Congress Talks About ‘Cybersecurity’ More Than Ever, But Still Doesn’t Get It

Despite the unprecedented attention given to cybersecurity, Congress still doesn't get it.

|
Nov 9 2015, 5:30pm

Image: Mark Fischer/Flickr

Information security, more commonly referred to as cybersecurity, is more mainstream than ever. Headline-grabbing hacks like Sony Pictures, Ashley Madison, Hacking Team, and the so-called Fappening (the leak of naked pictures of celebrities caused by a flaw in iCloud), have everyone worried about hacking—including the US Congress.

In October, the world "cyber," particularly associated with security, appeared in the Congressional record 715 times, according to data collected by the Sunlight Foundation. That's an all-time high, and shatters the previous record of 396 mentions of "cyber" in August 2012.

But despite all this attention and all these words, the truth is that Congress doesn't get cybersecurity at all. The recent uptick in mentions is partly because Congress was working on passing the infamous Cybersecurity Information Sharing Act, or CISA, and this bill is the perfect example of why Washington still doesn't understand what it really takes to make networks and systems more secure.

Many experts, digital rights advocates, and few members of Congress see CISA as more of a flawed privacy-killer than a real solution to cybersecurity issues. And you don't need to trust them. Just look at the last several high-profile hacks for proof.

CISA is all about promoting and making sharing information about cyberattacks easier, it's not securing networks. But, according to experts, none of the recent major government hacks would have been prevented by sharing information. America doesn't need a "cyber sharing" bill, it needs a "cyber patching" bill.

America doesn't need a "cyber sharing" bill, it needs a "cyber patching" bill.

When hackers breached the US Office of Personnel Management, stealing the highly sensitive records of more than 30 million government workers (including those with security clearances and undercover jobs overseas), they took advantage of OPM's ridiculously crappy and outdated systems.

In other words, you can share as much information as you want on hackers and cyberattacks, but if your systems and networks are out of date, they are vulnerable. As long as the US government doesn't take care of its own cyberinfrastructure, hackers gonna hack.

The problem is that Congress doesn't understand how to improve cybersecurity because its members have no idea what information security is really about. And that shouldn't come as a surprise when they have insecure websites themselves, and rarely use computers and emails.

Even staffers have poor knowledge of the topic (only one senate staffer uses email encryption PGP) and make basic security mistakes such as sharing passwords via email, and have little security training, as a POLITICO investigation revealed.

Despite the fact that they're talking about cybersecurity more than ever, Congress still doesn't really know what cybersecurity is.