More bad ideas in cybersecurity

Former FBI agent turned civil liberties defender Michael German asks the question:

Why Doesn’t the Intelligence Community Care Whether Its Surveillance Programs Work?

Terrific analysis of the piece can be found in Why Don’t Surveillance State Defenders Seem To Care That The Programs They Love Don’t Work? by Mike Masnick over on techdirt.

From the Michael German’s lead:

The House and Senate Intelligence Committee just passed a cybersecurity bill that critics argue isn’t likely to improve cybersecurity. In fact, because it undermines the privacy of electronic communications by encouraging companies to broadly share private data with the government and each other, it may actually damage cybersecurity.

For anyone who follows intelligence policy, this shouldn’t be a surprise. The intelligence community all too often launches grand new programs without conducting the appropriate research and evaluations to determine whether they will work, or simply create new harms.

This is a detailed article that provides a lot of food for thought, and well worth the read for anyone who has even a passing concern about the potential for harm not only to personal privacy, but also personal and global commerce and finance that these programs raise.

Mike Masnick’s analysis is particularly interesting. After going through some previously articulated theories for a lack of cost-benefit analysis on the part of the national security establishment, he raises one of his own that lines up with something I’ve been saying for a long time:

[M]ost of the people in the surveillance state know pretty damn well that these programs are useless. But they don’t want to be the one left holding the bag when the music stops on the next big attack, and the press and politicians are pointing to them and asking why they didn’t do “X” to prevent whatever horrible thing just happened.
* * *
In other words, many of those involved are doing a cost-benefit analysis, not for the safety of the country or national security but for their own reputations. And that’s how bad policy gets made.

In response, an Anonymous Coward in the comments made what I thought was an excellent point:

Challenge the “Why didn’t you X?” defense by changing its terms “This attack happened because you were not ready. You were not ready because you squandered resources on programs you knew didn’t work. Why didn’t you focus the agency on programs that serve its chartered purposes, rather than squandering all these resources on programs that you knew didn’t work?”

Unfortunately, every time that strategy is suggested (and it has, repeatedly, over at least the last decade-and-a-half), no one in a position of responsibility has had the courage to follow it.

This entry was posted in Editorial, Security on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).