Earlier this month, Senators John Rockefeller (D, West Virginia) and Olympia Snowe (R, Maine) introduced S.773, the Cybersecurity Act of 2009. It's actually a companion bill to one they proposed a few days earlier to create a cabinet-level Cybersecurity Czar. It's S.773, however, that contains all of the meat in the Senate's attempt to legislate better cybersecurity. We've seen half-hearted attempts to do this in the past, but as Chairman of the Senate Committee that oversees Commerce, Science and Transportation, Senator Rockefeller's bill will be seriously considered, and Senator Snowe's presence on the co-sponsor list indicates that it will also have at least some bipartisan support.
At 53 pages with 23 different sections, you can't fault the sponsors for crafting a bill that isn't comprehensive. Most of the bill's provisions fall into the category of motherhood and apple pie, and many are lifted directly from the CSIS report entitled Securing Cyberspace for the 44th Presidency. There has clearly been much deep thought and analysis put into this effort, and I'd encourage anyone with even a passing interest in the topic to spend a few minutes reviewing the language of the bill itself rather than relying on the press coverage, which is necessarily somewhat superficial given the complexity of the topic.
It is Section 18 of the bill that will draw the most attention. This is the provision that would empower the (yet to be appointed) Cybersecurity Czar to shut down any portion of the public or private Internet that's deemed to be creating a national security risk due to cyberattack. This provision has already drawn sharp criticism from the private sector. The issue the Senate is addressing is real. Currently no one is empowered to disconnect a portion of the 'net that is under attack and might cause other portions to fail, and I think that "no one" is probably not a better answer than a knowledgeable and well-informed public official.
I understand the Senate's desire to grant a known entity the power to quarantine a portion of the nation's information infrastructure that's under attack, but I'm really struggling with how this would work in practice. Setting aside the issue of whether or not a public official would have enough accurate data in time to act, it would appear that the assumptions underlying this provision are flawed. The authors of Section 18 seem to believe that there are large chunks of Internet traffic that run on physically private networks that connect to the public Internet at a limited number of points. This is, of course, not the way the overwhelming majority of 'net traffic travels. In the limited number of cases where data is secured in transit, it's nearly always on Virtual Private Networks (VPNs) that use exactly the same transmission lines, routers, and wireless connections as all other Internet traffic.
So, assuming the national Cybersecurity Czar determined that the nation's financial system or power grid were under focused attack, just what would he or she order shut down in order to quarantine that piece of the nation's information infrastructure? If you have a different perspective on the deployability of this provision, please leave a comment below.
The real issues with this bill, however, revolve around the topics on which it is silent. Most importantly, there is no attempt to harmonize the 44 state breach laws now in effect. The primary reason this is an issue is that the bill does not do a very comprehensive job of defining just what constitutes a reportable threat or material breach. Without some harmonization of terminology and required remediation, S.773 places the private sector in the untenable position of having to guess what must be disclosed and to whom on a daily basis.
This lack of definition would also appear to put the Commerce Department in the position of being able to demand whatever operational detail it wants from any private sector institution at any point in time in the interests of national security. The primary tenet on which the founding fathers crafted the Constitution was to limit the power of the federal government. As we've learned in the last several years, it's generally a bad idea to grant any government agency unlimited powers, even in the interests of national security.
For the record, I strongly support the creation of a national cybersecurity bill. It is my hope, however, that Congress will carefully consider the consequences and operational issues raised by S.773. As a nation we clearly need such a statute and I believe the language in this bill is an excellent start, but there is still much work to do to make it the right bill.