Government Regulation of Cybersecurity: Partnership–or Power Grab–in the Making?
Apr 7th, 2009 | By Mike Dailey
A cybersecurity bill introduced in the U.S. Senate on April 1st, 2009 would give the United States federal government extraordinary power over private sector Internet services, applications and software. This proposed legislation is a direct result of a review ordered by the Obama administration into government policies and processes for defending against Internet-borne attacks.
The focus of the bill, according to a summary released by the sponsoring senators, is on establishing a new partnership between the public and private sectors in a joint effort to bolster Internet security.
This comprehensive legislation addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage, and cyber attacks that could cripple our critical infrastructure.
We presently have systems to protect our nation’s secrets and our government networks against cyber espionage, and it is imperative that those cyber defenses keep up with our enemies’ cyber capabilities. However, another great vulnerability our country faces is the threat to our private sector critical infrastructure-banking, utilities, air/rail/auto traffic control, telecommunications-from disruptive cyber attacks that could literally shut down our way of life.
This proposed legislation will bring new high-level governmental attention to develop a fully integrated, thoroughly coordinated, public-private partnership to our cyber security efforts in the 21st century.
The bill, entitled the Cybersecurity Act of 2009, calls for the creation of a Cybersecurity Advisory Panel composed of outside experts from industry, academia, and nonprofit groups that would advise the president on cybersecurity policy and direction. The bill would give the President the authority to shut down Internet traffic in emergencies or disconnect any critical infrastructure system or network in the interests of national security. The bill would also grant the Commerce Department the ability to override all privacy laws to gain access to any information about Internet usage.
(a) DESIGNATION.-The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal government and private sector owned critical infrastructure information systems and networks.
(b) FUNCTIONS.-The Secretary of Commerce-(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;
The bill also provides federal authority to license and certify information technology professionals dealing with cybersecurity, and makes it a federal crime to perform any duty currently related to cybersecurity without the federal license.
SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.
(a) IN GENERAL.-Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals
(b) MANDATORY LICENSING.-Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
Further, the bill establishes a timetable for a federal review and report of existing electronic privacy and security legislation.
(a) IN GENERAL.-Within 1 year after the date of enactment of this Act, the President, or the President’s designee, through an appropriate entity, shall complete a comprehensive review of the Federal statutory and legal framework applicable to cyber-related activities in the United States, including-
(1) the Privacy Protection Act of 1980 (42 U.S.C. 2000aa);
(2) the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510 note);
(3) the Computer Security Act of 1987 (15 U.S.C. 271 et seq; 40 U.S.C. 759);
(4) the Federal Information Security Management Act of 2002 (44 U.S.C. 3531 et seq.);
(5) the E-Government Act of 2002 (44 U.S.C. 9501 et seq.);
(6) the Defense Production Act of 1950 (50 U.S.C. App. 2061 et seq.);
(7) any other Federal law bearing upon cyber related activities; and
(7) any applicable Executive Order or agency rule, regulation, guideline.
The bill, introduced by Sens. John Rockefeller and Olympia Snowe, would also give the federal government unprecedented and sweeping control over computer software, Internet services, and online privacy, all in the interests of national security. Center for Democracy & Technology (CDT) President and CEO Leslie Harris said, “The cybersecurity threat is real, but such a drastic federal intervention in private communications technology and networks could harm both security and privacy.”
While this new initiative holds promise, the question remains as to whether or not more government regulation and oversight will produce a more secure Internet. Some critics are concerned with the establishment of more government to handle cybersecurity initiatives, when the responsibility appears to fall under the role of the National Security Adviser. Others are concerned with the scope of powers granted to the federal government if the bill is signed into law as written. The presidential powers granted as part of the proposed legislation would be “a sweeping federal takeover of cybersecurity” responsibilities, said Ms. Harris.