A Response to Huffington Post Blogger on Cybersecurity Act of 2012

While many were relieved that the Cybersecurity Act of 2012 was defeated in the senate, one Huffington Post blogger seemed so upset, that he practically insinuated that politicians were not smarter than a fifth grader for not passing an “obvious” bill. We dissect and respond to these comments.

Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes

When the Cybersecurity Act of 2012 first made an appearance in the senate, there were many amendments added to it that would have removed some of the provisions that represent some of the scariest parts of the legislation. One example of these provisions were the possibility to allow information taken from the surveillance activities and send send it to other branches of government for the fighting of possible future crimes not related to cybersecurity.

After making a bizarre turn into the abortion debate the bill ultimately died in the senate after it failed to achieve cloture. While the Obama Administration and several supporters were furious over the development, many civil rights organizations such as the Electronic Frontier Foundation were claiming victory over the development.

That leads us to this strange blog posting published on the Huffington Post where Dave Eitel seemed quite unhappy about the bill dying in the Senate.

After saying that there’s a version of “Are You Smarter Than a Fifth Grader” going on in the senate with this bill, he goes on to say that passing the bill was “obvious” and that apparently it wasn’t so obvious to pass the bill on Capitol Hill.

He went on to make a series of points on why the legislation was “important”. One point was this:

Why is this important? If you like having electricity, safe nuclear power plants, clean water, wastewater treatment, working railways and ‘sound’ financial networks, then protecting them from increasingly sophisticated and dangerous cyber attacks is kind of important.

In other words, if you like electricity and clean water, then this bill is important. The problem here is that this point does nothing to point out why there is such a connection. I would argue that if you want any critical infrastructure to be protected from a cyber attack, there’s a very simple solution – don’t connect critical infrastructure to the Internet.

Another reason this bill was important, according to the author, is this:

Hacking power plants isn’t a theoretical problem. According to public reports, the United States demonstrated the ability to cause physical damage with its Stuxnet worm against Iran. Hacks against SCADA-based systems, which is what power plants or any other industrial facility run on, have been demonstrated at a number of recent hacker cons — including last year’s Black Hat, where Dillon Beresford demonstrated a homemade hack that took advantage of flaws in Siemens software.

I’m a little bit puzzled as to why we are comparing the United States infrastructure to Iranian infrastructure. Moreover, it’s even more puzzling as to why use Stuxnet as an example. It’s a case of, “We attacked this other country and looked what happened, we don’t want that to happen to us!” My question is, why not use an example of a cyberattack in the US instead? Wouldn’t an example at home be better to make the point? The other points Aitel made weren’t all that convincing to me either.

The author went on to say how we live in a new dangerous world and how the Internet is now a dangerous place. He even said that foreign nations could launch a “kinetic” cyberattack while failing to explain what a “kinetic” cyberattack even was.

One thing Aitel did do was address the criticisms of the CSA. This part was actually something I looked forward to. What are the counterarguments for the provisions that fought future crime not related to cybersecurity? What counterarguments are there for the blocking of all proxy services like Tor and VPN? What counterarguments are there for the monitoring of all citizens activity all the while trampling on privacy rights? What counterarguments are there for not simply asking companies to not connect critical infrastructure to the Internet? What’s the counterarguments for restricting Freedom of Information Act requests? Finally, some potential intelligent debate on the matter! OK, with a few practice boxing swings, I pushed on to see how the author addressed the bills criticisms (which he says fall into these two concerns):

1. It Creates an Unfair Cost for Businesses – Business advocates argue that the cost of compliance will be onerous for private businesses. Here’s the problem with this logic: the government isn’t inventing the threat of cyber attack. It’s real, it’s out there and it’s already happening. Private companies will have to adopt these defensive solutions any way to protect their own operations and profits — and, believe me, the downtime, damage and litigation costs resulting from a sophisticated cyber attack far outweigh the expense of securing your networks to begin with. Overlooked in this debate about cost is the fact that the CSA bill offers liability protection which will actually reduce costs.

2. The Private Sector Can Do It On Its Own – It’s a commonly heard argument that private industry knows best and government regulation just gets in the way. On some issues that might make sense, but not when it comes to defending against hostile nation-states. No company is able to shoulder the burden of anticipating a sophisticated global cyberattack from countries ranging from China to Iran. Just ask Google, which suffered under the “Aurora” attacks and pulled out of China as a result. The only alternative to government regulations would be an industry standard — such as PCI compliance, which is the credit card industry’s cybersecurity policy. But industry solutions end up as ‘bare minimums’ instead of aggressive and comprehensive solutions. After all, how well has PCI compliance protected our credit cards?

So… uh… no comment on the actual concerns that were raised? This is, kind of, disappointing. I thought Aitel was going to address the main concerns I’ve seen with respect to the bill, not just pick out two minor arguments against the bill and claim those were the main ones. At this point, I’m wondering which debates Aitel has been hearing about the cybersecurity bill because obviously they aren’t the same debates I’ve been seeing. On a side note, didn’t Google pull out of China because of concerns surrounding government censorship?

So, the main point Aitel has been making was that there’s really big scary things out there and that any bill that says it would stop those threats is good no matter what the bills actually say – it’s just obvious. I’m somewhat impressed with how weak and unconvincing the argument is. There were so many ways Aitel could have made his points even better (such as naming an actual cyberattack on US infrastructure – which there are examples of), but the end result would have been the same on my end. Even if Aitel bothered to find actual examples of cyberattacks being made on America, my argument would have been, “Name three cyberattacks made on critical infrastructure in America that wouldn’t have been thwarted by simply not having that infrastructure connected to the Internet or WiFi.”

I think it’s sad that, in order to engage in a somewhat reasonable debate with a supporter of this bill, I have to first help strengthen the opposing sides arguments before going back to my side and knocking the opposing sides arguments back down. I prefer an actual intellectual challenge. For someone running around making vague references to the TV show “Are You Smarter Than a Fifth Grader” and suggesting that the passage of the bill is “obvious”, I’m not seeing any strong arguments coming from Aitel on this matter. Maybe him or someone else will come up with better arguments, but engaging in a nice intellectual debate? Apparently not happening today.

Drew Wilson on Twitter: @icecube85 and Google+.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: