For the past year or so, I've been wondering what Congress is trying to prove with its Cybersecurity Act of 2012. It adds a layer of complexity to an already multifaceted problem and does not address international hacking in any way, which is the major threat.

I finally realized this law is something like Sarbanes-Oxley in that it's a fix for a problem that was never a problem. Sarbanes-Oxley essentially added paperwork overhead to already burdened American companies. It did nothing about the numerous and ridiculous Ponzi schemes that have been uncovered since the housing crisis. Nothing. It did nothing to stop MF Global from stealing $1.5 billion. It merely gives a lot of consultants something to do in their spare time.

Cybersecurity is all about compliance. You create an intricate system based on a huge document and now you need to hire experts who have actually read these laws. Make these experts compliance officers and they now have to work with a compliance agency to comply with whatever is in the law. It stinks.

Here's a summary from CNET:

The Cybersecurity Act of 2012 calls for the Department of Homeland Security (DHS) to assess risks and vulnerabilities of computer systems running at critical infrastructure sites such as power companies and electricity and water utilities and to work with the operators to develop security standards that they would be required to meet.

The DHS would determine which companies fit the definition of critical infrastructure as defined by systems "whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life."

Compliance inspections will be needed. Now, what companies are we talking about? Pretty much any large networked company can fall under the auspices of this law. IBM, Microsoft, Amazon, Intel, Comcast come to mind, plus thousands more. Once these infrastructure companies are named, they have to write report after report on how they intend to fix their problems. How we determine the problems requires compliance reports based on certain standards that need to be developed by some government agency (over coffee, I suspect) with the help of industry.

Whatever the case, it will be a nightmare. Companies will be fined left and right for failure to conform and those fines will begin to add up. All companies that upgrade their systems will fail to maintain compliance.

This fiasco does nothing to protect companies from an Internet-based foreign attack. In fact, it leaves them more vulnerable, because proprietary systems will have to be opened up for inspection and documented in detail so they can be measured against the standards.

There is no doubt in my mind that this is going to further hurt the US economy in much the same way as Sarbanes-Oxley has. There will be zero benefit to anyone except the newly formed compliance-specialist consulting groups. I may form one myself. It seems to be where all the action is headed.