Congress Can't Even Get Its Own Cybersecurity Right, So Why Should We Let It Define Everyone Else's?

Congress claims to be really, really serious about passing cybersecurity bills this session -- even though each of the proposals it seems to put forth don't seem to have anything to do with cybersecurity, but plenty to do with increasing surveillance capabilities. We're still waiting for someone (anyone!) to explain what kind of cyberattack the latest bills would have stopped? Looking at the details, as has been the case for years, it really looks like these bills are about increasing the budget for various government agencies while simultaneously increasing surveillance capabilities.

And, as Trevor Timm points out, how could you possibly trust Congress on cybersecurity when those writing the bills don't seem to understand the basics themselves:

Just look at Congress’ own cybersecurity practices. None of the members of the Senate’s Intelligence Committee - the most influential cybersecurity oversight body in Congress - have websites that use HTTPS encryption, which is increasingly becoming the standard for websites who want to provide basic security protections for the people who visit them (Google and others have had it for years).

It’s such a vital tool that the executive branch recently promised to move all its websites over to HTTPS within two years - many of its agencies, though not all, have already made the switch. But there’s not even a hint that Congress is attempting to do the same. (The website of the Senate Intelligence Committee, which is in charge of cybersecurity oversight on the Senate side, also looks like it was designed in 1996.)

Elsewhere in the article, Timm notes that almost no one in Congress uses encrypted emails or encrypted phone systems, and that pretty much all of Congress is easy prey for foreign intelligence agencies looking to snoop on it.

Perhaps Congress should get its own house in order before telling the rest of the country how to improve its cybersecurity?

And the key decision makers appear to be even worse than the rank and file:

Consider the qualifications of the members who are in charge of cybersecurity oversight and who are leading the push for these invasive new laws. The man in charge of the subcommittee on cybersecurity and the NSA in the House, Representative Lynn Westmoreland, has a background in construction and is best known for trying to pass a Ten Commandments law (while only being able to name three of them). His actual expertise in cybersecurity is anyone’s guess, besides having an NSA facility in his district.

It gets worse. The Congressman who oversees the appropriation of billions of dollars in cybersecurity funding for the Department of Homeland Security, Representative John Carter, said this about cybersecurity and encryption recently: “I don’t know anything about this stuff”. Yes, that is an exact quote.

We wrote about that comment by John Carter, in which he followed it up by proving that he was absolutely clueless about encryption. And yet he's looked at to help decide how these things are regulated.

Timm also reminds us how Congress used to have an Office of Technology Assessment, a non-partisan organization that advised Congress on technology issues from 1972 until 1995. That's when Newt Gingrich defunded it. An effort last year by Rush Holt to bring it back was overwhelmingly rejected, suggesting that Congress wants to remain ignorant, even as it has to make laws on this stuff.

At least it appears that more Congressional reps are finally figuring out how to use HTTPS -- with 214 members now at least supporting HTTPS, if only 76 default to it. That's not everything they need to know about cybersecurity, but it at least starts the conversation. Though it seems notable that no Senate site does. It really seems that if Congress wants to write laws about cybersecurity, it should first be required to get its own online security straight first.

Permalink | Comments | Email This Story