Proposed legislation would put authority over the security of government and private networks in the hands of officials reporting to the President.
President Obama promised in his campaign to take cybersecurity seriously
and he appears to be following up on that promise. Legislation just introduced in the Senate, written with White House input according to the Washington Post
would federalize the business of computer security. It would give White
House officials the power to shut off private networks, decide what
products could be used for security and set rules for who could
practice computer security.
The legislation is actually in two bills, S.773 and S.778. The titles of the bills are:
S.773-A bill to ensure the continued free flow of
commerce within the United States and with its global trading partners
through secure cyber communications, to provide for the continued
development and exploitation of the Internet and intranet
communications for such purposes, to provide for the development of a
cadre of information technology specialists to improve and maintain
effective cybersecurity defenses against disruption, and for other
S.778-A bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor.
I couldn't find the actual text of the legislation yet, but there is a short PDF describing it in press release language
. Of course such documents are no substitute for examining the actual text.
The emphasis of the opening parts of the press release is on matters
about which there is little dispute: government and critical private
infrastructure networks need to be protected. It asserts that they are
vulnerable and that a new public-private partnership is necessary to
address the problem. The advisor created by S.778 would report directly
to the president and, according to the press release, would have
"...the authority to disconnect a Federal or critical infrastructure
network from the Internet if they are found to be at risk of cyber
What are the critical infrastructure networks? The examples provided
are "...banking, utilities, air/rail/auto traffic control,
telecommunications..." Let's think about this. I'm especially curious
as to how you take the telecommunications networks off of the Internet
when they are, in large part, what the Internet is comprised of. And if
my bank were taken offline I would think about going into my branch and
asking for all of my deposits in cash.
The bill would also require a formal national strategy to be
drafted. I guess it's better to have a strategy than not to have one,
but I'm leery about the true value to security, at least before the
long term. It would also require periodic reviews that would politicize
the security of private networks.
A public education campaign on cybersecurity would likely have as
much effect on the average person as most public education campaigns of
this sort, which is not a whole lot.
On the subject of civil rights and cybersecurity it has this cryptic
guidance: "The legislation would require the Advisor to review the
feasibility of an identity management and authentication program, to
include recommendations regarding civil liberties protections." I don't
like the sound of that. It sounds like "can we get away with requiring
everyone to have a unique digital ID?"
The bill creates a "public-private clearinghouse for cyber threat
and vulnerability information-sharing" which sounds like what US-CERT
does now. A Cybersecurity Advisory Panel would advice the Advisor and
But then it gets interesting again. "Establish enforceable
cybersecurity standards." It would require NIST (the National Institute
of Standards and Technology) "...to establish measureable [sic] and
auditable cybersecurity standards that would be applicable both to
government and the private sector." In other words, it would make
security rules that the private sector would have to obey. Would some
new security regulatory regime be created to enforce these rules? The
potential to force huge costs on industry is a real concern here;
expect the security software business to be largely enthusiastic. A
Secure Products and Services Acquisitions Board would certify products
that meet the standards for federal government purchase. How would they
do this? By testing? Such testing could be a massive new private sector
"Provide for licensing and certification of cybersecurity
professionals." What the hell is this? The bill would require "...a
professional licensing and certification program for cybersecurity
professionals similar to those required for other major professions."
So in order to do security functions you'll have to go to Security
School and pass your boards? I suppose if you do something unapproved,
like the wrong kind of research, your license can be revoked. I don't
like where this part is going.
I have to say the whole thing smells bad to me. I don't like the
chances of the government improving this situation by taking it over
generally, and I definitely don't like the idea of politicizing this
authority by putting it in the direct control of the President. If it
must be done it should be run through some cabinet agency, probably DHS
I guess I don't mind the standards and research ideas at all; the
government has done a lot of good work in that field over many years,
although very little of it was mandated. As I've written before
there are some problems that we face which need the weight of
government behind them. This is not the same as creating a new federal
bureaucracy setting rules over what computer security has to be and who
can do it.
A lot of important legislation has been jammed through Congress in
the last couple of months with little or nothing in the way of
hearings. S.773 and S.778 can't be allowed to go that route. Follow the
news on this and let your own representatives know what you think.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack