Over the last several months, several cybersecurity bills have been proposed by various Congressional committees. One of the leading bills, the Cyber Intelligence Sharing and Protection Act (CISPA), has been proposed by Congressmen Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.). Many of the major civil liberties groups like EFF and ACLU have legitimately criticized the substance of the bill, which would give companies a free pass to share their customers' private information with the government.
I'm not going to get into the weeds and criticize specific portions of this bill. Instead, I want to make a broader point - Congress knows absolutely nothing about cybersecurity, and quite simply, until it knows more, and starts leading by example, it has no business forcing its wishes on the rest of us.
Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.
So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security. While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.
HTTPS and Congressional websites
HTTPS encryption is the most basic form of security that websites should use - providing not only confidentiality, but also authentication and integrity, so that visitors to a site can be sure they are indeed communicating with the site they believe they are visiting. All big banks and financial organizations use HTTPS by default, Google has used it for Gmail since January 2010, and even the CIA and NSA websites use HTTPS by default (even though there is absolutely nothing classified on either of the two spy agency public sites). Some in Congress have even lectured companies about their lack of default HTTPS encryption - one year ago, Senator Schumer wrote to several major firms including Yahoo and Amazon, telling them that "providers of major websites have a responsibility to protect individuals who use their sites and submit private information. It’s my hope that the major sites will immediately put in place secure HTTPS web addresses.”
It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry. It is therefore alarming that not only do Congressional websites not offer HTTPS by default, but most members' websites don't support HTTPS at all.
For example, the webserver running Congressman Mike Rogers's website seems to support HTTPS, however, attempting to visit https://mikerogers.house.gov/ (or https://www.mikerogers.house.gov/) will result in a certificate error.
This is perhaps a bit better than Congressman Roger's campaign website, which does not appear to be running a HTTPS webserver at all. Attempting to visit https://www.mikerogersforcongress.com/ results in a connection error.
When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.
Congressman Dutch's campaign webserver appears to support HTTPS, but returns a certificate error.
Congressional websites could do HTTPS
While most Congressional websites return HTTPS certificate errors, the problems largely seem to be configuration issues. The webserver that runs all of the house.gov websites is listening on port 443 and it looks like Akamai has issued a wildcart *.house.gov certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or setting up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices have asked for it. After all, if Nancy Pelosi's site can offer a secure experience, other members of Congress should be able to get similar protections too.
During the SOPA debate several months ago, a few members seemed to take pride in acknowledging their total ignorance regarding technology, proclaiming that they were not nerds, didn't understand the Internet, but even so still thought that SOPA was a good bill. Those members were justifiably ridiculed for ignoring technical experts while voting for legislation that would significantly and negatively impact the Internet.
Here, we have members who've not even bothered to ask the Congressional IT staff to make sure that their website support HTTPS, let alone use it by default, who are now telling the rest of the country that we should trust their judgement on the complex topic of cybersecurity.
Until the respective Congressional committees that deal with technology issues actually hire subject matter experts, any legislation they propose will lack legitimacy and, most likely, will probably be ineffective. Likewise, if Congress thinks that cybersecurity is a priority, perhaps it should lead by example.