Congress Jumps Into Cyber Security: Commentary

Anyone who has ever been attacked by a computer virus, or been showered with adware nuisances, had e-mail sent back or deleted by some ham-handed spam filter, or had a Web site hacked and defaced realizes the extent of cyber security problems and the many supposed solutions that have been advanced. Now, Congress is jumping into the fray, and two new Senate bills -- S. 773 and S. 778 -- would establish the position of National Cybersecurity Advisor and would institute some 50 pages of new Internet regulations and oversight in the name of protection of networks and critical infrastructure.

S. 773 the "Cybersecurity Act of 2009," has stirred controversy as it would give the Secretary of Commerce access to federal and private-sector "critical infrastructure information systems and networks" and "... all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access." A number of bloggers are attacking the bills on the assumption that it would strip privacy protections and open the floodgates to a new era of surveillance.

However, the most damning thing about the bill may be that it advances no new solutions. Steven Bellovin, Columbia University professor of computer science said in his blog that "the odds on anyone ... finding a magic solution to the computer security problems are exactly 0. Most of the problems we have are due to buggy code, and there's no single cause or solution to that. In fact, I seriously doubt if there is any true solution; buggy code is the oldest unsolved problem in computer science, and I expect it to remain that way."

While admitting that the bill has some "good parts," Bellovin goes on to say that the bill is poorly thought out, solves non-problems and assumes that "research results can be commanded into being by virtue of an act of Congress."