Tuesday, March 1, 2016

Getting involved in cyber security policy

In SANS NewsBites yesterday, I suggested that readers get involved in cyber security policy, especially as it applies to the Wassenaar agreement.  I've written on this specific topic previously.  However, one reader sent a question asking how to get involved at a more general level.  I figure that if one person took the time to actually send an email, then there are probably many more out there with the same questions who just don't take the time to ask.  So here goes...

For Wassenaar-specific issues, here are some suggestions:
  1. Take the time to talk to friends, family, and community leaders in your sphere of influence about the proposed agreement.  Many times all they hear is a sound bite.  Something like "new regulations seek to limit the damage done by hackers!"  To most, this seems reasonable.  But it's not the whole truth.  Educate those in your circle and turn them into ambassadors.
  2. Take a few minutes to call your elected representatives.  Don't email.  Talk to a staffer and ask for the representative's position on Wassenaar.  This is not a common talking point, so they are unlikely to have a position at all.  This is your opportunity to educate.  Believe it or not, most representatives I spoke with at both the state and national level had no idea what the Wassenaar agreement was.  The one that did had no idea that it had anything to do with cyber.  While I know state legislators don't directly influence national policy, they often have more influence than you might think.
  3. During the initial round of talks, the government (specifically BIS) requested comments on the draft rules.  Boy, did they get comments.  Lots of them.  Many well-formed arguments from hundreds (or thousands) of professionals and many industry groups.  Keep your ear to the ground for opportunities like this to get involved.  If you think you have nothing to contribute, you are mistaken.  Even if you make the same argument someone else did (and even if you do so less eloquently), your voice still strengthens our collective position.

In general, I recommend that every infosec professional be associated with (or follow news from) at least one industry group, club, etc. that lets them know when important issues like these are taking shape.  Obviously, keeping up with SANS NewsBites is a step in the right direction there.  Another such group I strongly recommend is the I Am The Cavalry movement.

Ultimately, it's our job to keep our leaders informed.  Scratch that, it's our duty.  Legislators don't pretend to understand medicine on their own; they seek advice from doctors and other medical professionals.  Cyber security is moving at such a rapid pace that many lawmakers mistakenly believe they know what is best without consulting experts in the field.  Perhaps this is because the technology somehow feels more accessible than medicine.  Whatever the case, if we don't help lawmakers craft good legislation, we have nobody but ourselves to blame when they do it poorly.
