DHS cybersecurity official leaves more questions than answers

During lunch at ISSA-LA's Security Summit IV event here at the Universal City Hilton, we heard a talk from Bruce W. McConnell, senior counselor for cybersecurity at the U.S. Department of Homeland Security. And while I can't speak for the other attendees, I walked away with more questions than answers.

I'm particularly puzzled by what he said -- and didn't say -- about cybersecurity legislation pending in Congress.

He spoke of the Obama Administration working with Congress on cybersecurity legislation. He joked about Congress' perceived inability to push through a federal cybersecurity law to supplant all those state data security laws we've been living with in recent years. He admitted that one of the challenges is for the public and private sectors to clarify the role government must play in this dangerous new world. Then he said things that puzzled me further.

One item was a suggestion that government isn't out to invade citizens' privacy and how, after all, wiretapping is illegal. Then he noted the challenges of the U.S. reaching a better consensus with Europe on how best to proceed.

"Europe is very concerned about data privacy," he said. "Europe wants more power for individuals to control their own privacy."

He said that like it's a bad thing.

Perhaps I'm being too hard on the man. He is, after all, doing his job -- to communicate where the government stands. And, to his credit, he admitted that the right balance between privacy and security is still in flux. "The challenge is threading the needle between privacy and security" is how he put it.

But I have heard many valid concerns about the latest attempt at legislating cybersecurity -- the Cyber Intelligence Sharing and Protection Act (CISPA). A lot of smart people in the security community worry the bill as currently written will allow the government to overreach and dip deep into our privacy in the name of information sharing and attack prevention, as was the case with the PATRIOT Act following 9/11.

McConnell didn't address those concerns. As the Q&A portion of the program commenced, I resolved to ask about CISPA after a few more people got to ask questions. But the clock ran out before I got my chance.

That's OK, though. I doubt he would have answered the question anyway.

That's the problem with government today. There's a growing sense that citizens' questions need not be answered directly; that the average citizen is too far removed to know what they're asking about. There's also the sense that rubbing away our privacy is an acceptable action in the pursuit of security.

In that environment, we have to keep the pointed questions coming and pile on until the government feels too much pressure to avoid the straight answers any longer.

I do have hope. The people did succeed in derailing SOPA-PIPA, after all.

Copyright © 2012 IDG Communications, Inc.
