apocryph.org Notes to my future self

1 Apr 09

Just what we need: Federal control over private network infosec

Apparently the Senate is considering a bill that would grant a new Cybersecurity czar sweeping new powers over private computer networks, including NIST guidelines and audit protocols for cybersecurity, and a certification regime for security professionals.  This will not end well.

If you don’t believe me, try to get work done in a federal bureaucracy, and see how many times the infosec people thwart your every effort to get things done.  These guys aren’t accountable for your ability to do your job or collaborate or access information.  If there’s a security breach, however, it’s their ass.  So, why would they ever say anything but ‘no’?  In my experience, they seldom do.

To offer but one example, I once worked on a team building a simple web service for use by a government agency with offices all over the world.  The purpose of this web service was to provide remote access to a central database.  The database was NOT classified, and the web service was accessible only on the agency’s own worldwide network, and was in no way available over the public Internet.  However, the security folks would not approve the application.  Instead, they would issue a temporary waiver to allow it to operate while they thought about it a little longer.  For over a year this server was running under a series of temporary waivers.  For all I know, it still is.

Mark my words: if legislation like this gets passed, actual security won’t improve too terribly much, but government meddling in private information security will rise dramatically, and the result will be bullshit, crippling, bureaucratic risk aversion on an epic scale.  Yay.

I also notice this:

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity “czar” with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

Well, now THAT is reassuring.  There’s not enough government control of the Internet as it is; now we need another ‘czar’ with a kill switch, to be flipped whenever there’s a politically convenient infosec scare.  Yay.
