Senator Jay Rockefeller (D-WV) has released a revised version of his bill that would federalize the Internet (I covered this topic earlier here). The current draft would allow the president to “declare a cybersecurity emergency” on “non-governmental” computer networks and do what’s necessary to respond to the threat.
Section 3 (2) (B) Defines “Cyber” as any matter relating to, or involving the use of, computers or computer networks. Section 201 (2) (B), permits the president to “direct the national response to the cyber threat” if necessary for “the national defense and security.”
“I think the redraft, while improved, remains troubling due to its vagueness,” Larry Clinton told CNET “It is unclear what authority Sen. Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill,” said Clinton, president of the Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board.
A Senate source familiar with the bill told CNET that the president’s power to take control of portions of the Internet is comparable to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.
Section 201 (5) the bill requires the White House to engage in “periodic mapping” of private networks deemed to be critical, and those companies “shall share” requested information with the federal government. The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco told CNET. “As soon as you’re saying that the federal government is going to be exercising this kind of power over private networks, it’s going to be a really big issue,” he says.
“The language has changed but it doesn’t contain any real additional limits,” EFF’s Tien says. “It simply switches the more direct and obvious language they had originally to the more ambiguous (version)…The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There’s no provision for any administrative process or review. That’s where the problems seem to start. And then you have the amorphous powers that go along with it.”
Rb-
If your network is determined to be “critical” by the Feds, there is likely a new set of regulations coming from the same people who are giving themselves failing grades for their own cyber-security.
These new rules could impact staffing decisions, disclosure policies and open the door to a government can take over your IT systems. This bill requires watching by anybody that uses or manages computers, a private network, or the Internet. It is likely they will sweep it in as pork on another unrelated bill, to limit public discussion.
Contact your representatives in DC.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.