Hello, Congress? CISA has nothing to do with data protection

Congress is making all the wrong moves by holding hearings on the dangers of encryption and trying yet again to push through CISA

Hello, Congress? CISA has nothing to do with data protection
Can Stock Photo

More info sharing, less encryption -- that seems to be the prevailing prescription among politicians for improving cyber security, as recent events underscore yet again that many elected officials understand little or nothing about technology. Their zeal for pushing wrong-headed solutions puts us all at greater risk.

The disconnect between problem and solution is especially obvious in the case of the recent OPM (Office of Personnel Management) hack. After 1.1 million fingerprints and personal data for 21.5 million people were stolen, Congress' response was to try to attach an amendment to a defense bill that would expand the exchange of data between the government and the private sector.  As Senate Majority Leader Mitch McConnell (R-Ky.) intoned, referring to initial revelations about the theft at the OPM, "There are now 4 million extra reasons for Congress to act quickly."

Would you feel safer knowing that the same government that fails to institute even basic security procedures like two-factor authentication and encryption of social security numbers wants to hoover up all your communications and personal data? As security expert Jonathan Zdziarski tweeted at the time, if you have two-step authentication enabled on Twitter, "then your tweets are safer than the government's data on 4 million federal employees and contractors."

Reason prevailed, and last month's maneuver was blocked, but now Senate Majority Whip John Cornyn (R-Texas) is determined to forge ahead before the August break with CISA (Cybersecurity Information Sharing Act). "These cyber security issues are enormously significant," McConnell told "Fox News Sunday" over the weekend.

Got that right -- the problem is CISA, as InfoWorld's David Linthicum has said, "does not do what it claims (protect us from cyber attacks) but instead makes it easier for the government to spy on us electronically."

Security experts sent the Senate Committee on Intelligence a letter that exposes the "info-sharing" bill as both unnecessary and dangerous, and Wired magazine gave the bill "An F for Security But an A+ for Spying."

But it seems Congress is not to be denied. This is the same group whose members "most of whom can't secure their own websites, and some of whom don't even use email," says The Guardian's Trevor Timm. While the executive branch recently promised to move all its websites over to HTTPS within two years, "there's not even a hint that Congress is attempting to do the same," Timm writes.

Perhaps they've been listening to too many rants by FBI Director James Comey, whose fearmongering on the subject of encryption is whipping many in Congress into a frenzy. Never mind that security experts -- people who actually know something about encryption -- have hit back repeatedly. Their arguments are likely to fall on fallow ground, given the lack of technical know-how in Congress.

"I think people would be shocked to know how little people [in Congress] know about these things," a former longtime Senate staffer told Politico, noting that Congressional offices have access to a lot of constituents' personal information. Politico quoted several staffers saying Congress does little to protect itself from cyber attacks, despite being a juicy target for foreign intelligence agencies. "Few could remember any kind of IT security training, and if they did, it wasn't taken seriously."

The Congressman who oversees appropriation for the Department of Homeland Security, Rep. John Carter (R-Texas), speaking last week at a hearing on cyber security, prefaced his screed about the dangers posed by encryption by saying, "I don't know anything about this stuff."  (Don't believe me? Watch the video.) 

This same bunch of people demanded (and got) the head of OPM chief Katherine Archuleta. But perhaps those in glass houses (of Congress) shouldn't throw stones.

Granted, OPM showed a shockingly lax approach to cyber security and had been warned about the risks of its outdated technology as early as 2007. But "some of the security issues at OPM fall on Congress' shoulders," ArsTechnica writes. "Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which ... was essentially a company made up of 'some OPM people who quit the agency and started up USIS on a shoestring.'"

OPM is hardly the only one with security problems. The list of issues seems endless: An audit early last month criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission, and the Department of Homeland Security. The DHS intrusion detection system, called EINSTEIN, failed to detect the OPM breaches until after millions of records had been copied and removed. IRS systems still allow users to set their passwords to "password." And the Navy is spending $30 million to stay on Windows XP

But too many politicians remained faithfully obsessed with ending encryption and expanding surveillance capabilities.

Congress used to have the Office of Technology Assessment, which provided nonpartisan advice on technical matters, but Newt Gingrich killed it when he became Speaker of the House in the mid-1990s. The move was criticized at the time by many, including Republican representative Amo Houghton, who saw the closure as an example of politics overriding science. "We are cutting off one of the most important arms of Congress when we cut off unbiased knowledge about science and technology," Houghton said.

That knowledge is sorely missed. But so is a willingness on the part of Congress to listen to experts in the field.

Oh, and if Congress really wants to address the OPM hack? It might start by passing the Data Security and Breach Notification Act of 2015, which was introduced in January. It's been two months since the breach, and government officials said this week that none of those affected has been officially notified.

Copyright © 2015 IDG Communications, Inc.