hot dogs and you respect the law.. should never witness how either one is made.
  • "geeks" aren't going to protect vital systems against Chinese hackers

    Yeah, they may be able to bring the electrical grid, transit system, bank website, etc back up a few days later, but that doesn't mean much if you depend on those systems for every day life. I agree with certain Republican senators that we should have legislators dictating security requirements, however I do believe that vital systems will be far more secure if we hold the executives in charge of those systems personally liable for security-related failures. In other words, "we won't tell you what your security needs to be, but it better be good because if you get hacked you're going to jail."
    • Uh, that should be:

      "I agree with certain Republican senators that we SHOULDN'T have legislators dictating security requirements" Bring back the Edit function ZD!
    • Yes they will

      Even if Congress passes laws mandating certain security measures, it's the geeks who implement them, which is precisely David's point. And if captains of industry do the mandating instead of the politicians (which is preferred, if they'll do it), it's still the geeks who implement the mandates.

      Sysadmins may or may not succeed in defending their systems, but if they don't, nobody else is going to either.
      John L. Ries
      • "it's the geeks who implement them"

        And every geek knows how to make it APPEAR that auditors' recommendations and requests are implemented.
        Nothing's gonna change till some very high profile security breach - asking overworked/understaffed/underpaid/lacking expertise IT departments to worry about security beyond basics is like asking a homeless to maintain good hygiene.
        • If that's the sort of company you work for...

 should probably look for another job.
          John L. Ries
          • Ahhh - we all work for that kind of company.

            Formalized security requirements have nothing to do with actual security. One example: as long as it has a lock, paper bag is HIPAA compliant for transporting patients records. Does that make any sense to you?
            Another example - few years back auditors required us to limit root access for ERP box to maximum 3 people (why 3? what's tha magic number?). They were ok though with pretty much anybody we want having sudo access to root shell.
            Does that make any sense to you?
            That's the kind of "security" we as IT are forced to implement.
          • I'll accept that

            Security requirements should be written by people who actually understand the issues, which is not the typical MBA or JD.
            John L. Ries
          • The big IT security lies

            1.) We put this new deadbolt on the front door. Look how secure we are now. Never mind there's a giant hole in the wall and you can walk right in. (metaphorically speaking)

            2.) That really sensible thing that would make your job easy but would make IT have to not be completely lazy pieces of crap for two seconds ... yeah, we can't do that because ... SECURITY!!!!
          • completely lazy pieces of crap

            sure - most IT workers are "completely lazy pieces of crap", but so are most non-IT workers. :-P
    • Geeks/

      If the geeks don't, it is certain the the Senators can't.
  • Huey Lewis Was Singing About Marijuana?

    Never thought about it, but it seems to come closest to matching the requirements you list.
    • No, he wasn't

      He was singing about how good a particular girl made him feel.
      • Exactly

        "One that makes me feel like I feel when I'm with you".

        No downside, apparently.
        John L. Ries
      • But If He Already Had The Girl ...

        ... why did he need the drug?

        Simple logic, really.