The Cybersecurity Act of 2009, S. 773, introduced by Senators Rockefeller (D-WV) and Snowe (R-ME), has kicked off what promises to be an intense debate over the federal government’s cybersecurity policy. There’s broad consensus about the goal – better security for both governmental and private sector critical infrastructure information systems – but not much agreement about how to achieve it.
The Rockefeller/Snowe bill includes some especially troubling provisions. For starters, it would give the President the authority to limit or shut down Internet traffic to federal government and private critical infrastructure systems. It would give the Secretary of Commerce the power to override any law, regulation, or policy – including privacy laws and laws protecting trade secrets – to obtain access to information held by private parties that might be relevant to cybersecurity threats and vulnerabilities. Broadly read, the provision would authorize the Secretary of Commerce to override the Wiretap Act and the Electronic Communications Privacy Act to gain access to communications content. Finally, it includes provisions that would allow the government to dictate software design standards for the private sector.
CDT has prepared a detailed analysis of the Rockefeller-Snowe bill here.
Fortunately, the Rockefeller/Snowe bill isn’t the only game in town.
Senator Carper’s (D-DE) U.S. Information and Communications Enhancement (ICE) Act (S. 921) takes an entirely different, and much more appropriate, approach.Â It focuses primarily on strengthening the security of governmental information systems by amending the Federal Information Security Management Act. In contrast, many provisions of the Rockefeller-Snowe bill would apply the same measures and authorities without distinction to both private and public systems.
Also taking a more cautious approach is Senator Lieberman’s (I-CT) S. 946, which focuses on securing the electric power grid against cyber attack. While it is true that "bits are bits," the sectoral approach to cybersecurity recognizes that measures appropriate for securing systems that are used to control the electric power grid might be inappropriate for securing elements of the communications infrastructure. This sectoral approach says, basically, "Let’s identify the ways in which the electric power grid is vulnerable and develop solutions for those vulnerabilities."
To the credit of Senators Rockefeller and Snowe, they have actively solicited comments and suggestions for improving their legislation. CDT has met with staff for both Senators and has shared its views and concerns as well as ideas for alternative approaches.
Soon, the report of the team President Obama appointed to review cybersecurity policy government-wide will be made public.Â Melissa Hathaway and her team gave the report to the President on April 17. This report will sketch out at a high level the Administration’s views about how cybersecurity should be addressed.Â It will no doubt spur additional legislation and further advance the debate.
Almost every week, a new major cybersecurity breach is reported in the media. The test for Congress and the Administration will be to address the security issues that permit these incidents to occur without doing unnecessary damage to the openness and innovation that has made the Internet so successful.
For more information, see my May 1 testimony before a House subcommittee here.