Critical infrastructure security has been dinged from every direction lately: attacks on the power grid; plans for the Joint Strike fighter jet stolen; hospitals hit by Conficker; testimony before Congress on the shoddy state of affairs and the need for attention and oversight.
Yet the one that has civil libertarians and folks on both sides of the aisle concerned the most is the Cybersecurity Act of 2009, a bill proposed by West Virginia Democrat Jay Rockefeller and Maine Republican Olympia Snowe. On its surface, the bill isn't a radical departure from what experts have been asking for all along. The senators want to establish a cybersecurity advisory panel that includes public and private industry representatives, create a national cybersecurity strategy, develop security standards for software used in federal systems, appropriate money for research and development and sponsor educational initiatives around cybersecurity.
All well and good until you get to sections 14 and 18 of Senate Bill 773.
Provisions in section 18 would give the president the authority to shut down a critical infrastructure network during a cybersecurity emergency that threatens national security. The bill does not define a critical infrastructure network nor does it limit the president's power to federal networks. Section 14, meanwhile, would establish the Dept. of Commerce as a clearinghouse of threat and vulnerability information for federally and privately-owned critical infrastructure systems and networks. This section says the Secretary of Commerce would "have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access." The secretary would also manage how information is shared between the government and public and private infrastructure operators.
While some might interpret this as a power grab on the part of the government, others are saying the bill isn't likely to fly as is and that it's merely a discussion starter.
"The main intent, I think, is to send a signal to the White House that Congress is serious about [cybersecurity]," says Jim Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS). Lewis points out that the Defense Information Systems Agency (DISA) has similar authority to unplug Dept. of Defense networks. Lewis adds that even if ultimately the president doesn't get the authority to unplug privately-owned networks, he should have it for .gov domains.
Others, however want to know why such a dramatic tack is being taken by Congress. The bill, as written, would essentially federalize cybersecurity and drag power away from private owners of utility and communications systems who may not be so anxious to let the government make the call about disconnecting them from the public grid.
"I think that anyone familiar with the bill automatically has serious problems with it," says Jennifer Granick, civil liberties director at the Electronic Frontier Foundation (EFF). "We are paying attention to it, and ISPs, critical infrastructure operators and civil libertarians are paying attention. Few things are that remarkable, but that's the way things work in Washington. This will likely be toned down or dropped. This has to be radically amended before it's widely adopted."
Granick says government could take less grandiose measures to address network and critical infrastructure security, such as using its considerable market power to push for more secure software out of the box, and promote security basics such as encryption and patching of systems.
"If the real purpose of this bill is to protect critical systems, then we want to legislate for common events," Granick says. "We need to protect against average threats, rather than legislating for the extraordinary."
Another provision in the bill calls for an identity management and authentication program for government and critical infrastructure information systems and networks. Is this a precursor to a national ID program, or a jab at online privacy?
"There's reason to fear that this type of study is just a precursor to proposals to limit online anonymity. But anonymity isn't inherently a security problem. What's "secure" depends on the goals of the system. Do you need authentication, accountability, confidentiality, data integrity?" Granick wrote in an EFF blog. "Each goal suggests a different security architecture, some totally compatible with anonymity, privacy and civil liberties. In other words, no one "identity management and authentication program" is appropriate for all internet uses."
Michael S. Mimoso is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.
This was first published in May 2009