The New Rockefeller-Snowe Cyber Bill
As a number of high profile cybersecurity incidents have made headlines in the past year, cybersecurity has increasingly been at the forefront of policy objectives. Much of the country’s infrastructure in need of protection is owned privately, so it has become increasingly clear that only through public and private cooperation can U.S. critical infrastructure be kept safe. The need for a public-private partnership is reflected in the Senate Commerce Committee’s recently approved Cybersecurity Act of 2009.
The bill was first introduced in April of 2009, at which point is had provisions which worried some about the interference of the U.S. President into the functioning of the internet. The specific portion that raised these concerns stated: "The President – may declare a cybersecuirty emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network." This blog concluded in discussing this bill several months ago: "without a revision of language this bill will continue to sit in the Senate Commerce, Science, and Technology Committee." Indeed, before the bill was approved, it was amended to remove the parts including the most significant expansion of the President's power into cyberspace.
The removal of this phrasing raises several interesting questions about the extent to which the President is allowed to control privately owned networks for the sake of national security. Should the President be able to shut down communications networks for the sake of national security? If private infrastructure operators refused, what course of action could be taken? Given the importance of privately-held infrastructure to security, it seems as if there should probably be someone, somewhere, with the power to take action in the event of cyber catastrophe.
Although the President's powers were altered in the newest iteration of the bill, the majority of the bill remains unchanged since April. It focuses largely on the creation of standards, education, and the consolidation of responsibility for cybersecurity. Some commentators have expressed concern over the potential privacy implications of allowing government greater access to anything it deemed 'critical-infrastructure,' especially without a clear mandate for what can be considered critical-infrastucture. Some question how effective this bill can be in fixing the most pervasive problems, things like the use of 'password' as a password.
In fact, the bill would call on NIST to create and evaluate standards, certifications, and best practices for cybersecurity. Of course, the problem with best practices is people have to use them. Most have been told the importance of a secure password and software updates, but 'password' is still out there, and millions of machines have yet to see XP's Service Pack 3.
Although the bill may still require significant changes, the goal of improving cybersecurity through education and the creation of more centralized cybersecurity authority is to be applauded. Without a unified framework upon which to build our cybersecurity initiatives, there is little hope of defending against current threats, much less the unforeseeable threats of tomorrow.
Intern, CSIS Technology and Public Policy Program