I'd like to comment on why I think rules like this are even in draft form. Yes, certainly they benefit spying organizations and there's probably some invisible heavy hand there. But the Patriot Act benefits them as well and that's falling apart in front of our eyes. So what's the real problem? I blame Hollywood.
Let's be honest, the infosec field is hard to understand. My mom has no idea what I do for a living and I haven't really tried to explain it to her. But I should. Because every few months, she calls me and asks some inane question about whether I can help her do something that she saw my apparent peers do on CSI or NCIS. And this has been going on since before CSI-Cyber or Scorpion were on TV.
My mom is at least one of the good guys. She's interested in stuff like "helping the police by enhancing that photo from the surveillance system at work" or "hack into Instagram to see who is really bullying your niece." My mom isn't dumb: she's a retired field grade Army Officer and an accomplished mental health nurse. She just doesn't understand what is and isn't possible in the world of cyber (ugh, I threw up in my mouth a little when I wrote 'cyber').
When hackers in Die Hard take down the national power grid using 0days and those in Swordfish can write bank firewall bypassing worms at will (apparently using some graphical coding language, the likes of which nobody has ever seen before) - what are average people to believe is or isn't possible? Even if these are viewed as just minor exaggerations, the implications are still pretty scary. Of course, if you are reading this blog, you probably already know things don't work that way. But wow do we suck at communicating it.
|From Swordfish - what the literal f$#k is this?!|
The average person is ignorant of detailed facts outside of their chosen profession. Politicians and bureaucrats, the ones interpreting and crafting rules around Wassenaar, doubly so. This congressman was worried Guam (yes, the island) might capsize if Marines were moved in a facilities consolidation. In case you are curious, this guy has been re-elected several times since. To my point, Rep Hank Johnson has zero chance of understanding the idiosyncrasies of Wassenaar, so just calling your elected official to complain is probably not an effective strategy (especially if you live in GA's 4th district).
I can't think of another professional field that would not stand up and fight back against Hollywood if their profession was mis-portrayed the way infosec is. Could Hollywood get away with a show that portrayed all cops as dirty? What about a show where all nurses were portrayed as drug addicts? Or a show that documented how all teachers inappropriately touch their students when nobody is watching? Nope, the professional groups wouldn't stand for it.
In infosec films, even the hero regularly breaks the law to get the job done. As a group, we need to do more to correct the common person's impressions of infosec. The "I Am The Cavalry" movement takes a lot of flack from people in the industry who think they aren't doing enough/doing it right/etc. But I will say that at least they are doing something. I don't have all the answers, but I believe the solution is three fold:
- Stop standing by while Hollywood butchers our profession. It's insulting. Instead of laughing
- Take some time to do grassroots education. I recently spoke to my daughter's 2nd grade class on career day. The teacher, who molds young minds, cut me off when describing a penetration test because she thought I was talking about breaking the law. After a quick side discussion, we were back in business, but this is the sort of grassroots education that needs to happen.
- Talk to your elected officials as well or support an industry group that does. They don't understand our issues any better than they understand the intricacies of open heart surgery. Explain it to them. They make the laws we'll all have to live with and garbage in/garbage out as the old saying goes.
I'd love to know what you think about this - how do we educate the public that what we do isn't horribly evil and in need of regulation?