Wednesday, April 15, 2009
Federal Authority Over the Internet? The Cybersecurity Act of 2009
There's a new bill working its way through Congress that is cause for some alarm: the Cybersecurity Act of 2009 (PDF summary here), introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). The bill as it exists now risks giving the federal government unprecedented power over the Internet without necessarily improving security in the ways that matter most. It should be opposed or radically amended.
Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government. This is a potentially dangerous approach that favors the dramatic over the sober response.
One proposed provision gives the President unfettered authority to shut down Internet traffic in an emergency and disconnect critical infrastructure systems on national security grounds goes too far. Certainly there are times when a network owner must block harmful traffic, but the bill gives no guidance on when or how the President could responsibly pull the kill switch on privately-owned and operated networks....
...In other words, the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review. The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act, or financial privacy regulations. Even worse, it isn’t clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well. If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US/CERT mailing list, that could be useful, but that’s not what the bill’s current language does....