[Infowarrior] - Cybersecurity bill goes too far

Richard Forno rforno at infowarrior.org
Sun Apr 19 04:27:50 UTC 2009


William Jackson | Senate's cybersecurity bill goes too far
By William Jackson
Apr 17, 2009
http://gcn.com/articles/2009/04/20/cybereye-security-bill.aspx
The Senate should take a close look at a comprehensive and  
far-reaching cybersecurity bill that attempts to assign responsibilities  
for better protecting the nation’s critical information infrastructure.

Based on a working draft of the legislation, there are some good ideas  
in the Cybersecurity Act of 2009, introduced by John “Jay”   
Rockefeller IV (D-W.Va.), chairman of the Senate Commerce, Science and  
Transportation Committee, and Olympia Snowe (R-Maine). But there also  
are some quixotic elements and a few provisions so far-reaching that  
they could effectively turn the Internet within the United States into  
a state-controlled medium.

The most troubling provisions would let the president order the  
disconnection of any federal information system or privately owned  
critical infrastructure component for undefined reasons of national  
security.

The bill, S.773, was introduced April 1 and referred to Rockefeller’s  
committee. It probably should remain there until the 60-day review of  
the nation’s cybersecurity policies ordered by President Obama has  
been digested.

According to the bill’s preamble, “America’s failure to protect  
cyberspace is one of the most urgent national security problems facing  
the country.” It goes on to warn of the risk not only to national  
security but also to the economy.

Its good ideas include the creation of a presidential cybersecurity  
advisory panel, the development of a comprehensive national  
cybersecurity strategy, and the establishment of measurable and  
auditable standards for government and contractor information  
technology systems. The National Science Foundation would support  
security research and development, and the Commerce Department would  
be the clearinghouse for threat and vulnerability information.

Perhaps the most unrealistic provision of the bill is its call for  
Commerce, in consultation with the Office of Management and Budget, to  
develop a plan for providing comprehensive, real-time cybersecurity  
status and vulnerability information on all federal systems it manages  
within 90 days of the bill’s enactment and implement that plan within  
a year. This is a fine goal. But 90 days? Implemented in one year? Not  
likely.

At first blush, the provision allowing the president to disconnect  
networks for national security might not sound unreasonable. But it is  
far too vague and goes too far. The Internet is so interconnected that  
almost any network could be defined as critical infrastructure, and  
the “interest of national security” has been abused so routinely that  
this provision poses the risk of almost anyone who offends the  
administration being taken off-line. This provision could, for  
example, have been used in 1971 to stop the New York Times and  
Washington Post from publishing the Pentagon Papers, had they  
attempted to put them online rather than print them. With no judicial  
review, the law would let a president order the publications' Web  
servers offline with the argument that it was not censoring a  
publication, but protecting the national security by removing  
infrastructure that had become critical.

If such authority is needed, the bill should carefully spell out in a  
constitutionally appropriate way the circumstances under which it  
could be used and the recourse and other safeguards against abuse.

