On October 17th, the New York Times "Room for Debate" section ran a piece by Senator Joe Lieberman with the title "The Threat Is Real and Must Be Stopped" in which Lieberman argued the dire need for passage of his cyber security legislation. In this commentary, Sen. Lieberman makes assertions about the national security issues surrounding the existential threats to the nation stemming from computer hacking and how "easy" it is. While I can agree with some of his commentary – such as the need to ensure the security of the nation's critical infrastructure – I disagree greatly on his assessment of the gravity of the situation. Why? Because I have actually been working in the computer and information security industries since the late 90s and have firsthand experience with the systems and networks that he's going on about. There are far too many unknowns at this time to be making such prognostications as "there will be a cyber 9/11" unless we pass his bill.

Even within the information security community, there is disagreement on the issue of just how hard or easy it would be to pull off a credible, existential threat type of attack on our critical infrastructure. The complexities of the systems involved, as well as their connectivity, have never really been fully investigated. They should be thoroughly assessed before we start to worry about legislation to mandate "check box security" to protect it. To Senator Lieberman: the problems, sir, are far too complex for any bill such as Sarbanes-Oxley or yours to tackle. In fact, past experience has shown that regulations such as SOX and HIPAA are by themselves essentially useless in actually protecting networks, systems, and data. The best of intentions often still yield poor results when one fails to understand the problems and threats at hand.
I would suggest that the Senate, as due diligence, undertake an investigation of every critical infrastructure network before they begin to mandate how they should be secured. Without really understanding the problems, you will be just adding useless oversight to private corporations to whom security spending is already anathema.

But so far, Senator Lieberman, I have only seen gross generalities out of you and your peers in government about how dire things are and how scared we all should be. Especially to those of us in the security community, your hue and cry ultimately lacks any hard evidence that the issue is so real and your warning so prescient that action must be taken post haste. Nor do you seem to understand the technical, legal and political issues at hand well enough to draft legislation that would be helpful to those of us who secure the nation's infrastructure. As best I can tell, you want to have blanket rules mandating that companies protect their assets – but at what cost? Under whose control and oversight? Would you suggest that the federal government take charge of penetration testing and auditing of those companies with critical infrastructure assets? If so, let me direct you to an aphorism you may have heard: "Physician, heal thyself." My peers and I would love to see government entities take their own networks to task before regulating private companies' security standards and oversight. Currently many government networks in the U.S. and abroad are a security shambles and can be attacked very easily, while private companies are often much more difficult to attack. This is because businesses tend to take information security much more seriously than the .gov space does. So sir, please clean your own house before you demand the right to send officials to check on mine.

Senator, in the end I frankly believe your heart is in the right place.
Others may see your machinations as more of an attempt to keep yourself relevant in the Senate and the news cycles. Either way, your actions, such as the opinion piece in the N.Y. Times, only serve to whip up FUD (Fear, Uncertainty, and Doubt) within the general populace by using scary language and innuendo about how the scary hackers out there are going to turn off their lights and water. An example of this is the following quote from your piece:

National security experts from Republican and Democratic administrations -- privy to our best intelligence and analysis -- all agree this threat is real. So, I am mystified by claims that it is not. Free, downloadable hacking tools, like the nefariously named Metasploit and Shodan, are becoming more powerful and easier to use every year. A researcher who used one of those tools found over 10,000 industrial control systems connected directly to the internet. Many of the systems, which run critical networks like hospitals and power plants, had little to no security.

The language here is disingenuous, simplistic, and grossly melodramatic. While you claim that there is credible intelligence to support these threats, you cite none. (The over-classification issue today is in fact quite out of hand, but that is for another article.) The second issue you fail to address is the likelihood of an attack actually happening and being successful. It's another case of "Trust us, we're the government," and for myself and my peers in the security industry, it smacks of knee-jerk reactions at best and power-grabbing at worst. Do you begin to understand the intricacies of the issue here, or are you working with received ideas from government security "experts" who have failed to secure their own assets? Are you now yourself a security expert? If so, then I understand your confusion as to why some of us call your comments into question.
But until you demonstrate any insight whatsoever into this problem, I will continue to call you on your credibility on this matter.

I would also like to take you to task over the comments above about the "nefarious" software you lament, and share some facts about Internet addressable ICS/SCADA systems. While the names of the software may be foreign and scary to you, their "scariness" has nothing to do with their branding. Perhaps it's their function that should scare you, and that is what you need to impart instead of taking artistic license with your diatribe. Both software packages are freely available on the Internet and have been for years now. To date, there has been no massive attack on our infrastructure because of them or any other software, nor have you cited so much as an attempt to do so. So again, your hyperbole is wonderfully scary, but the facts continue to escape you. While you mention that there are 10,000 Internet addressable ICS/SCADA systems online, you fail to mention any information as to how many are in fact vulnerable to attack. Do you even know? This is an important statistic you fail to give the reader, and it seems perhaps you have no clue as to its significance. As an old co-worker at IBM used to say to me, "A fool with a tool is still a fool," and it's quite true. Sir, you are a fool with a tool and you lack the understanding to even use the tool.

In closing, Senator, let me give you some constructive criticism. If you want to help us all and protect our infrastructure, stop being Chicken Little and start being an advocate for the truth of the matters concerning computer security. Stop the jingoism and begin drafting plans to have studies performed on the whole of the infrastructure to understand just how vulnerable it is and what can be done to protect it.
As far as I'm aware, there has never been a proper threat assessment carried out on the entirety of the systems you are worried about. As Marcus Aurelius said, "Of each particular thing, ask what is it in itself? What is its nature?" Let's first define the problem and then seek to fix it. By imposing laws such as SOX willy-nilly, you may intend to protect the systems; instead, you may be placing undue burdens on corporations, as well as ineffectively attempting to secure the nation's infrastructure.

Until such time as you and your ilk really understand the problems and allow for further study, none of us will be any more secure than we are today – even with your new and wonderful legislation in place, in the unlikely event it ever makes it through a vote.