Privacy Remains an Issue in Latest Draft of Cybersecurity Bill

Published November 1, 2009

A bill introduced in Congress this spring granting the president broad powers over the Internet in the event of a “cyber emergency” rang alarm bells among civil libertarians. Months of behind-the-scenes revisions to the Cybersecurity Act of 2009 have done little to allay fears Congress will give the executive branch too much power and control.

S 773, authored by Sen. Jay Rockefeller (D-WV), jumped back into the headlines in September when The Drudge Report featured an update of the legislation at the top of its widely read and highly influential Web page.

Crisis Undefined

The bill allows the president to “declare a cybersecurity emergency” but does not clearly define what would constitute a sufficient crisis. The president would be permitted to hit what critics call the “kill switch”—shutting down or taking control of private-sector networks to respond to a cyber threat.

The bill also establishes a certification program for “cybersecurity professionals” directed by the federal government, and a requirement that as-yet-undefined private-sector networks must be managed by those certified professionals.

No Improvement

James Carafano, a senior research fellow for defense and homeland security issues at the Washington, DC-based Heritage Foundation, said Rockefeller made no substantive changes in the bill’s grant of broad emergency powers to the president.

“That [power] was in the original bill language. And in the latest draft, it’s no longer there in the same way, but has just been made more murky,” Carafano said. He says it doesn’t make sense to give the president emergency Internet powers in the event of a cyber attack.

“The president has broad, sweeping emergency powers anyway,” Carafano said. “It’s not really clear what he would do [with these new powers].”

Richard Esguerra, an activist and writer for the San Francisco-based Electronic Frontier Foundation, mocked the idea of a president having the expertise to protect the nation from a cyber attack.

“There are places where they are getting a little bit Hollywood,” Esguerra said.

Too Much Power

Jim Dempsey, vice president for public policy at the Washington, DC-based Center for Democracy and Technology, says the revised bill still hands too much power over to the government.

“This particular bill has taken an overly regulatory approach, particularly to the private sector,” Dempsey said. “In our view, the most important place to start [to improve the bill] is to recognize the distinction between what should be the power of the government—and the steps the government should take to secure its own systems, networks, and computers—versus what should be the government’s role in securing privately owned and operated infrastructures.

“[Rockefeller] did not adequately distinguish between those two very different sets of authorities and two very different problems,” Dempsey added.

Certifying Cyber Pros

Carafano doubts the federal government is competent enough to be in charge of directing the nation’s cybersecurity. The private sector already has proven it does a good job, he noted.

“The service providers and large data users like Google have a large proprietary interest in keeping the Internet up and running,” Carafano said. “They are very good at what they do, and know their cyber terrain better than the government does. So it’s not exactly clear what the president could tell them to do that they wouldn’t have already done on their own.”

Esguerra thinks it unlikely government is the best place for fostering innovation in a realm as complex and diverse as the Internet.

“Those provisions are sort of in the right place, meaning the government is saying computer security is important,” Esguerra said. “We think there are a lot of people out there doing good work on it at the academic level, and so we want to help encourage that.”

More to Come

Even if the Rockefeller bill fails to gain traction—it had but three co-sponsors at press time—it will probably be followed by others later this year or in the near future, Dempsey says.

“This is only one of what will ultimately be a number of proposals focusing on cybersecurity from a number of different directions,” Dempsey said.

Loren Heal ([email protected]) writes from Neoga, Illinois.

For more information …

Cybersecurity Act of 2009, revised draft: