Wednesday, 21 March 2012 11:31

Bad Cybersecurity Laws All Boil Down To Ignorance and Greed

Written by

Reading time is around minutes.

17We have always been a supporter of certain Internet freedoms as well as individual privacy (no surprise there huh). Bills like PIPA and SOPA showed us a glaring issue with the existing level of knowledge currently held by the people that make our laws (and not just in the US). This is not a big shocker to most people either. It is fairly common knowledge that our law makers get into office based on little more than a popularity contest that is held every few years. Once in office they are like the gullible kid in school that gets talked into things, by the “cool kids”, but in this case the cool kids are lobbyists and are not looking for a laugh they are looking to improve their control and profit.

This lack of understanding of the Internet (and other things) has led to our lawmakers hiring consultants to do their thinking. Normally getting a consultant is not a bad idea. I have worked as a consultant to corporations on Information Technology, Networking, Software Upgrades, and even Data Security. The problem with many government consultants is that they have agendas now. We have watched as a series of these consultants (which in some cases are not much more than lobbyists with a different title) have proposed measures to lawmakers that clearly show off their agenda, but more importantly they show off their own ignorance of the technology they are supposed to be experts at.

As we have seen with SOPA, PIPA, ACTA and the Cybersecurity Act of 2012 the people writing the laws cannot even define what the threat is. In SOPA, the threat was to Intellectual Property, but the items constituting the actual “threat” were so vague and undefined that the IP rights holders could accuse almost anyone of violation. The same thing is happening with the new Cybersecurity Act. They want to enact protective measures, but they do not even know what the threat is here is some wording of the actual bill;

The term “cybersecurity threat” means any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.

Furthermore, either through a HUGE lack of any real knowledge of how the internet works or intentionally, the Cybersecurity Act of 2012 ads in something called a Cybersecurity Threat Indicator. These are so undefined that anything from using a Proxy to encrypting your communication with something like SIMP for Messenger (Windows Live) could be a Threat Indicator. To make matters worse under the current wording checking for malformed packets (or evidence of Deep Packet Inspection), running a Trace Route, Pinging a site or even checking the speed of your internet could potentially be considered a threat indicator.

All of these things are very concerning, but there is something even worse to this. We have always maintained that with almost any security law that is implemented there will be a corresponding surveillance law to go with it. The same is true here as the Cybersecurity Act of 2012 and even Secure IT from John McCain grants corporations the right to monitor any and all traffic that passes through their network (many have limited rights to this now, but have to get court permission). The allowance in the law grants them this without being bound by current wiretap restrictions. This opens the door to unrestricted surveillance of your activities on the Internet all in the interest of security.

Now if any of you think that your ISP, government or other “corporate entity”  (say Google or Apple, or Microsoft) would not happily use that surveillance to their advantage you have probably just gotten back from a very long trip to somewhere that there is no News or other means of communication. These types of bills allow for unlimited wiretapping by entities that are not the government, but would be required to turn over any and all information they gather. You can also bet that this surveillance will end up being used to protect intellectual property at some point. We talked about this very thing when SOPA and PIPA were cancelled. Although the outright bills supporting the entertainment industry are no longer present the sneaky ones that allow for back door controls and countermeasures are. In fact some of the same types of penalties are vaguely listed in Secure IT and the Cybersecurity Act of 2012.

So what is the solution? Well to be honest there is not an easy one out there, but there are steps that can be taken to help. One of the first is education; perhaps require than all lawmakers are educated on the technology and understand how the systems work. This would include judges, congress men and women etc. After all, to get a job in an IT department you have to interview, pass verbal and written technical tests and at times even undergo periodic training to make sure you understand the latest threats and technologies. Why not require our elected officials to do the same thing? They should be up on the latest threats, technology and even economic issues before being allowed to write laws that govern them.  I also think that with the pay, power and other benefits of their positions they should be required to show that they are working toward improving the country for the people they are supposed to represent. Attending refresher courses in technology, economics, political science, and other items would be a big help in this.

Until our lawmakers and interpreters are better educated on the way Information Technology, the Internet, Software and many other things work we will continue to see more and more ridiculous and dangerous laws popping up that attempt to restrict and control one thing or another… You know maybe history should be one of the courses as well, after all it seems like they continually forget that banning, controlling or restricting things only creates unrest and spawns crime. It NEVER prevents it.

Discuss this in our Forum

Read 7540 times Last modified on Wednesday, 21 March 2012 19:08

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.