Congress Ponders Cybersecurity Power Grab

from the no-cybersecurity-licenses-please dept

There was a lot of attention paid last week to a new "cybersecurity" bill that would drastically expand the government's power over the Internet. The two provisions that have probably attracted the most attention are the parts that would allow the president to "declare a cybersecurity emergency" and then seize control of "any compromised Federal government or United States critical infrastructure information system or network." Perhaps even more troubling, the EFF notes a section that states that the government "shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access." Read literally, this language would seem to give the government the power to override the privacy protections in such laws as the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act. Thankfully, Congress can't override the Fourth Amendment by statute, but this language poses a real threat to Fourth Amendment rights.

One clause that I haven't seen get the attention it deserves is the provision that would require a federal license, based on criteria determined by the Secretary of Commerce, to provide cybersecurity services to any federal agency or any "information system or network" the president chooses to designate as "critical infrastructure." It's hard to overstate how bad an idea this is. Cybersecurity is a complex and fast-moving field. There's no reason to think the Department of Commerce has any special expertise in certifying security professionals. Indeed, security experts tend to be a contrarian bunch, and it seems likely that some of the best cybersecurity professionals will refuse to participate. Therefore, it's a monumentally bad idea to ban the government from soliciting security advice from people who haven't jumped through the requisite government hoops. Even worse, the proposal leaves the definition of "critical infrastructure" to the president's discretion, potentially allowing him to designate virtually any privately-owned network or server as "critical infrastructure," thereby limiting the freedom of private firms to choose cybersecurity providers.

When thinking about cyber-security, it's important to keep in mind that an open network like the Internet is never going to be perfectly secure. Providers of genuinely critical infrastructure like power grids and financial networks should avoid connecting it to the Internet at all. Moreover, the most significant security threats on the Internet, including botnets and viruses, are already illegal under federal law. If Congress is going to pass cybersecurity legislation this session (and it probably shouldn't) it should focus on providing federal law enforcement officials with the resources to enforce the cyber-security laws we already have (and getting the government's own house in order), not give the government sweeping and totally unnecessary new powers that are likely to be abused.

Timothy Lee is an expert at the Insight Community. To get insight and analysis from Timothy Lee and other experts on challenges your company faces, click here.

14 Comments | Leave a Comment..

Verizon Wireless: Open In Name Only?

from the this-is-not-the-'open'-you-were-thinking-of dept

Verizon Wireless got plenty of attention a few months back for announcing that it would be opening its network. This was a bit of a surprise, as Verizon Wireless has been among the most closed when it came to allowing anyone to do anything on its network. Of course, there were few details in the announcement. Now, the company has revealed a bit more about its "open" plans and they're incredibly underwhelming. In fact, you can almost pinpoint the problems based on the the key points Verizon Wireless chose to highlight.

First off, in order to get on the network you'll first have to get your device "certified" by Verizon Wireless. While the company insists that "the certification process won't be lengthy, costly or complicated," most people seem to think that it may be all three. It's going to take 4 to 8 weeks to get your device approved, and the expectation is that access will involve per-byte fees. It also means that if you want to use Verizon's new "open" network you have to spend all the time and effort to build a device, and then wait, hope and pray that Verizon "certifies it." Or, you can just ignore Verizon's network altogether and build a GSM-based device and pop in a SIM card and you're ready to go. So, Verizon's "open" network seems a lot more closed, annoying and expensive than the GSM networks that are more widely available.

14 Comments | Leave a Comment..