by Greg Fulton
A recently proposed but little-noticed Senate bill would allow the federal government to shut down the Internet in times of declared emergency, and enables unprecedented federal oversight of private network administration.
The bill’s draft states that “the president may order a cybersecurity emergency and order the limitation or shutdown of Internet traffic” and would give the government ongoing access to “all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access.”
Authored by Democratic Sen. Jay Rockefeller of West Virginia and Republican Olympia Snowe of Maine, the Cybersecurity Act of 2009 seeks to create a Cybersecurity Czar to centralize power now held by the Pentagon, National Security Agency, Department of Commerce and the Department of Homeland Security.
While the White House has not officially endorsed the draft, it did have a hand in its language, according to The Washington Post.
Proponents of the measure stress the need to centralize cybersecurity of the private sector. “People say this is a military or intelligence concern,” says Rockefeller, “but it is a lot more than that. It suddenly gets into the realm of traffic lights and rail networks and water and electricity.”
Snowe added, “America’s vulnerability to massive cyber-crime, global cyber-espionage and cyber-attacks has emerged as one of the most urgent national security problems facing our country today. Importantly, this legislation loosely parallels the recommendations in the CSIS [Center for Strategic and International Studies] blue-ribbon panel report to President Obama and has been embraced by a number of industry and government thought leaders.”
Critics decry the broad language, and are watchful for amendments to the bill seeking to refine the provisions. According to opencongress.com, no amendments to the draft have been submitted.
Organizations like the Center for Democracy and Technology fear if passed in its current form, the proposal leaves too much discretion of just what defines critical infrastructure. The bill would also impose mandates for designated private networks and systems, including standardized security software, testing, licensing and certification of cyber-security professionals.
“I’d be very surprised if it doesn’t include communications systems, which are certainly critical infrastructure,” CDT General Counsel Greg Nojeim told eWEEK. “The president would decide not only what is critical infrastructure but also what is an emergency.”
Adds Jennifer Granick, civil liberties director of the Electronic Frontier Foundation, “Essentially, the Act would federalize critical infrastructure security. Since many systems (banks, telecommunications, energy)are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government.”