The Cybersecurity Act
April 28, 2009 - by Donny Shaw
“America’s vulnerability to massive cyber crime, global cyber espionage, and cyber attacks has emerged as one of the most urgent national security problems facing our country today,” says Sen. Olympia Snowe [R, ME]. “If we fail to take swift action, we, regrettably, risk a cyber-Katrina.”
To deal with the issue, she has teamed up with Sen. Jay Rockefeller [D, WV] and introduced into Congress the Cybersecurity Act of 2009. Since its introduction on April 1st, it has moved up the OpenCongress most-viewed bills list into the top five, and here’s why: it would give the President unilateral authority to shut down the internet.
SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
The President -
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.
(b) FUNCTIONS- The Secretary of Commerce –
(1) shall have access to all relevant data concerning [Federal Government and private sector owned critical infrastructure information systems and] networks without regard to any provision of law, regulation, rule, or policy restricting such access;
As Jennifer Granick of the Electronic Frontier Foundation points out, the language in the second excerpt would give the Commerce Department “absolute, non-emergency access to ‘all relevant data’ without any privacy safeguards like standards or judicial review.”
Of course, the scope of these new powers ultimately comes down to how the phrase “Federal Government and private sector owned critical infrastructure information systems,” which is mentioned repeatedly in the bill, is defined. Taking a look at the bill’s “Definitions” section, we learn that it is left wide open to be defined however the President chooses to define it:
(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS- The term ‘Federal Government and United States critical infrastructure information systems and networks’ includes -
(A) Federal Government information systems and networks; and
(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.
Some obvious information systems that would be considered critical are banks, credit card companies, utilities, airlines, trains, hospitals, etc. But, as Center for Democracy and Technology general counsel Greg Nojeim says, it’s possible that less obvious systems, like email, might also be included. “I’d be very surprised if it doesn’t include communications systems, which are certainly critical infrastructure,” Nojeim told eWeek.
That said – and this is also something Nojeim mentions – the bill has several less controversial parts. For example, its companion measure, S. 778, would establish an executive Office of National Cybersecurity Advisor, or “cyberczar,” and take the job of securing cyberspace away from the Department of Homeland Security and put it under the purview of the White House. This was the subject of a Senate Homeland Security Committee hearing that took place yesterday. It also contains scholarships for students to study cybersecurity issues, a cybersecurity awareness campaign, a mandate for the creation of cybersecurity metrics, and much more.
I think many tech-savvy types would agree that cybersecurity is crucial, that the government needs to improve in this area, and that private sector systems must be involved and protected. But the proper solution would probably be focused more on finding specific critical lapses and developing solutions, and less on broad powers for the federal government to shut things down.