“A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.”
My question is, “for what other purposes”?
Official Summary - 4/1/2009–Introduced.
Cybersecurity Act of 2009 - Directs the President to establish or designate a Cybersecurity Advisory Panel to advise the President.
So, Melissa Hathaway, [soon to be] cybersecurity czar may actually get a permanent post after all… Woo Hoo! I know I’m just thrilled. Aren’t you?
I agree with Michael Masnick over at techdirt.com, that the LAST thing we would want during a ‘Cybersecurity Emergency’ would be the Government to take over private networks.
“… a draft of the latest cybersecurity bill, that still includes bizarre and totally unnecessary language that would allow the President to declare a cybersecurity emergency and then be able to take control over private computer networks. First, the idea of the whole “cybersecurity emergency” that would require such a thing still remains a science fiction idea. Yes, there can be cybersecurity attacks and they can cause all sorts of problems, but these are problems that generally are not life-threatening or that can’t be handled reasonably.
But the bigger issue is why the government should be taking control over private networks. This is the same gov’t that doesn’t let people in the State Department use Firefox and which thinks that RealPlayer is the state of the art in online video streaming. Even if there were a ‘cybersecurity emergency,’ I would think the last people I’d want to take charge would be the federal government.”
Jon Henke over at digitalsociety.com posted an interesting article that caught my eye. Of particular interest is the quote from the “Congressional staffer (who works on this issue and wishes to remain anonymous).” Thought I’d share it here.
Recently, there was some debate over whether the Cybersecurity Act of 2009 (S. 773) would, as Mike Masnick feared and Declan McCullagh wrote, “permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency”. Wired’s Nicholas Thompson responded, arguing that the text of the bill did not justify those allegations.
Notice all the hedging. He “may”, “may”, “if he finds it necessary”, “in coordination.” And then they payoff? He can “direct the national response”!
That’s not giving him any powers that he doesn’t already have, and there’s no justification in that language for the hysteria. It is also much more in sync with what Obama himself has said. He has been very clear that he doesn’t want to snoop on private networks, much less take them over.
However, a Congressional staffer (who works on this issue and wishes to remain anonymous) has told me that the hedge language cited by Wired does not necessarily support Thompson’s conclusions.
Just because it no longer explicitly says the President “may…order the limitation or shutdown of Internet traffic” doesn’t necessarily mean it doesn’t still give him that authority.
What is a “cybersecurity emergency”, and what does such a declaration mean?
What does “direct[ing] the national response to the cyber threat” mean?
“Critical information systems and networks” is defined as “information systems and networks…designated by the President as critical information systems and networks”. Thus, the President can exercise his vague “cybersecurity emergency” authority on any system or network he deems “critical”.
“[I]n coordination with relevant industry sectors” is a throwaway provision. If the President declares an emergency and the White House simply calls up AT&T or Level 3 or Cox Cable to inform them that the government is shutting down their networks, that would probably satisfy the “coordination” clause.
There’s no review or redress process given for the exercising of this emergency authority.
Vaguer language doesn’t necessarily mean less power or authority. Just cause it sounds more innocuous doesn’t mean that it is.
References | Resources | Related Material
- Track S.773 - Cybersecurity Act of 2009 on Open Congress
- Text of S.773 - Cybersecurity Act of 2009 on Open Congress
- Track S. 773: Cybersecurity Act of 2009 on govtrack
- The Library of Congress - THOMAS appears to have an issue and provides TWO entries with different content for S.773
- The Compleat List of Obama Czars
- Obama’s Cyber Security Czar Good Pick for IT
- Cybersecurity Act of 2009: Who Controls the Internet?
- Wouldn’t The Last Thing We Want During A ‘Cybersecurity Emergency’ Be For The Gov’t To Take Over Private Networks?
- Bill would give president emergency control of Internet
- Umm… Actually Obama Doesn’t Want to Take Over the Internet
- Bill gives Obama ‘kill switch’ on web
- Obama Cybersecurity Report Addresses Critical Infrastructure and Privacy Issues