The Rockefeller-Snowe bill
The Rockefeller-Snowe bill that's being considered by the Senate is supposed to "address our nation’s vulnerability to cyber crime, global cyber espionage, and cyber attacks that could potentially cripple the United States’ critical infrastructure." Some parts of what this bill tries to do make sense, while other parts don't. I'm particularly concerned about how the federal government wants to create national information security standards.
As I've mentioned before, complying with government standards is usually enough to avoid being considered negligent. So if the government creates this proposed national information security standard and businesses comply with it, there's a good chance they wouldn't be considered negligent when a hacker defeats their security, as long as they had implemented the government-approved controls. This could be a problem because "government-approved security" and "good security" don't necessarily mean the same thing.
The government is often fairly slow to react to new developments. Because of this, if it's creating and maintaining a national standard for information security, that standard probably wouldn't address the most recent threats. It's easy to think of scenarios where security researchers discover a new class of attack, but businesses are free to ignore the threat until the government standard is updated to reflect it. And businesses would be relatively free of liability if they did this.
It's also easy to believe that a government standard wouldn't allow the most recent advances in security technology to be used until they're considered "approved" in some way. This already happens now. Some security vendors are caught in a Catch-22 in which the government can't use their technology until it's approved for government use, while being widely used by the government is a requirement for getting that approval. If this type of reasoning is applied to more than the government market, it's easy to see how the Rockefeller-Snowe bill could kill innovation in the information security industry.
Hackers, of course, wouldn't be constrained by the same government regulation that businesses would, so they would continue to create new and innovative types of attacks. In the long run, this would lead to a situation that benefits absolutely nobody. Except, perhaps, the hackers.
That's why I'm concerned about where the Rockefeller-Snowe bill may be taking us. At least one part of it seems to have a good chance of taking us in the wrong direction.