Cybersecurity Laws Would Do More Harm Than Good

Trailrunner7 writes with one perspective on the inability of the Congress to pass 'cybersecurity' legislation before recessing. From the article: "They've taken innumerable swings at it, and struck out every time, ... and, for once, we all should be thankful for our lawmakers' inability to act. ... What it's not good at is understanding the Internet or acting swiftly and decisively. The current cybersecurity legislation mess is the perfect combination of those two factors. Corporations and government agencies in the U.S. have been getting their heads handed to them by attackers from around the world for several years now. Long-term, persistent campaigns have been targeting defense contractors, energy and utility companies, manufacturing firms, and government agencies with an alarming rate of success. But Congress, or at least some members of it, don't seem to understand that. Sen. Joseph Lieberman sent a letter Monday to President Obama, comparing the threat to U.S. networks from foreign attackers to the threat from terrorists before 9/11. He then urged the president to use his executive authority to somehow influence the situation. Let's be clear: If the companies that own and operate critical infrastructure — not to mention defense contractors — don't understand the nature of the threat they're facing at this point, no amount of incentives will change that. Neither Congress nor the President can fix this problem with the kinds of solutions they're considering." Reader CurseYouKhan links to a different perspective: "Chabinsky is the latest of several former Federal security types to issue warnings on the topic. Earlier this year, Shawn Henry, who recently retired as the Bureau’s top cyber-sleuth, also called for a more offense-minded approach. Ex-CIA director Michael Hayden thinks the private sector may not wait for the government to act. He expects to see the emergence of a 'digital Blackwater,' or the emergence of firms that could be hired to go all mercenary on online intruders."

What should that look like?

[Opportunist]

Yes, we must do SOMETHING! Dunno what, but SOMETHING! And don't anyone think of the children?

Seriously, though. What kind of "action" does the honorable senator expect from Obama? I dunno, it seems Obama isn't just seen as some kind of magic worker by some voters (akin to "we gotta get economy back on track, Obama, go an fix!"), it seems the honorable senator seems to have fallen for the same spell. Great wizard Obama, swing your magic wand and DO SOMETHING!

There is no legal solution for it, though. First of all, you can't just outlaw hacking. That's already the case, you know? What do you want? More severe punishment? Doesn't faze the guy in Iran, China or $whatever-stan who wants to blow up your power plant. The only thing that might accomplish is to quench "hacktivism" akin to Anonymous with the drawback that everyone who actually knows a thing or two about hacking will keep their mouth shut instead of actually informing the relevant authorities.

Require companies to tighten their security? Then we are where we are already: Where security is a topic for risk management, not for IT. How much does it cost to implement security? How much is the fine? How likely is it going to happen? Now you can either lower the fine to a ridiculous amount where no halfway large company takes it serious or jack it up to a level where doing online business becomes Russian roulette for smaller companies.

Because, and here's the actual problem, there is no such thing as perfect security. If everything else fails, your admin might double cross you.

Still, the ONLY place where you can put the lever is the target of attacks, not the source, since the source, as has been stated above, is often outside of your jurisdiction. But is putting the burden on the victim really the way to go? I kinda doubt it.

Bottom line, as long as people and companies have no interest in security, no law you could draft will change their attitude towards it.