[Infowarrior] - Emergency Presidential control of Internet?

Richard Forno rforno at infowarrior.org
Fri Aug 28 12:22:58 UTC 2009 

August 28, 2009 12:34 AM PDT
Bill would give president emergency control of Internet
by Declan McCullagh
http://news.cnet.com/8301-13578_3-10320096-38.html?part=rss&subj=news&tag=2547-1_3-0-20
Internet companies and civil liberties groups were alarmed this spring  
when a U.S. Senate bill proposed handing the White House the power to  
disconnect private-sector computers from the Internet.

They're not much happier about a revised version that aides to Sen.  
Jay Rockefeller, a West Virginia Democrat, have spent months drafting  
behind closed doors. CNET News has obtained a copy of the 55-page  
draft (excerpt), which still appears to permit the president to seize  
temporary control of private-sector networks during a so-called  
cybersecurity emergency.

The new version would allow the president to "declare a cybersecurity  
emergency" relating to "non-governmental" computer networks and do  
what's necessary to respond to the threat. Other sections of the  
proposal include a federal certification program for "cybersecurity  
professionals," and a requirement that certain computer systems and  
networks in the private sector be managed by people who have been  
awarded that license.

"I think the redraft, while improved, remains troubling due to its  
vagueness," said Larry Clinton, president of the Internet Security  
Alliance, which counts representatives of Verizon, Verisign, Nortel,  
and Carnegie Mellon University on its board. "It is unclear what  
authority Sen. Rockefeller thinks is necessary over the private  
sector. Unless this is clarified, we cannot properly analyze, let  
alone support the bill."

Representatives of other large Internet and telecommunications  
companies expressed concerns about the bill in a teleconference with  
Rockefeller's aides this week, but were not immediately available for  
interviews on Thursday.

A spokesman for Rockefeller also declined to comment on the record  
Thursday, saying that many people were unavailable because of the  
summer recess. A Senate source familiar with the bill compared the  
president's power to take control of portions of the Internet to what  
President Bush did when grounding all aircraft on Sept. 11, 2001. The  
source said that one primary concern was the electrical grid, and what  
would happen if it were attacked from a broadband connection.

When Rockefeller, the chairman of the Senate Commerce committee, and  
Olympia Snowe (R-Maine) introduced the original bill in April, they  
claimed it was vital to protect national cybersecurity. "We must  
protect our critical infrastructure at all costs--from our water to  
our electricity, to banking, traffic lights and electronic health  
records," Rockefeller said.

The Rockefeller proposal plays out against a broader concern in  
Washington, D.C., about the government's role in cybersecurity. In  
May, President Obama acknowledged that the government is "not as  
prepared" as it should be to respond to disruptions and announced that  
a new cybersecurity coordinator position would be created inside the  
White House staff. Three months later, that post remains empty, one  
top cybersecurity aide has quit, and some wags have begun to wonder  
why a government that receives failing marks on cybersecurity should  
be trusted to instruct the private sector what to do.

Rockefeller's revised legislation seeks to reshuffle the way the  
federal government addresses the topic. It requires a "cybersecurity  
workforce plan" from every federal agency, a "dashboard" pilot  
project, measurements of hiring effectiveness, and the implementation  
of a "comprehensive national cybersecurity strategy" in six months-- 
even though its mandatory legal review will take a year to complete.

The privacy implications of sweeping changes implemented before the  
legal review is finished worry Lee Tien, a senior staff attorney with  
the Electronic Frontier Foundation in San Francisco. "As soon as  
you're saying that the federal government is going to be exercising  
this kind of power over private networks, it's going to be a really  
big issue," he says.

Probably the most controversial language begins in Section 201, which  
permits the president to "direct the national response to the cyber  
threat" if necessary for "the national defense and security." The  
White House is supposed to engage in "periodic mapping" of private  
networks deemed to be critical, and those companies "shall share"  
requested information with the federal government. ("Cyber" is defined  
as anything having to do with the Internet, telecommunications,  
computers, or computer networks.)

"The language has changed but it doesn't contain any real additional  
limits," EFF's Tien says. "It simply switches the more direct and  
obvious language they had originally to the more ambiguous  
(version)...The designation of what is a critical infrastructure  
system or network as far as I can tell has no specific process.  
There's no provision for any administrative process or review. That's  
where the problems seem to start. And then you have the amorphous  
powers that go along with it."

Translation: If your company is deemed "critical," a new set of  
regulations kick in involving who you can hire, what information you  
must disclose, and when the government would exercise control over  
your computers or network.

The Internet Security Alliance's Clinton adds that his group is  
"supportive of increased federal involvement to enhance cyber  
security, but we believe that the wrong approach, as embodied in this  
bill as introduced, will be counterproductive both from an national  
economic and national secuity perspective."

More information about the Infowarrior mailing list