OpenCongress Blog

The Cybersecurity Act

April 28, 2009 - by Donny Shaw

“America’s vulnerability to massive cyber crime, global cyber espionage, and cyber attacks has emerged as one of the most urgent national security problems facing our country today,” says Sen. Olympia Snowe [R, ME]. “If we fail to take swift action, we, regrettably, risk a cyber-Katrina.”

To deal with the issue, she has teamed up with Sen. Jay Rockefeller [D, WV] and introduced into Congress the Cybersecurity Act of 2009. Since its introduction on April 1st, it has moved up the OpenCongress most-viewed bills list into the top five, and here’s why: it would give the President unilateral authority to shut down the internet.

No joke. I know this sounds a little paranoid, so here are a couple of key excerpts directly from the bill’s text:

SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.

The President -

[…]

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

[…]

(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.

[…]

(b) FUNCTIONS- The Secretary of Commerce –

(1) shall have access to all relevant data concerning [Federal Government and private sector owned critical infrastructure information systems and] networks without regard to any provision of law, regulation, rule, or policy restricting such access;

As Jennifer Granick of the Electronic Frontier Foundation points out, the language in the second excerpt would give the Commerce Department “absolute, non-emergency access to ‘all relevant data’ without any privacy safeguards like standards or judicial review.”

Of course, the scope of these new powers ultimately comes down to how the phrase “Federal Government and private sector owned critical infrastructure information systems,” which is mentioned repeatedly in the bill, is defined. Taking a look at the bill’s “Definitions” section, we learn that it is left wide open to be defined however the President chooses to define it:

(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS- The term ‘Federal Government and United States critical infrastructure information systems and networks’ includes -

(A) Federal Government information systems and networks; and

(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

Some obvious information systems that would be considered critical are banks, credit card companies, utilities, airlines, trains, hospitals, etc. But, as Center for Democracy and Technology general counsel Greg Nojeim says, it’s possible that less obvious systems, like email, might also be included. “I’d be very surprised if it doesn’t include communications systems, which are certainly critical infrastructure,” Nojeim told eWeek.

That said – and this is also something Nojeim mentions – the bill has several less controversial parts. For example, its companion measure, S. 778, would establish an executive Office of National Cybersecurity Advisor, or “cyberczar,” and take the job of securing cyberspace away from the Department of Homeland Security and put it under the purview of the White House. This was the subject of a Senate Homeland Security Committee hearing that took place yesterday. It also contains scholarships for students to study cybersecurity issues, a cybersecurity awareness campaign, a mandate for the creation of cybersecurity metrics, and much more.

I think many tech-savvy types would agree that cybersecurity is crucial, that the government needs to improve in this area, and that private sector systems must be involved and protected. But the proper solution would probably be focused more on finding specific critical lapses and developing solutions, and less on broad powers for the federal government to shut things down.

 

More on Cybersecurity

May 5, 2009 - by Donny Shaw

There’s been more talk than usual in Congress recently about the issue of cyber security. I think we’re all convinced that it’s a serious issue and that there needs to be some kind of unified effort to address it. But it’s been difficult for any of us outside the realms of information security and technology to know what to do — or even to begin talking and thinking about what to do.

Most people seem to agree that the bill introduced into Congress, the Cybersecurity Act of 2009, does not take the right approach. It seems to threaten privacy and to call for system-wide standards in a way that would make the hacking game even easier for those with malicious intent.

Marc Ambinder has a piece on the issue today stemming from an email discussion with Rod Beckstrom, a former chief U.S. cyber security official who resigned recently because he felt the National Security Agency was trying to take over his operation and that their attitude towards the issue was counterproductive. It’s helpful, I think, for starting to find ways to think and talk about this.

“‘Who’s in charge’ has been a topic of political debate in DC since Dick Clarke first raised the cybersecurity issue in the late 1990’s,” he said via e-mail. “No matter how and where the boxes are drawn, let’s get to work on re-architecting and evolving the Internet for the benefit of all.”

Though Beckstrom didn’t quite say this, I think he is worried that if the NSA – by mission a parochial, defensive intelligence organization – comes to dominate the thinking on cyber security, it will fail to cooperate meaningfully with international institutions.

“International collaboration is the key to developing, standardizing and implementing these critical new upgrades. America cannot do it alone. No amount of re-organizing the boxes in Washington is going to solve the cybersecurity problem. We need to make the internet itself more secure, and we need to invest in program areas that work.”

And Beckstrom wants these upgrades to be largely open source, available to the public community of programmers and thinkers. It’s safe to say that any cyber security program defined as a counter-intelligence / counter-terrorism / counter-espionage effort would be wrapped up in all sorts of classified ropes.

How does cyber security intersect with politics? The money spent on lobbying, for one thing. But publicly, it hasn’t really, yet, outside of the trade journals and some blogs. It’s important for people who care about the future of the Internet to brief themselves about the scope of these issues and the debates now; the Obama administration might act quickly, and its decisions – and where it and Congress decide to put the money – will resonate in ways we haven’t conceived of.
 

OpenCongress is a free and open-source joint project of two non-profit organizations, the Participatory Politics Foundation and the Sunlight Foundation.