The original item is HERE.
This week, the House is voting on several cybersecurity bills.
Most important is the controversial CISPA (Cyber Intelligence Sharing and Protection Act). On the surface, it looks pretty good, as it sets down standards for government and industry to share data on cyber threats. But there are issues with privacy data being shared by industry (especially social networks) with the government.
There are a couple intending to encourage research. Not sure how or why this is something Congress needs to do.
Another bill focuses on updating the cybersecurity framework that federal systems use. Without knowing more, its hard to know if this is good or bad.
The thing with many of these bills is who is coming up with them, and are they being put together by qualified people.
I read an article related to this at the Wall Street Journal that kind of illustrates this problem. Article is HERE.
Tied to the matter of CISPA is the question of should company follow minimum standards. For this article, they asked 3 cybersecurity experts:
- A former White House cybersecurity aide.
- A Vice President of something called the Business Roundtable
- A legislative counsel with the ACLU.
Do any of these people have any technical cybersecurity background? Written any technical articles? Have they got a CISSP? Or at least a Security+?
They sound like "policy wonks" (a term I hate), not technology experts, and as far as I'm concerned, this disqualifies them from calling themselves (or being called) "cybersecurity experts". I'd like to see these people deal with a security incident or the aftermath. These sort of people should NOT be advising the government (or any companies) on policy decisions in the area of cybersecurity. They haven't earned the right. Go speak with someone associated with one of the several cybersecurity groups like SANS, ISSA, ISC(2) or the like.
If you agree or disagree, please comment.