CYBEREYE—Commentary

William Jackson | Senate's cybersecurity bill goes too far

The Senate should take a close look at a comprehensive and far-reaching cybersecurity bill that attempts to assign responsibilities for better protecting the nation’s critical information infrastructure.

Based on a working draft of the legislation, there are some good ideas in the Cybersecurity Act of 2009, introduced by John “Jay” Rockefeller IV (D-W.Va.), chairman of the Senate Commerce, Science and Transportation Committee, and Olympia Snowe (R-Maine). But there also are some quixotic elements and a few provisions so far-reaching that they could effectively turn the Internet within the United States into a state-controlled medium.

The most troubling provisions would let the president order the disconnection of any federal information system or privately owned critical infrastructure component for undefined reasons of national security.

The bill, S.773, was introduced April 1 and referred to Rockefeller’s committee. It probably should remain there until the 60-day review of the nation’s cybersecurity policies ordered by President Obama has been digested.

According to the bill’s preamble, “America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.” It goes on to warn of the risk not only to national security but also to the economy.

Its good ideas include the creation of a presidential cybersecurity advisory panel, the development of a comprehensive national cybersecurity strategy, and the establishment of measurable and auditable standards for government and contractor information technology systems. The National Science Foundation would support security research and development, and the Commerce Department would be the clearinghouse for threat and vulnerability information.

Perhaps the most unrealistic provision of the bill is its call for Commerce, in consultation with the Office of Management and Budget, to develop a plan for providing comprehensive, real-time cybersecurity status and vulnerability information on all federal systems it manages within 90 days of the bill’s enactment and implement that plan within a year. This is a fine goal. But 90 days? Implemented in one year? Not likely.

At first blush, the provision allowing the president to disconnect networks for national security might not sound unreasonable. But it is far too vague and goes too far. The Internet is so interconnected that almost any network could be defined as critical infrastructure, and the “interest of national security” has been abused so routinely that this provision poses the risk of almost anyone who offends the administration being taken off-line. This provision could, for example, have been used in 1971 to stop the New York Times and Washington Post from publishing the Pentagon Papers, had they attempted to put them online rather than print them. With no judicial review, the law would let a president order the publications' Web servers offline with the argument that it was not censoring a publication, but protecting the national security by removing infrastructure that had become critical.

If such authority is needed, the bill should carefully spell out in a constitutionally appropriate way the circumstances under which it could be used and the recourse and other safeguards against abuse.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Apr 23, 2009

This is just another attack on the First Amendment.

Mon, Apr 20, 2009 Student of Man

Dean, I respectfully disagree. This bill is stating just that. It is vaguely defining privately held organizations that provide infrastructure services and could be used to classify electric grids, pipelines, ISPs, backbone providers, or anything else that suddenly becomes "infrastructure" dependent upon the situation. This is a thinly veiled attempt to invoke government control of the private sector under the auspices of national security. I thought America had enough of that under the last administration...

Mon, Apr 20, 2009

With more and more government agencies moving to the Internet as a means of transport so they can realize real cost savings over leased lines, this bill would undoubtedly mean higher costs at a time when the government cannot afford it. Commerce and National Science? What have they done in the last century that would make them more viable than say NIST, or NSA?

Mon, Apr 20, 2009 Dean Bushmiller

The cybersecurity act of 2009 could be a good thing. Saying that the president is going to "turn off the Internet" is wrong. He can't. No amount of law could do that. The sky is not falling, it can't fall, the president can't make it fall. Through this bill, the president would delegate this authority to certified, trained, authorized people. Like it or not, security professionals in the government need the freedom and the responsibility to protect their part of the Internet, sometimes by shutting out the bad guys. If you know anything about the Internet, all the president or anyone could do is stop communication on their part (the government's part) of the network. It is not like they could reach into a business and cut them off from the Internet. They don't have the capability to shut us down; this bill would not give them the power to do that. Can anything do that? No. Dean Bushmiller has been a certified security professional and educator for 10 years. He is the president of expandingsecurity.com due to 3000 char restriction for the full comment email me directly
