Dangerous Power Grab

Defense secretary Leon Panetta is agitating for national, “comprehensive” cyber security legislation again. (Panetta warns of ‘Shamoon’ virus)

I have spent my life inside the guts of computers.  From large mainframes to embedded processors, for the last 30+ years, I have worked on everything from application programs to operating systems.  Very little has stayed the same over those years, but one thing that never changes is that there are always “security problems”, and people who want to impose some external “controls” on your computers to fix them.  As I outlined here (Cyber War – The Drumbeat Continues), this is neither necessary nor even helpful.  The proposed solutions to this “problem” would actually reduce our security, but would allow politicians to claim credit for saving us from impending disaster.

This article here outlines the latest cry from the US Defense department.

Computer security is important.  It is not that measures should not be urgently taken to secure critical infrastructure.  It is not that the issue should not be taken seriously.  The problem is that the federal government, for all its power and all its good intentions, cannot have a productive role, and honor a Rule of Law.

The fact is that computer security is a cat-and-mouse game, where security rests entirely on the weakest link in the chain.  The responsibility in every organization is to be aware of security and practice good security.  It’s about discipline, best practices and vigilance.  No amount of federal “regulation” or “oversight” will make it any better.  In fact, such federal involvement would be counterproductive.

This is a little like the federal government deciding that someone might rob banks, and therefore should take control of, and regulate bank security.  Why don’t we do that?  It’s because we know that bank security requires the same sort of vigilance and discipline.  It is different at every bank, and the “bad guys” are always trying to keep one step ahead.  Adding a federal overseer would do nothing but make the job harder.

Computer security is a little like that, but with computers the technological security landscape is transformed every 6 months.  Reaction times to threats have to be in minutes (sometimes seconds!), not weeks or even days.  Any federal standards would be obsolete long before they were published.  No federal bureaucracy, no matter how well intentioned, could possibly keep up.

Our constitution is wise.  The federal government has limited, enumerated powers.  There is no mention of computer security.  This is the job of The People.  Let’s keep it that way.

 
