Further analysis of the proposed Cybersecurity Act of 2009 raises more questions than it answers. Many parts of the cyber-security bill represent good ideas, some set up security patronage work and some create vast new systems of rules for how security professionals can do their jobs.
Not long after I wrote my column on the proposed cyber-security bills in the Senate, the actual text of the legislation became available. As I wrote at the time, my analysis was based on various other materials about the bill made public by the Commerce Committee and sponsoring senators. Now the text is available in many places, including OpenCongress.
S.778 is short and to the point: the national cybersecurity advisor is an assistant to the president, subject to confirmation by the Senate, has specific duties with respect to advising the president and approval of cyber-security budget items, and has security clearance in relevant matters.
S.773 is where the meat is. It starts out with a collection of provocative quotes from reports and consultants on how vulnerable we are, which is undoubtedly true, although there is the usual hysteria in there with references to 9/11 and a "cyber-Katrina," whatever that is.
The main thing I looked for at first was some guidance about what networks and systems would be subject to oversight by this act. The press materials only referred to government networks and "critical infrastructure" with some examples, but no real definition. No doubt by sheer coincidence, a story in the Wall Street Journal last week asserted (with anonymous quotes but no actual facts) that the U.S. power grid had been hacked by "foreign spies." The security of such systems, and of SCADA systems generally even if they are privately held, is certainly a national security matter. Concern over this problem is hardly new, nor are vague, unsubstantiated and impossible-to-investigate rumors about it.
What else might qualify for control by the federal government under this bill? Here is the language:

State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and
So we won't know what it is until the president says. He can designate bank networks, perhaps critical common carriers, or whatever else he thinks is critical. Then, in the event of "cyber-attack," he can order those shut off or disconnected. I think Congress owes it to us to put a more solid definition in the bill so that it can be discussed in hearings, on the record, rather than letting the president decide unilaterally.