Six Lines

The Cybersecurity Act

Posted by Aaron Massey on 25 Mar 2010.

Brian Krebs, a former reporter for the Washington Post, has a new post on his excellent and relatively new blog detailing some recent news in cybersecurity policy. In it, he discusses the proposed Cybersecurity Act from Senators Jay Rockefeller (D-West Virginia) and Olympia Snowe (R-Maine). Part of the Cybersecurity Act would require the development of a certification or licensing scheme for computer security professionals. From the post:

In a letter sent to the lawmakers this week, the U.S. Association for Computing Machinery and the Computing Research Association said the measure emphasizes training in narrow techniques rather than an education in holistic systems design.

[…snip…]

Gene Spafford, a professor of computer science at Purdue University and one of the signatories to the letter, said the certification requirements as spelled out in the bill would have far-reaching implications for the way colleges and universities teach security across the country.

“Microsoft has invested more than a billion dollars in producing much better security, look at how often they find flaws in their stuff. Google is known for hiring the brightest people and being very concerned about security, and look at what happened in China,” Spafford told Krebs on Security. “So, setting a regime to require that everybody be certified in something we don’t know how to do and is changing almost monthly is a dangerous approach. It’s not only costly, but it’s dangerous in the sense that you will have groups setting certification standards based on what they teach, not on what is likely good practice.”

Spafford said the requirements would undoubtedly be a boon to companies that offer training courses, but that his organization has seen no evidence that a group of people with any particular certification produce better computer code.

Hard to argue with that. Computer security education, training, techniques, metrics, and measurement are still active areas of research. Even if they weren’t, certification would still be a problem: by declaring the current state of the practice “good enough,” it dampens the innovation needed for further improvement.