Just remember this, kids: Did any of you imagine TSA would lead to crotches being grabbed in the name of "national security"? There will come a day when all computing purchases will be "routinely" reported to DHS. And every member of IT staff will need a Fed license.
> Did any of you imagine TSA would lead to crotches being grabbed in the name of "national security"?
In general, yes. Not that specifically, but it was pretty clear from the start that it would be invasive and ineffective (because it's always been about theater rather than results).
> There will come a day when all computing purchases will be "routinely" reported to DHS.
That's completely unrelated to the bill at hand here, and the DHS will not be involved. (It will be the IRS, and it won't be at all specific to computing.)
> And every member of IT staff will need a Fed license.
IT is too ill-defined and general for that to happen, but I could see some positions on some specific kinds of projects requiring licensing just like plumbers, electricians, real engineers, lawyers, etc. have.
Instead of resting on "government is bad, m'kay", how about taking a crack at suggesting something to improve the bill? That's something people can actually debate productively.
Bills are not written by people on discussion boards. They are written by lobbyists, and then adopted by legislators who rarely even read the bills on which they vote.
Then perhaps you might like to campaign and vote against legislators you believe are representing your opinion so poorly? With primary elections it's far from impossible to get rid of bad candidates.
Cynicism is a free pass for bad legislators to continue operating badly. Reasoned, constructive, informed opposition is needed to get the desired outcomes.
* List specific industries that they plan to regulate.
* Gather reports on what, specifically, is needed in those industries (before going off to mandate it).
* Those reports, of course, should indicate performance metrics (as well as how to measure them) and dictate what levels of service the companies must provide and must NOT mandate specific means of achieving those mandates.
That's just for starters.
I'm sure I could think up more. The point is to avoid a "we have to do something!" mentality and think things through and figure out what good can and should be done before deciding that we need to hire a bunch of people who will soon work on justifying their existence and expanding their organizational mission.
The government already has some (somewhat toothless) regulation over grid operators (NERC and FERC).
The problem becomes, what if we're taken by surprise by some piece of infrastructure that nobody expected was critical, but that clearly is? How likely is that to happen? It's virtually guaranteed.
> The problem becomes, what if we're taken by surprise by some piece of infrastructure that nobody expected was critical, but that clearly is? How likely is that to happen? It's virtually guaranteed.
Well, such an event will either be an emergency or it will not be an emergency.
If it's an emergency, it's going to be far too late to bolt on some kind of half-ass emergency security and there's really nothing we can do anyhow. The notion that we could have some kind of oversight is, after all, not at all dependent on whether or not there's a list of industries in the bill. The same thing can (and will) happen if the agency makes up its own list with no public discussion at all. On that note, I'd like to quote something aristus wrote just over a week ago that's apropos: "Policies implemented under the gun have two unfortunate properties: they are wasteful and hard to change after the fact."
And there's nothing stopping them from consulting with that industry on proper security measures. If they're under attack by terrorists and they need help, well, who is going to refuse expert help? (This assumes the government hires real experts and not some congressman's golfing buddy... being able to refuse that "help" is a design feature.)
That leaves us considering the non-emergency case. If that happens, they can go back and amend the law after giving the problem consideration. The advantage this has over the new agency updating its internal list is that it has to go through public discussion. They can't just pass the buck off to an unelected agency with no accountability.
If the question is how can we prevent the attacks we will fail to prevent, we won't. After all, we will fail to prevent them.
The problem becomes what we can do to ensure every piece of infrastructure can be put back on-line in a reasonable time. There are a lot of people dedicated to that task, even if, when asked whether their little feud is a piece of critical infrastructure, they may scratch their heads and say "what?".
There absolutely is a problem: nothing the FedGov can do proactively can secure the power grid. I speak from direct personal experience when I say that specific target is a problem.
I think the bill should specifically define the levels of security needed for various types of infrastructure, and avoid allowing a government department to be able to change it.
All this comment says is "Phillip Rhodes doesn't think we should regulate cybersecurity for private networks". That's kind of not super interesting. Try giving your opinion some teeth.