Cool as McCumber

It's another sultry summer of discontent. Earlier this year, the governor of North Carolina sent state tax auditors flying off to Seattle to pressure into giving up the names, addresses and purchases made by North Carolina state residents. It appears the governor feels the key to getting the state back in fiscal black requires clamping down on those scofflaws who order books and kitchen utensils through a Website. The taxing authorities have also put a handy reference on the state tax forms suggesting what you might owe on these "use" taxes based solely on your family income. How convenient. How do they expect me to prove that I didn't buy that much stuff online? Will there be a new tax form to list purchases I didn't make?

On the other side of the country, just last week, a crack health inspector in Multnomah County (Oregon) shut down Julie Murphy's business for not paying a $120 county fee for a temporary restaurant license. He said his actions were necessary to protect the public's health. Julie Murphy is seven years old, and was selling lemonade for fifty cents a glass at a neighborhood event.

Every time there's a call to protect you and me, underneath is an associated tax and a bureaucracy to collect and spend it. I have a daughter who works as a hair stylist. She had to take a state test and demonstrate competence to a state inspector for a license to cut and style hair - for a nice stiff fee. Of course, I'm grateful the state is protecting me from unlicensed barbers and stylists, but what can I do when I get a bad haircut? Can I demand the state inspector step down if I can prove he licensed some untalented hack?

In this type of government system, there's never a good feedback loop. Screw ups, incompetence and fraud are rampant when there's no punishment or incentive to change the bad behavior. In the private sector, these bad behaviors ultimately impact the bottom line; hence, they tend to be curtailed pretty quickly once they are uncovered. Without a profit motive and the resulting constraints, government entities can enjoy nearly unlimited powers in even the most minor affairs of individuals. The penchant for the government to find a safety or security reason to assess new taxes and vow to control the uncontrollable is always a reason to be suspicious.

The trend has now found its way to cyber security. The Feds have already floated a trial balloon about their need to "control" the Internet in the event of a national emergency. They haven't defined what type of emergency would require federal control of an entire information medium, but they have concluded that government control is the answer. They just don't know what question to ask. What they do know is that the ever-expanding Department of Homeland Security would be able to handle the emergency, once they figure out what such an emergency might look like.

The absurdity of these claims is apparently lost on most Americans. I would expect any self-serving bureaucrat or politician who proposed such nonsense to be laughed out of town. Sadly, for those of us in Washington D.C., they are still in town - and proposing even more government schemes to protect all of us.

Just last week, I saw a news item in the DC technology media that another member of the entrenched bureaucracy is saying the Feds need to "set standards" for cyber security professionals. If you are not accustomed to DC double talk, let me explain that one to you. By setting "standards," the DC elite want to control who gets to compete for big federal contracts based on some check-box "standard" they claim will ensure only the right people get these contracts - meaning the normal Beltway Bandits. It raises the barrier to entry for smaller companies and start-ups, and guarantees contracts to the regular stable of big-name contractors who routinely hire these bureaucrats once they retire on their government pension.

There have been many significant government data breaches in the last two years, yet they want to tell the rest of us how we should be doing it better. I can picture this scenario just a little over a hundred years ago:

"Welcome to the Army's Aeronautical Division. My assistant said you wanted to discuss some ideas and models you have that may be of interest to the U.S. military. Please be aware we are a two-man office, since we only manage about a dozen hot air balloons around the country."

"We understand, but we think you want to see what we have accomplished."

"What are your qualifications - do you meet our standards for aeronauts?"

"We own a bicycle shop."

"I'm sorry. I need to ask you to leave. We only spend time on serious aeronautical projects, and don't have time to waste with a couple of Midwestern bicycle repairmen. What did you say your names were, again?"

"Orville and Wilbur, Major. Orville and Wilbur Wright."

John McCumber is a security and risk professional, and is the author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, please e-mail John at: