Letting our lawmakers make laws about cybersecurity is probably a mistake
Yes, I am fully cognizant of the paradox of this article's headline. We in America are stuck with the problem that our laws, if not written by, are at least approved by...politicians. As a result, our laws often reflect political reality more than, say, real reality.
Take CISPA. No, please. Take it.
We've talked about CISPA before. We've talked about how important it is for America to have strong cybersecurity protection, but how we also need to protect the privacy of American citizens.
We've talked about how that's a fine line to walk.
Sigh.
So, CISPA has passed the House, but now the Senate is debating their own version of the cybersecurity bill.
See also: CISPA: more heinous than SOPA, and it just passed
Here's the thing. Debating doesn't really mean "debating". Debating means that one party demands one thing, the other party demands the other thing, lots of phone calls and texts go back and forth, deals are made that sell out one segment of the populace or the other, and eventually a bill gets passed that doesn't really help anyone.
Cybersecurity is on that fast track. Oh, joy.
Now, let's understand something. Cybersecurity is about protecting America and American interests from attacks over the digital battlespace. It's about making sure terrorists or nation states or criminal groups can't take down critical Web sites and critical infrastructure.
But our lawmakers are somehow missing that important point.
For example, instead of just sticking to cybersecurity in the cybersecurity bill, some Senators are tossing in the entire cyber sink. Some of the Senators working on the Senate's version of the cybersecurity bill want to add provisions that allow not just cyberthreat information, but online personal information to be used in ways that might violate American's rights -- just because it's online.
See also: Ben Franklin would say our online liberty is the same as liberty itself
Some of the senators want to remove provisions that set mandatory standards in the cybersecurity bill which are designed to protect critical infrastructure, because, they claim that "mandates" (to some politicians, anything that's mandatory is a "mandate") are bad.
In fact, former Presidential candidate John McCain said, "Unelected bureaucrats at the DHS [Department of Homeland Security] could ... divert resources from actual cybersecurity to compliance with government mandates."
Here's my problem with this, and let's be clear that whether the speaker were Democrat or Republican, I'd have a problem with it.
If you're going to pass a cybersecurity bill, I would think that protecting our critical infrastructure would be, how can I say this, central to the purpose of the bill. That's what the whole bill is supposed to be about.
And that's why I think it's a shame that our lawmakers are the ones making the laws. Because somewhere between the problem statement (i.e., protect America's critical infrastructure from cyberthreat) and the solution (i.e., stick in everything we need to pass the sucker and take out everything that might require hard work), we LOST THE POINT!
We're probably going to wind up with a law that substantially reduces our privacy, increases costs to most companies, does not protect us from cyberattacks, and doesn't get the job done.
In other words, it's business as usual. You know what that means for us, you and me, and all the other IT people who read ZDNet?
Same ol', same ol'. Use best practices, update your software, install firewalls and intrusion detection and prevention gear, try not to let personal USB devices inside the firewall, and keep doing the job IT managers have had to do for years.
No Washington cybersecurity bill is going to help. Really? Did you ever expect it would?