Punching Stupid and Evil in the Face Since 1986!

"We are on strike, we the men of the mind. We are on strike against self-immolation. We are on strike against the creed of unearned rewards and unrewarded duties."-John Galt

Friday, October 8, 2010

All your networks are belong to us-Part II-the "Protecting Cyberspace as a National Asset Act of 2010"

A new cyber security bill (PDF), based on a false premise, filled with impractical and draconian solutions to a problem that doesn't exist, is now poised to be voted on by our lawmakers before the end of this year. This new draft is a combination of two cyber security bills which were merged into one. These bills, originally introduced and then tabled by Senators Lieberman and Rockefeller, have now been married into one ugly union forever binding the public and private Internet to the government.

The "Protecting Cyberspace as a National Asset Act of 2010" is being sold as a solution to the problem of what to do in the event of a cyber attack that poses an “imminent threat” to the U.S. electrical grid or other critical infrastructure such as the water supply or financial network. Unfortunately for lawmakers, these critical networks are not, never have been, and never will be part of the public Internet; therefore their argument holds no water. The vast majority of security experts and those who actually understand the Internet and networks agree that the most critical networks are in no danger from outside threat. One would need physical access to these systems to do serious harm, and this bill would do nothing to prevent that kind of attack. With the creation of new rules, regulations and even a fancy new government agency, the National Center for Cybersecurity and Communications (NCCC), it is clear this is nothing more than another power grab from this Administration.

This bill would extend unprecedented power to the President and the newly created agency alone, with no oversight by Congress or any need for explanation to the American people. It would also allow the government to designate companies of its choosing as "critical", and those companies would then fall under the complete control of the Obama Administration. "Critical" companies, such as broadband providers or software firms, would be required to “immediately comply with any emergency measure or action developed” by the Department of Homeland Security. It would also require information sharing by these companies with the federal government. Finally, it grants the authority to monitor the “security status” of private sector websites, broadband providers and other Internet components. Any business or industry that failed to comply, follow the government-dictated standards, or immediately submit once a national emergency was declared would then be subject to seizure or shuttering.

This is a bad move for the freedom we currently experience on the Internet. It is unnecessary while also being far too ambiguous and expansive. The true security experts in our community are already developing plans and action items to protect our most critical network infrastructure; the government has no business meddling in this arena.

1 comment:

  1. While there are quite a few technical problems with the legislation -- it is not remotely as easy to "shut down the Internet" as it assumes -- I'm afraid there are also some errors in your assumptions. System Control And Data Acquisition networks used to control critical infrastructure, as well as military and banking networks, indeed never should connect to the public Internet. "Should" and "connect", however, are quite complex. Without very careful network engineering and operational controls, unintended or unauthorized connections do take place. It doesn't have to be a continuous connection, but simply a way to get a virus or other malware into the protected system -- which can happen from something as seemingly trivial as plugging an iPod or USB device into a computer port of the network. That device user may think she is simply charging the battery, but malware on the device can inject itself.
