CNET’s Declan McCullagh recently posted an article on aspects of the Cybersecurity Act of 2009 “Bill would give President emergency control of the Internet”
The new version would allow the president to “declare a cybersecurity emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat. Other sections of the proposal include a federal certification program for “cybersecurity professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.
There has been a lot of discussion and debate about how the new administration would address cybersecurity. With a string of disillusioned Cyber Czars, advisers, and a dizzying array of federal agencies vying to lead the efforts President Obama has certainly been in the unenviable position of setting the future direction to secure critical infrastructure and to ensure our prosperity.
This is a massive logistical problem, growing even more so as technology advances and becomes adopted as part of our digital fabric. Unfortunately there will be mistakes, errors in judgment, and poorly written policies that may very well lead to significant self-inflicted damage. The concept that the President, under an emergency situation, can take control of aspects of the Internet is very troubling.
Conceptually, and given the events of 9/11, it would seem logical that under a massive sustained attack on our critical infrastructure and our digital assets – both public and private – that it would be warranted for the administration to do whatever would be required to regain control and eliminate the threat. The reality is that this is extremely difficult to do and more importantly enables a malicious actor to create a situation that forces the administration to respond and in doing so create more havoc than could have been created by the malicious actors on their own.
This is a recipe for disaster and provides a very real vector for attacking the entire United States in a way that would not normally be afforded to those who wish to do us harm.
The relevant section of the Bill is below…
SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
According to McCullagh there has been some work on a revision…
They’re not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.
Excerpts of the revised bill can be found (here), they include the following:
SEC. 201. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
(2) in the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information system or network—
(A) may declare a cybersecurity emergency; and
(B) may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network;
We are entering an era that will be marked by unprecedented attacks on our critical infrastructure. I also believe that ultimately the US government needs to be accountable for ensuring that services are available and the US thrives, however the US is ill-prepared to deal with even minor malware outbreaks and unsophisticated network intrusions, let alone a highly coordinated attack that would actually justify such a response.