The feds suck at everything: cybersecurity edition

I’ve got two new posts at Medium today detailing just how badly the G-men fail at information security. They both analyze the President’s recent “cybersecurity modernization proposal,” which he revealed last week and is expected to expand upon during tonight’s State of the Union address. (More like State of the Disunion address, amirite guys?)

The proposal is as bad as you’ve no doubt come to expect.

One large part of the initiative would enact the spirit of the wildly-unpopular CISPA legislation through a watered-down executive proposal. Our worldly planners in Washington propose to strengthen the nation’s cybersecurity by coercing private organizations to fork over even more private data about our online activities to the Department of Homeland Security (DHS).

There’s just one big problem, apart from the normal civil liberties concerns–the federal government’s IT systems have suffered from a staggering increase in data breaches and cybersecurity failures despite years of internal information-sharing and billions in cybersecurity investments.

Here’s a chart, based on new research by me and Eli Dourado at the Mercatus Center.

From the article:

While cybersecurity vulnerabilities and data breaches remain a considerable problem in the private sector as well as the public sector, policies that failed to protect the federal government’s own information security are unlikely to magically work when applied to private industry. The federal government’s own poor track record of increasing data breaches and exposures of personally identifiable information render its systems a dubious safehouse for the huge amounts of sensitive data affected by the proposed legislation.

The second piece looks at the portion of the proposal that would criminalize a broad expanse of innocuous online activities under the guise of “fighting cybercrime.”

President Obama proposes to expand federal law enforcement authority to reclassify cybercrime under federal “racketeering” laws, which drastically reduce the burden of proof needed to charge an individual with a crime, while expanding the already-controversial and aggressively-applied Computer Fraud and Abuse Act (CFAA) to include the mere sharing of unauthorized information–like emailing a password or retweeting a link.

I write:

If the new White House proposal is applied as haphazardly and aggressively as the CFAA has been in the past, there is a real fear that whitehat hackers’ normal activities—like emailing each other information about password leaks and security vulnerabilities—could be trumped up into criminal convictions for no reason but the zeal of a new foolhardy War on Whatever.

The gradual development of this Cyber Police State would have chilling effects on online collaboration and innovation—and the rest of us would get left in the digital dust.

And that’s bad, mm’kay.

Check them both out.