Sen. Jay Rockefeller's revised Cybersecurity Act of 2009 is creating as much
controversy as his original effort in April did. Both
versions give the president unprecedented authority to shut down private
Internet networks in the case of a cyber-security emergency.
The original draft bill gave the president the broad authority to designate
various private networks as a "critical infrastructure system or
network" and, with no other review, "may declare a cyber-security
emergency and order the limitation or shutdown of Internet traffic to and
from" the designated the private sector system or network.
To read more about the original version of the Cybersecurity Act of 2009, click here.
In the revised version that language was dropped, but the vague substitute
wording still allows the president to declare a cyber-security emergency and
gives the White House broad authority over "non-governmental"
networks in times of national emergency (as declared by the president).
"The current language is so unclear that we can't be confident that the
changes have actually been made," Larry Clinton, president of the Internet
Security Alliance, told Fox News. "In the original bill they empowered the
president to essentially turn off the Internet in the case of a
'cyber-emergency,' which they didn't define."
The bill also grants the federal government the authority issue to
cyber-security mandates for designated private networks and systems, including
standardized security software and testing, and licensing and certification of
cyber-security professionals.
"Requiring firms to get government approval for new software would hamper
innovation and would have a negative effect on security," Greg Nojeim,
staff general counsel for the Center for Democracy & Technology, told eWEEK
in April. "If everyone builds to the same standard and the bad guys know
those standards it makes it easier for the bad guys."
The legislation also calls for a public-private clearinghouse for cyber-threats
and vulnerability information under the authority of the Department of
Commerce. The Secretary of Commerce would have the authority to access
"all relevant data concerning such networks without regard to any
provision of law, regulation, rule or policy restricting such access."
In another section of the bill, though, the president is required to report to
Congress on the feasibility of an identity management and authentication
program "with appropriate civil liberties and privacy protections."
Nojeim complained the bill is "not only vague but also broad. Its very
broad language is intended to confer broad powers." He also speculated
that the bill's vague language and authority may prove to be powerful incentive
for the private sector to improve its cyber-security measures.
"The bill will encourage private sector solutions to make the more
troubling sections of the bill unnecessary," Nojeim said.
 |
IT Security & Network Security News & Reviews News & Reviews 
