William Jackson | Senate's cybersecurity bill goes too far
- By William Jackson
- Apr 17, 2009
The Senate should take a close look at a comprehensive and far-reaching cybersecurity bill that attempts to assign responsibilities for better protecting the nation’s critical information infrastructure.
Based on a working draft of the legislation, there are some good ideas in the Cybersecurity Act of 2009, introduced by John “Jay” Rockefeller IV (D-W.Va.), chairman of the Senate Commerce, Science and Transportation Committee, and Olympia Snowe (R-Maine). But there also are some quixotic elements and a few provisions so far-reaching that they could effectively turn the Internet within the United States into a state-controlled medium.
The most troubling provisions would let the president order the disconnection of any federal information system or privately owned critical infrastructure component for undefined reasons of national security.
The bill, S.773, was introduced April 1 and referred to Rockefeller’s committee. It probably should remain there until the 60-day review of the nation’s cybersecurity policies ordered by President Obama has been digested.
According to the bill’s preamble, “America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.” It goes on to warn of the risk not only to national security but also to the economy.
Its good ideas include the creation of a presidential cybersecurity advisory panel, the development of a comprehensive national cybersecurity strategy, and the establishment of measurable and auditable standards for government and contractor information technology systems. The National Science Foundation would support security research and development, and the Commerce Department would be the clearinghouse for threat and vulnerability information.
Perhaps the most unrealistic provision of the bill is its call for Commerce, in consultation with the Office of Management and Budget, to develop within 90 days of the bill’s enactment a plan for providing comprehensive, real-time cybersecurity status and vulnerability information on all federal systems it manages, and to implement that plan within a year. This is a fine goal. But 90 days? Implemented in one year? Not likely.
At first blush, the provision allowing the president to disconnect networks for national security might not sound unreasonable. But it is far too vague and goes too far. The Internet is so interconnected that almost any network could be defined as critical infrastructure, and the “interest of national security” has been abused so routinely that this provision poses the risk of almost anyone who offends the administration being taken offline.
This provision could, for example, have been used in 1971 to stop the New York Times and Washington Post from publishing the Pentagon Papers, had they attempted to put them online rather than print them. With no judicial review, the law would let a president order the publications' Web servers offline with the argument that he was not censoring a publication, but protecting the national security by removing infrastructure that had become critical.
If such authority is needed, the bill should carefully spell out in a constitutionally appropriate way the circumstances under which it could be used and the recourse and other safeguards against abuse.