Congress Ponders Cybersecurity Power Grab

from the no-cybersecurity-licenses-please dept

There was a lot of attention paid last week to a new "cybersecurity" bill that would drastically expand the government's power over the Internet. The two provisions that have probably attracted the most attention are the parts that would allow the president to "declare a cybersecurity emergency" and then seize control of "any compromised Federal government or United States critical infrastructure information system or network." Perhaps even more troubling, the EFF notes a section that states that the government "shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access." Read literally, this language would seem to give the government the power to override the privacy protections in such laws as the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act. Thankfully, Congress can't override the Fourth Amendment by statute, but this language poses a real threat to Fourth Amendment rights.

One clause that I haven't seen get the attention it deserves is the provision that would require a federal license, based on criteria determined by the Secretary of Commerce, to provide cybersecurity services to any federal agency or any "information system or network" the president chooses to designate as "critical infrastructure." It's hard to overstate how bad an idea this is. Cybersecurity is a complex and fast-moving field. There's no reason to think the Department of Commerce has any special expertise in certifying security professionals. Indeed, security experts tend to be a contrarian bunch, and it seems likely that some of the best cybersecurity professionals will refuse to participate. Therefore, it's a monumentally bad idea to ban the government from soliciting security advice from people who haven't jumped through the requisite government hoops. Even worse, the proposal leaves the definition of "critical infrastructure" to the president's discretion, potentially allowing him to designate virtually any privately-owned network or server as "critical infrastructure," thereby limiting the freedom of private firms to choose cybersecurity providers.

When thinking about cybersecurity, it's important to keep in mind that an open network like the Internet is never going to be perfectly secure. Providers of genuinely critical infrastructure like power grids and financial networks should avoid connecting them to the Internet at all. Moreover, the most significant security threats on the Internet, including botnets and viruses, are already illegal under federal law. If Congress is going to pass cybersecurity legislation this session (and it probably shouldn't), it should focus on providing federal law enforcement officials with the resources to enforce the cybersecurity laws we already have (and getting the government's own house in order), not give the government sweeping and totally unnecessary new powers that are likely to be abused.



Reader Comments
    Zaven (profile), Apr 20th, 2009 @ 10:34am

    Regulating the Regulators

    Um... Can I now reference a comment I made on a previous article. We should strongly consider forcing politicians to be certified by some kind of test before letting them legislate on any tech related things. If we did that, then no one would be dumb enough to propose such stupid new laws.

    Things like computers and computer security evolve way too fast for the government to actually attempt to force people to be "Government Certified Security Consultants". When you say "There's no reason to think the Department of Commerce has any special expertise in certifying security professionals." This is true on so many levels. In fact the government employed "tech know-it-alls" are usually the least knowledgeable. If they were any good, they'd likely be in the private sector making 10 times as much at their job.

      Ryan, Apr 20th, 2009 @ 11:01am

      Re: Regulating the Regulators

      And who gets to write the certification test? More opportunity for political influence and under-the-table corruption to unduly influence the system.

      The much better idea is to get the government the hell out of the way. And the only way to do that is to stop electing big-government politicians into office. But the electorate is too ignorant, focused on getting theirs, and tied up in partisan groupthink to do that.

        Zaven (profile), Apr 20th, 2009 @ 7:05pm

        Re: Re: Regulating the Regulators

        Getting government out of the way was kinda my point. If a group of undergraduates from any CS or IS department wrote 20 questions, let's say the average college student could get an 80% (I'd like to think most college students are a bit tech savvy, but the point is to give a general idea of the difficulty of the questions). I'd be willing to bet the average score for the same test given to our congress would be less than 50%.

        I'm aware that this could never ACTUALLY happen but it's just the idea. I'm basically saying that we need an official way to get every politician that comes up with an idea like this to say STFU.

    lulz, Apr 20th, 2009 @ 10:39am

    Well..

    see ya' later, glimmer of net neutrality. We'll miss you.

    Anonymous Coward, Apr 20th, 2009 @ 10:52am

    Didn't they watch this season of 24? The CPI device will kill us all!

    rick forno, Apr 20th, 2009 @ 11:17am

    certifications for cybersecurity

    (Shameless self-promotion)

    I railed against this security certification requirement in a recent podcast interview @ Risky Business last week.

    http://risky.biz/netcasts/risky-business/risky-business-103-certified-or-certifiable

    I've also written much about the wisdom (er, lack of it) of certifications in general. But yet we see this lunacy continuing....

    Coyote, Apr 20th, 2009 @ 12:51pm

    You're not all that illiterate, are you?

    ...seize control of "any compromised Federal government or United States critical infrastructure information system or network."

    So, the government has the right to pull the plug on their own networks if compromised? Sounds fair to me. There's even a link to an article talking about how the Internet should never be considered capable of supporting critical infrastructure. So what's with the OMG THER GOEZ NET NOOOTRALITEE, POLEEZ STAET comments?

    So what if botnets and viruses are illegal? Never stopped them before. A lot of private networks don't connect to the Internet.. but that still hasn't kept the malware off completely. Remember worms on ATMs? Yep.

    As for a license, why not? Many professionals and tradespersons have to be licensed, especially when they contract government work. I'm sorry, but I've seen too many self-professed IT experts make a real mess of things by convincing people they knew what they were doing. Some kind of regulation might be in order.

    On that note, what kind of "expert" is the author, other than a marketer for this so called "Insight Community".. if you have to link spam your company twice in the same byline, give it up.

      Anonymous Coward, Apr 20th, 2009 @ 1:44pm

      As a security professional, I have to say that a lot of the folks who take the CISSP and other cert exams tend to think that they're much better equipped than they are. The biggest of several problems with this method of certification is that it overemphasizes theoretical knowledge and underemphasizes both experience and practical skill. The key qualification of both myself and a number of other security professionals isn't book learning, but the fact that we've been delving into computers and computer security since we were old enough to read.

      @ Coyote: The ability to seize control of "any compromised Federal government or United States critical infrastructure information system or network" is, in my experience, the probable intended interpretation of the bill's language. While I have no problem with the government removing its own systems, this bill makes it likely that, even if it is not the intended purpose, it will eventually be used in this way to override the objections of a private individual or company without recourse. The wording even allows them to infect a company with a targeted virus, then use that as an excuse to seize their entire network. Finally, the Techdirt Insight Community isn't Timothy Lee's company - it is Mike Masnick's. If you think he's overdoing the advertising on Techdirt, you should tell him.

      irv, Apr 21st, 2009 @ 8:37am

      Re: You're not all that illiterate, are you?

      You missed the bit where the president or his designate gets to decide what constitutes "critical infrastructure."

      In other words - no checks and/or balances. The president can pull the plug on anything he pleases just by saying it's really important.

      If you're okay with that too, that probably means you trust Obama to make the right decisions on that. But Obama won't be in office forever. Would you be just as trusting of Sarah Palin (to name just one possible candidate from the other side)?

      Dave (profile), Apr 21st, 2009 @ 8:51am

      Re: You're not all that illiterate, are you?

      Lol. I've come to the conclusion that people who beg for regulations are pussies with a capital P. You guys are the worst kinds of pussies too. Politicians are known to be sleazy and crooks but you put them in charge of regulations?? Is it too much responsibility for you to solve these problems through contractual arrangements and not through depending on government regulation?

    Coyote, Apr 20th, 2009 @ 2:15pm

    AC: take your meds.

    Anon Coward - good points, except for "infect a company with a targeted virus, then use that as an excuse to seize their entire network"

    If the government wanted to seize a private company, they'd do something a lot more solid, like manufacture SEC allegations or other criminal indictments.

    They could. But they don't.

    Paranoia != security. In fact, paranoia typically weakens security.

    when I see a byline like "xxxxx is an expert at the Insight Community. To get insight and analysis from xxxxx and other experts on challenges your company faces, click here."...I don't care who's the pimp and who's the hooker. Especially when I go there and it seems to be a Spamarketing and data mining operation.

    jg, Apr 20th, 2009 @ 8:03pm

    Insecurity

    Just another example of the idiots in the US attempting to expand their control over the people who make their paychecks happen. The government has too much power already and they need to be put in their place.
    For fuck's sake, not too long ago was the story of DHS (dept homeland insecurity) who got their computers hacked to the tune of $12K US TAXPAYER DOLLARS of free phone calls to countries like Jordan and Afghanistan. Why? Because the fucking retfucktards who administered it never changed the default passwords.
    The day the Gov takes over my pc's connection is the day I call my ISP and cancel my acct. PERIOD. Fuck Them & their laws!

    Dan, Apr 20th, 2009 @ 10:34pm

    Who said?

    What makes you think that the Gov. wouldn't usurp 4th amendment rights? Take a look at the current FISA and Patriot act; what happened to equal protection under the law? That was the 13th, 14th, and 15th amendments. Now the ACLU is suing to overturn telco immunity. Exactly when has a little thing like the law ever stopped a politician from depriving the peons of their rights?

    known coward, Apr 21st, 2009 @ 11:48am

    you have no 4th amendment rights

    look at what they did to a 13 year old girl

    "The Supreme Court seemed worried Tuesday about tying the hands of school officials looking for drugs and weapons on campus as they wrestled with the appropriateness of a strip-search of a 13-year-old girl accused of having prescription-strength ibuprofen."
