Politicians embrace 'cybersecurity' month, but why?

The U.S. House of Representatives on Tuesday took the bold step of enhancing America's cybersecurity by approving a resolution in support of "National Cyber Security Awareness Month."

The resolution, which passed by voice vote, claims the month "will provide an opportunity to educate the people of the United States about computer security: Now, therefore, be it resolved, that the House of Representatives supports the goals and ideals of National Cyber Security Awareness Month."

Politicians immediately sent out press releases touting the importance of the vote. "National Cyber Security Awareness Month is a chance not only to raise awareness about computer vulnerabilities and threats, but also to inform people about programs that exist throughout the U.S. to educate students, parents, business people, local law enforcement and government employees about cyber security and to attract students into careers in information technology," said Rep. Bob Inglis, a South Carolina Republican.

(They neglected, though, to mention that the vote took place precisely six weeks too late: Cyber Security Awareness Month was in October.)

Cyber Security Awareness Month was invented by an industry trade association called the National Cyber Security Alliance. It features "public relations activities, educational programs, events and initiatives throughout October that targets Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online."

The vote announcing official support for Cyber Security Awareness Month, incidentally, was hardly the only high-profile task facing the House Republican leadership during the last days of their tenure. They also convened a vote on a not-very-controversial resolution recognizing "the important contributions" of the "Christmas tree industry to the United States economy."

What might have been a better use of their time? How about these suggestions:

•  Instead of merely awarding Ds and Fs to federal agencies for lackluster cybersecurity performance, put some teeth behind the ratings. Agencies that don't get at least a gentlemen's C would face budget cuts--a bureaucrat's worst nightmare and a strong incentive for better performance.

•  A presidential executive order continues to restrict the unregulated export of encryption products. (Overseas shipments are far easier than they were in the 1990s, but the rules still exist.) Encryption provides necessary security for electronic communications, and nowadays there's no reason for a complex web of export restrictions. Any executive order can be overridden by an act of Congress.

•  The Republican-controlled Federal Communications Commission is forcing broadband providers to build in backdoors for government surveillance. But network backdoors intended to be used by police and intelligence agencies can be exploited by malicious hackers, which is why technologists including Vint Cerf, Steven Bellovin and Matt Blaze have warned of the security risks. Any FCC ruling--including this one--can be reviewed and overturned by Congress.

•  The Bush administration has been lobbying Congress for data retention laws, which would force Internet companies to keep track of what their customers are doing. Some politicians have already embraced the idea. But a warehouse of users' activities would be a tempting target not just for hackers, but also divorce lawyers and employers hoping to prove what someone did or didn't do online.

•  Investigate what took place under the National Security Agency's broad surveillance scheme. While an AT&T whistleblower alleges widescale illegal spying, AT&T and President Bush have acknowledged no wrongdoing. (A lawsuit brought by the Electronic Frontier Foundation is pending, with a hearing set for Friday in San Francisco.) Oversight hearings can answer a key question: Were any laws broken?