CNET News reported on August 28 that it had obtained a draft copy of a Senate bill (S. 773) that would “permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.”
The bill is being prepared by aides to Senator Jay Rockefeller (D-W.Va.) as a revision of Senate legislation from this past spring that would have shifted cybersecurity responsibility from the Department of Homeland Security to the White House. The draft copy obtained by CNET appears to still contain similar provisions.
CNET says this new version “would allow the president to ‘declare a cybersecurity emergency’ relating to ‘non-governmental’ computer networks and do what’s necessary to respond to the threat. Other sections of the proposal include a federal certification program for ‘cybersecurity professionals,’ and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.”
The revised legislation “requires a ‘cybersecurity workforce plan’ from every federal agency, a ‘dashboard’ pilot project, measurements of hiring effectiveness, and the implementation of a ‘comprehensive national cybersecurity strategy’ in six months — even though its mandatory legal review will take a year to complete.”
Perhaps the most troubling portion of the bill would permit the president to “direct the national response to the cyber threat” as needed for “national defense and security.” The White House would conduct “periodic mapping” of what it deems to be critical private computer networks, and the companies owning those networks “shall share” any information requested by the federal government.
“I think the redraft, while improved, remains troubling due to its vagueness,” stated Larry Clinton, president of the Internet Security Alliance. Representatives from Verizon, Verisign, Nortel, and Carnegie Mellon University sit on the Alliance’s board. “It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill.”
Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, is concerned about the privacy implications of establishing such far-reaching changes in six months when the legal review won’t be completed for 12 months. Tien said, “As soon as you’re saying that the federal government is going to be exercising this kind of power over private networks, it’s going to be a really big issue.”
The Competitive Enterprise Institute’s Director of Technology Studies Wayne Crews warned about “the constant temptation by politicians in both parties to expand government authority over ‘critical’ private networks.” Crews noted how government can take advantage of the open-ended definition of “critical”: “From American telecommunications to the power grid, virtually anything networked to some other computer is potentially fair game to Obama to exercise ‘emergency powers.’ ”
“Policy makers should be suspicious of proposals to collectivize and centralize cybersecurity risk management, especially in frontier industries like information technology,” Crews advised. “When government asserts authority over security technologies, it hinders the evolution of more robust information security practices and creates barriers to non-political solutions — both mundane and catastrophic. The result is that we become less secure, not more secure.”
Crews urged the Obama administration to concentrate on “securing government networks and keeping government agencies on the cutting edge of communications technology,” rather than looking to expand its power over the private sector.
Perhaps this is a case where the government should take the beam out of its own eye instead of attempting to remove the mote in the eye of the private sector.