Are we legislating blaming the victim?

Ladies and gentlemen, I present to you HR5983, the Homeland Security Network Defense and Accountability Act of 2008. From the bill, describing a proposed requirement for the DHS IG in its report to Congress:

"describing the effectiveness of the testing protocols developed under subsection (c) in reducing successful exploitations of the Department’s information infrastructure."

I really fear this is another case of blaming the victim. Can more be done to raise the bar for attackers? Of course. I'll be the first to throw stones at DHS for having very, very shoddy security and doing zilch to help out the rest of us. But it occurs to me that asking DHS officials to prevent compromises is in some ways akin to giving women a bottle of mace and asking them to stop getting assaulted. The anecdote is harsh, but it drives home my point. We'd never do the latter, so why is the former an approach for which we expect results?

The real problem is the high ROI for attackers and insurmountable odds facing computer network defenders. There isn't, nor has there been, any real political consequence attached to getting "caught." Until decision makers in the executive branch show a willingness to address this gap, we will only see limited improvements no matter how strongly worded a bill is. And, to that end, it is our job as experts in the field to communicate this problem to the public, with the hope that it will flow up in the democratic way the US's founding fathers intended.

