Sen. Jay Rockefeller’s revised Cybersecurity Act of 2009 is creating as much controversy as his original effort in April did. Both versions give the president unprecedented authority to shut down private Internet networks in the case of a cyber-security emergency.
The original draft bill gave the president the broad authority to designate various private networks as a “critical infrastructure system or network” and, with no other review, “may declare a cyber-security emergency and order the limitation or shutdown of Internet traffic to and from” the designated the private sector system or network.
In the revised version that language was dropped, but the vague substitute wording still allows the president to declare a cyber-security emergency and gives the White House broad authority over “non-governmental” networks in times of national emergency (as declared by the president).
“The current language is so unclear that we can’t be confident that the changes have actually been made,” Larry Clinton, president of the Internet Security Alliance, told Fox News. “In the original bill they empowered the president to essentially turn off the Internet in the case of a ‘cyber-emergency,’ which they didn’t define.”
The bill also grants the federal government the authority issue to cyber-security mandates for designated private networks and systems, including standardized security software and testing, and licensing and certification of cyber-security professionals.
“Requiring firms to get government approval for new software would hamper innovation and would have a negative effect on security,” Greg Nojeim, staff general counsel for the Center for Democracy & Technology, told eWEEK in April. “If everyone builds to the same standard and the bad guys know those standards it makes it easier for the bad guys.”
The legislation also calls for a public-private clearinghouse for cyber-threats and vulnerability information under the authority of the Department of Commerce. The Secretary of Commerce would have the authority to access “all relevant data concerning such networks without regard to any provision of law, regulation, rule or policy restricting such access.”
In another section of the bill, though, the president is required to report to Congress on the feasibility of an identity management and authentication program “with appropriate civil liberties and privacy protections.”
Nojeim complained the bill is “not only vague but also broad. Its very broad language is intended to confer broad powers.” He also speculated that the bill’s vague language and authority may prove to be powerful incentive for the private sector to improve its cyber-security measures.
“The bill will encourage private sector solutions to make the more troubling sections of the bill unnecessary,” Nojeim said.