By Declan McCullagh
November 14, 2006
The U.S. House of Representatives on Tuesday took the bold step of
enhancing America's cybersecurity by approving a resolution in support
of "National Cyber Security Awareness Month."
The resolution , which passed by voice vote, claims the month "will
provide an opportunity to educate the people of the United States about
computer security: Now, therefore, be it resolved, that the House of
Representatives supports the goals and ideals of National Cyber Security
Politicians immediately sent out press releases touting the importance
of the vote. "National Cyber Security Awareness Month is a chance not
only to raise awareness about computer vulnerabilities and threats, but
also to inform people about programs that exist throughout the U.S. to
educate students, parents, business people, local law enforcement and
government employees about cyber security and to attract students into
careers in information technology," said Rep. Bob Inglis, a South
(They neglected, though, to mention that the vote took place precisely
six weeks too late: Cyber Security Awareness Month was in October.)
Cyber Security Awareness Month was invented by an industry trade
association called the National Cyber Security Alliance. It features
"public relations activities, educational programs, events and
initiatives throughout October that targets Home Users, Small
Businesses, Education audiences (K-12 and higher education), and Child
The vote announcing official support for Cyber Security Awareness Month,
incidentally, was hardly the only high-profile task facing the House
Republican leadership during the last days of their tenure. They also
convened a vote on a not-very-controversial resolution recognizing "the
important contributions" of the "Christmas tree industry to the United
What might have been a better use of their time? How about these
* Instead of merely awarding Ds and Fs to federal agencies for
lackluster cybersecurity performance, put some teeth behind the
ratings. Agencies that don't get at least a gentlemen's C would face
budget cuts--a bureaucrat's worst nightmare and a strong incentive for
* A presidential executive order continues to restrict the unregulated
export of encryption products. (Overseas shipments are far easier than
they were in the 1990s, but the rules still exist.) Encryption
provides necessary security for electronic communications, and
nowadays there's no reason for a complex web of export restrictions.
Any executive order can be overridden by an act of Congress.
* The Republican-controlled Federal Communications Commission is forcing
broadband providers to build in backdoors for government surveillance.
But network backdoors intended to be used by police and intelligence
agencies can be exploited by malicious hackers, which is why
technologists including Vint Cerf, Steven Bellovin and Matt Blaze have
warned of the security risks. Any FCC ruling--including this one--can
be reviewed and overturned by Congress.
* The Bush administration has been lobbying Congress for data retention
laws, which would force Internet companies to keep track of what their
customers are doing. Some politicians have already embraced the idea.
But a warehouse of users' activities would be a tempting target not
just for hackers, but also divorce lawyers and employers hoping to
prove what someone did or didn't do online.
* Investigate what took place under the National Security Agency's broad
surveillance scheme. While an AT&T whistleblower alleges widescale
illegal spying, AT&T and President Bush have acknowledged no
wrongdoing. (A lawsuit brought by the Electronic Frontier Foundation
is pending, with a hearing set for Friday in San Francisco.) Oversight
hearings can answer a key question: Were any laws broken?
Subscribe to InfoSec News