From former Senator Ted Stevens announcing that “the Internet is a series of tubes,” to the recent revocation of network neutrality to this current idiotic “bipartisan” idea (Senators Cory Gardner (R-CO) and Chris Coons (D-DE) announced the Cyber Deterrence and Response Act (S.3378) on August 23rd.) our elected officials prove over and over why lawyers in general and legislators specifically suck at tech.
It appears that these two gentlemen attended a couple of scary cybersecurity state-of-readiness meetings on Capitol Hill and became agitated enough to “take action.” Of course if you are a legislator, “take action” means “write another stupid law.” The basic premise of this proposed legislation is to compel the President to levy sanctions against overseas cyber-actors who attack US infrastructure or steal digital secrets (there’s an oxymoron!), intellectual property, or other information. Here are my main problems with this bill:
- This bill is totally unnecessary. As far as I can tell, the President is already doing this, specifically against members of the Chinese military cyber-army, and the Iranian Electronic Army, and most recently, against a North Korean programmer. Secretly, who knows who has been sanctioned and how? I can guarantee you, with the billions we are spending to fund the DHS, NSA, and the US Cyber Command, the US is not standing by and just taking it. We are dishing it out too.
- The bill seeks to require sanctions against bad actors. Again, aren’t we doing that? For example, how about Roman Seleznev, son of a member of the Russian Federal Assembly, and the Russian cyber criminal arrested in the Maldives and sentenced to 27 years in prison for running one of the largest stolen credit card rings on the Dark Web. Some of the sanctions recommended in this act include, requiring the President to label any foreign individual or agency that knowingly participates in an attack as a ‘critical cyber threat actor’, and publish their identity in the Federal Register. Ouch – that stings! Not the Federal Register! Or, the President could terminate security assistance, rescind US loans, investments and business purchases, stop the export of technology goods, and even revoke visas. I thought that was already happening. Again, I don’t understand why we need this bill.
- What about US? On the playground, back when bullying was cool, the guy that threw the first punch generally was credited with “starting” the fight. Don’t these two brightly glowing bulbs of legislative brilliance know that the United States is the king, or even the emperor of cyber-espionage and cyber-warfare. Don’t they think that the US has the ability to turn off the lights in any country we want too, including the lights of our allies. Have they forgotten about the Angela Merkel NSA flap of 2013? My point is that the US is probably the most active cyber-actor in the world, especially if you include our henchmen in Israel. Anyone remember Stuxnet, Flame, and Duku? Who started that fight? (It was US.) These were state sponsored cyber-attacks by the US and Israel against the Iranian nuclear infrastructure. When we start putting names in the Federal Register, maybe we should proudly place our own name at the top!
My point is that these sorts of state sponsored cyber-war and cyber-espionage activities are happening all the time and are being undertaken by governments large and small and directed against both ally and enemy. What do the Senators really propose to accomplish here? Create a list of names of the “bad guys.” Wow! Take away the toys we are giving away to nations that spy on us? You mean like Israel and the NATO allies? That’s right, our allies spy on us too. This bill is just adding frosting to a cake made of frosting. I don’t think they have really thought this through, at least not while a cyber-security expert was in the room. This bill is pointless, useless, and deserves to be put to death.
More Information:
- Cyber Deterrence and Response Act (S.3378) – a blessedly short document at this point, go ahead and give it a look.
- Sophos Naked Security
- Russian Bot-Herder and Spammer Pinched By FBI
- Russian POS Hacker Arrested in the Maldives is Son of Russian Parliament Member
- A History of Cyber Warfare – Part 2
.
SEP
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com