Published: August 29, 2009
A bill being composed by aides of Sen. Jay Rockefeller (D-W.Va) is causing concern among technology advocates for strikingly broad language in describing how the White House should direct private sector networks in the event of a cybersecurity emergency.
Effectively, its critics state, the bill would give the White House control over the American Internet in the event of a major electronic attack on the nation’s infrastructure or other emergency circumstance as declared by the President.
But, does it? The answer to that is as ambiguous as the bill’s language, though the Senate Commerce Committee insists that it does not.
Concern over the bill mainly stems from passages on pages 25 and 26 (PDF link) of the 55-page draft bill. In S.773, it states:
in the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information system or network—
(A) may declare a cybersecurity emergency; and
(B) may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network;
(3) shall, in coordination with various critical infrastructure industry sectors, develop detailed cyber emergency response and restoration plans for each critical infrastructure industry sector;
C-Net writer Declan McCullagh reports: “I think the redraft, while improved, remains troubling due to its vagueness,” said Larry Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board. “It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill.”
An original version of the bill, presented in April, was alleged to yield power to the White House to direct a shutdown of “critical” networks, similar to controls given with regard to air traffic. However, it did not specify what constitutes a cybersecurity emergency. The most recent draft still lacks this language.
“This is the same gov’t that doesn’t let people in the State Department use Firefox and which thinks that RealPlayer is the state of the art in online video streaming,” opined Michael Masnick at TechDirt. “Even if there were a ‘cybersecurity emergency,’ I would think the last people I’d want to take charge would be the federal government.”
“The Rockefeller proposal plays out against a broader concern in Washington, D.C., about the government’s role in cybersecurity,” noted C-Net. “In May, President Obama acknowledged that the government is ‘not as prepared’ as it should be to respond to disruptions and announced that a new cybersecurity coordinator position would be created inside the White House staff. Three months later, that post remains empty, one top cybersecurity aide has quit, and some wags have begun to wonder why a government that receives failing marks on cybersecurity should be trusted to instruct the private sector what to do.”
At ThreatsWatch, a national security think tank, Michael Tanji concludes: “The way to deal with a cyber security emergency on a national level is not consolidation, but distribution. That’s kind of the reason the ‘Net was invented in the first place: to make sure if one node in a network was taken out, information could flow to its intended destination regardless. Centralized management provides the illusion of control, but it doesn’t make things more secure; it just makes things more brittle. When such systems do break - and they will - the damage will be more severe and it will take longer to recover.”
Jamie Smith, the Senate Commerce Committee’s communications director, writes to The Atlantic’s Marc Ambinder that neither version of the cybersecurity bill would have allowed either a “shutdown” or a “takeover” of the Internet.
“This particular legislative language is based on longstanding statutory authorities for wartime use of communications networks,” she said. “To be very clear, the Rockefeller-Snowe bill will not empower a ‘government shut down or takeover of the internet’ and any suggestion otherwise is misleading and false. The purpose of this language is to clarify how the President directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government’s response.”
Ambinder concludes: “Where I might add a note of caution — America’s cyber infrastructure is already being monitored on a very high level by the Department of Defense and the National Security Agency, which, by law, cannot (yet) delve into the type of deep packet inspection that would allow it to capture malignant worms and viruses before they spread. The NSA — that NSA. One reason why Sens. Rockefeller and Snowe are so eager to give the White House, the Department of Homeland Security, and the Commerce Department more statutory authority is because they do not want the NSA to become the protector by default. As controversial as cyber monitoring is, as much as it violates our sense of what the Internet is, and as much as it rightly provokes debate about government intrusion, Congress wants these decisions to be transparent and the decision-makers held accountable.”