There’s a new bill working its way through Congress that is cause for some alarm: the Cybersecurity Act of 2009, introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). The bill as it exists now risks giving the federal government unprecedented power over the Internet without necessarily improving security in the ways that matter most. It should be opposed or radically amended.
Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government. This is a potentially dangerous approach that favors the dramatic over the sober response.
One proposed provision, which gives the President unfettered authority to shut down Internet traffic in an emergency and disconnect critical infrastructure systems on national security grounds, goes too far. Certainly there are times when a network owner must block harmful traffic, but the bill gives no guidance on when or how the President could responsibly pull the kill switch on privately-owned and operated networks.
Furthermore, the bill contains a particularly dangerous provision that could cripple privacy and security in one fell swoop:
The Secretary of Commerce— shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access…
In other words, the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review. The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act, or financial privacy regulations. Even worse, it isn’t clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well. If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US/CERT mailing list, that could be useful, but that’s not what the bill’s current language does.
A privacy threat still in the cocoon is the provision mandating a study of the feasibility of an identity management and authentication program with just a nod to “appropriate civil liberties and privacy protections.” There’s reason to fear that this type of study is just a precursor to proposals to limit online anonymity. But anonymity isn’t inherently a security problem. What’s “secure” depends on the goals of the system. Do you need authentication, accountability, confidentiality, data integrity? Each goal suggests a different security architecture, some totally compatible with anonymity, privacy and civil liberties. In other words, no one “identity management and authentication program” is appropriate for all internet uses.
McAuleys’ World: This proposed legislation is startling in its attempt to curtail freedom of speech over the Internet under the guise of “protecting” vital Government Networks.
As the article hints, the real need is for the Government to develop meaningful ways to “block” incoming threats to “vital Government Networks” – providing a means to defend the networks against attacks.
That is not what this legislation seeks – the legislation seeks the power to reach out and “switch off” private networks and communication – an act completely unrelated to the desired aims of the stated reasons for the legislation. Your security software, like my security software, identifies and blocks harmful communications; it does not reach out and “shut down” the entire network where the offensive communication came from, disrupting communication between guilty and innocent parties alike.
It is simply unnecessary for the Government to reach out, in any type of hypothetical situation, and shut down a network like WordPress, under any circumstance. Should the Government detect an organized attack against Government systems originating from a network, say, like WordPress, it would be sufficient to block the WordPress servers’ access to any critical Government Network; there would be no need, however, to unplug millions of WordPress users from the Net and deny the WordPress community access to the Net and constitutionally protected communication with other members of the WordPress or wider Net Community.
Contact Congress today and tell them enough of the Big Government nonsense.
The White House Spin Doctors are already claiming this legislation won’t do what it is intended to do – I’ll bet that, within weeks, they will claim they haven’t read the legislation.
Read the legislation for yourself here: http://www.govtrack.us/congress/billtext.xpd?bill=s111-773
Relevant portions of the legislation include Section 16, which states:
(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the President, or the President’s designee, through an appropriate entity, shall complete a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States, including– (1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa); (2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note); (3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq.; 40 U.S.C. 759); (4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.); (5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.); (6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.); (7) any other Federal law bearing upon cyber-related activities; and (8) any applicable Executive Order or agency rule, regulation, guideline.
SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT. Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.
and these provisions of Section 18:
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network; (Without a definition of what might constitute an emergency).
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security; (Without a definition of what constitutes a “critical infrastructure system”).
(8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture; (Exactly what “Official” does this refer to? Will the official be approved by Congress or will they be another “Czar” appointed at the pleasure of the President? Remember, if this Legislation passes as is, every subsequent Administration will inherit these powers. Read in conjunction with Section 3, it appears that Congress will have no meaningful voice in approving the members of the Panel, as appointment is at the sole discretion of the President. If you think not, read this: Melissa Hathaway, Obama’s first choice for Cyber Czar, turned down the post. http://en.wikipedia.org/wiki/Melissa_Hathaway ).
(11) shall notify the Congress within 48 hours after providing a cyber-related certification of legality to a United States person. (What exactly does this mean and why is it buried in “Cyber Security” legislation?).
SEC. 23. DEFINITIONS.
(1) ADVISORY PANEL- The term ‘Advisory Panel’ means the Cybersecurity Advisory Panel established or designated under section 3.
(2) CYBER- The term ‘cyber’ means–
(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS- The term ‘Federal Government and United States critical infrastructure information systems and networks’ includes– (A) Federal Government information systems and networks; and
(4) INTERNET- The term ‘Internet’ has the meaning given that term by section 4(4) of the High-Performance Computing Act of 1991 (15 U.S.C. 5503(4)). (If you can read this, the computer you are using is included).
(5) NETWORK- The term ‘network’ has the meaning given that term by section 4(5) of such Act (15 U.S.C. 5503(5)).
EWEEK.COM describes the legislation this way: Cybersecurity Act of 2009 introduced in the Senate would allow the president to shut down private Internet networks. The legislation also calls for the government to have the authority to demand security data from private networks without regard to any provision of law, regulation, rule or policy restricting such access.
The headlines were all about creating a national cyber-security czar reporting directly to the president, but the Cybersecurity Act of 2009 introduced April 1 in the U.S. Senate would also give the president unprecedented authority over private-sector Internet services, applications and software.
According to the bill’s language, the president would have broad authority to designate various private networks as a “critical infrastructure system or network” and, with no other review, “may declare a cyber-security emergency and order the limitation or shutdown of Internet traffic to and from” the designated private-sector system or network.
The 51-page bill does not define what private sector networks would be considered critical to the nation’s security, but the Center for Democracy and Technology fears it could include communications networks in addition to the more traditional security concerns over the financial and transportation networks and the electrical grid.
“I’d be very surprised if it doesn’t include communications systems, which are certainly critical infrastructure,” CDT General Counsel Greg Nojeim told eWEEK. “The president would decide not only what is critical infrastructure but also what is an emergency.” http://www.eweek.com/c/a/Security/Bill-Grants-President-Unprecedented-Cyber-Security-Powers-504520/
See the following Blogs on this topic:
A Cynic’s Take On Cyber Czars and 60 Day Reports, http://www.cerias.purdue.edu/site/blog/post/on_cyber_czars_and_60-day_reports/ ; after this article was published, the actual legislation was drafted that dramatically impacts “private communications”.
Cyber, Cyber, Cyber, Cyber, Oh stop already: http://blog.uncommonsensesecurity.com/2009/05/cyber-cyber-cyber-cyber-oh-stop-already.html and The Cyber Stupidity Act of 2009, http://www.sovasec.com/2009/05/14/s773-the-cyber-security-act-of-2009-part-1-2/ , which point out how the Legislation’s intended results will not be met, but how a new and expensive Government Bureaucracy will be formed, a Bureaucracy that will have the power to pull the plug on private internet communication in this Country.
“And remember, when people talk about spending “government money” on a problem, they are really talking about “tax money”; you know, money that was formerly yours.”
“The RawStory” described the legislation this way: “A recently proposed but little-noticed Senate bill would allow the federal government to shut down the Internet in times of declared emergency, and enables unprecedented federal oversight of private network administration. The bill’s draft states that ‘the president may order a cybersecurity emergency and order the limitation or shutdown of Internet traffic’ and would give the government ongoing access to ‘all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access.’”
Contact Congress Here: http://www.usa.gov/Contact/Elected.shtml