Congress Ponders Cybersecurity Power Grab
from the no-cybersecurity-licenses-please dept
There was a lot of attention paid last week to a new "cybersecurity" bill that would drastically expand the government's power over the Internet. The two provisions that have probably attracted the most attention are the parts that would allow the president to "declare a cybersecurity emergency" and then seize control of "any compromised Federal government or United States critical infrastructure information system or network." Perhaps even more troubling, the EFF notes a section that states that the government "shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access." Read literally, this language would seem to give the government the power to override the privacy protections in such laws as the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act. Thankfully, Congress can't override the Fourth Amendment by statute, but this language poses a real threat to Fourth Amendment rights.One clause that I haven't seen get the attention it deserves is the provision that would require a federal license, based on criteria determined by the Secretary of Commerce, to provide cybersecurity services to any federal agency or any "information system or network" the president chooses to designate as "critical infrastructure." It's hard to overstate how bad an idea this is. Cybersecurity is a complex and fast-moving field. There's no reason to think the Department of Commerce has any special expertise in certifying security professionals. Indeed, security experts tend to be a contrarian bunch, and it seems likely that some of the best cybersecurity professionals will refuse to participate. Therefore, it's a monumentally bad idea to ban the government from soliciting security advice from people who haven't jumped through the requisite government hoops. Even worse, the proposal leaves the definition of "critical infrastructure" to the president's discretion, potentially allowing him to designate virtually any privately-owned network or server as "critical infrastructure," thereby limiting the freedom of private firms to choose cybersecurity providers.
When thinking about cyber-security, it's important to keep in mind that an open network like the Internet is never going to be perfectly secure. Providers of genuinely critical infrastructure like power grids and financial networks should avoid connecting it to the Internet at all. Moreover, the most significant security threats on the Internet, including botnets and viruses, are already illegal under federal law. If Congress is going to pass cybersecurity legislation this session (and it probably shouldn't) it should focus on providing federal law enforcement officials with the resources to enforce the cyber-security laws we already have (and getting the government's own house in order), not give the government sweeping and totally unnecessary new powers that are likely to be abused.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: certification, congress, critical infrastructure, cybersecurity, fourth amendment
Reader Comments
Subscribe: RSS
View by: Time | Thread
Regulating the Regulators
Things like computers and computer security evolve way too fast for the government to actually attempt to force people to be "Government Certified Security Consultants". When you say "There's no reason to think the Department of Commerce has any special expertise in certifying security professionals." This is true on so many levels. In fact the government employed "tech know-it-alls" are usually the least knowledgeable. If they were any good, they'd likely be in the private sector making 10 times as much at their job.
[ link to this | view in thread ]
Well..
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Regulating the Regulators
The much better idea is to get the government the hell out of the way. And the only way to do that is to stop electing big-government politicians into office. But the electorate is too ignorant, focused on getting theirs, and tied up in partisan groupthink to do that.
[ link to this | view in thread ]
certifications for cybersecurity
I railed against this security certification requirement in a recent podcast interview @ Risky Business last week.
http://risky.biz/netcasts/risky-business/risky-business-103-certified-or-certifiable
I'v e also written much about the wisdom (er lack of it) about certifications in general. But yet we see this lunacy continuing....
[ link to this | view in thread ]
You're not all that illiterate, are you?
So, the government has the right to pull the plug on their own networks if compromised? Sounds fair to me. There's even a link to an article talking about how the Internet should never be considered capable of supporting critical infrastructure. So what's with the OMG THER GOEZ NET NOOOTRALITEE, POLEEZ STAET comments?
So what if botnets and viruses are illegal? Never stopped them before. A lot of private networks don't connect to the Internet.. but that still hasn't kept the malware off completely. Remember worms on ATMs? Yep.
As for a license, why not? Many professionals and tradespersons have to be licensed, especially when they contract government work. I'm sorry, but I've seen too many self-professed IT experts make a real mess of things by convincing people they knew what they were doing. Some kind of regulation might be in order.
On that note, what kind of "expert" is the author, other than a marketer for this so called "Insight Community".. if you have to link spam your company twice in the same byline, give it up.
[ link to this | view in thread ]
@ Coyote: The ability to seize control of "any compromised Federal government or United States critical infrastructure information system or network" is, in my experience, the probable intended interpretation of the bill's language. While I have no problem with the government removing its own systems, this bill makes it likely that, even if it is not the intended purpose, it will eventually be used in this way to override the objections of a private individual or company without recourse. The wording even allows them to infect a company with a targeted virus, then use that as an excuse to seize their entire network. Finally, the Techdirt Insight Community isn't Timothy Lee's company - it is Mike Masnick's. If you think he's overdoing the advertising on Techdirt, you should tell him.
[ link to this | view in thread ]
AC: take your meds.
If the government wanted to sieze a private company, they'd do something a lot more solid, like manufacture SEC allegations or other criminal indictments.
They could. But they don't.
Paranoia != security. In fact, paranoia typically weakens security.
when I see a byline like "xxxxx is an expert at the Insight Community. To get insight and analysis from xxxxx and other experts on challenges your company faces, click here."...I don't care who's the pimp and who's the hooker. Especially when I go there and it seems to be a Spamarketing and data mining operation.
[ link to this | view in thread ]
Re: Re: Regulating the Regulators
I'm aware that this could never ACTUALLY happen but it's just the idea. I'm basically saying that we need an official way to get every politician that comes up with an idea like this to say STFU.
[ link to this | view in thread ]
Insecurity
For fuck sake, not to long ago was the story of DHS (dept homeland insecurity) who got their computers hacked to the tune of $12K US TAXPAYER DOLLARS of free phone calls to countries like jordan and afghanistan. Why because the fucking retfucktards who administered it never changed the default passwords.
The day the Gov takes over my pc's connection is the day I call my ISP and cancel my acct. PERIOD. Fuck Them & their laws!
[ link to this | view in thread ]
Who said?
[ link to this | view in thread ]
Re: You're not all that illiterate, are you?
In other words - no checks and/or balances. The president can pull the plug on anything he pleases just by saying it's really important.
If you're okay with that too, that probably means you trust Obama to make the right decisions on that. But Obama won't be in office forever. Would you be just as trusting of Sarah Palin (to name just one possible candidate from the other side).
[ link to this | view in thread ]
Re: You're not all that illiterate, are you?
[ link to this | view in thread ]
you have no 4th amendment rights
"The Supreme Court seemed worried Tuesday about tying the hands of school officials looking for drugs and weapons on campus as they wrestled with the appropriateness of a strip-search of a 13-year-old girl accused of having prescription-strength ibuprofen."
[ link to this | view in thread ]