Last night I was listening to the Herman Cain show in the car and someone came on to talk about S. 773, a bill intended to increase cyber-security. Today, I was linked by Aaron Gardner (h/t) to this CNET article about the bill.
The article details the history of the bill, from its original form to its redraft, along with some of its more interesting features. Among these are:
- the president can declare a “cyber security emergency” relating to non-governmental computer networks,
- Federal certification for cyber security professionals,
- requirements that certain critical networks be managed by people with that license,
- implementation of a “comprehensive national cybersecurity strategy” within six months.
From the article:
A spokesman for Rockefeller also declined to comment on the record Thursday, saying that many people were unavailable because of the summer recess. A Senate source familiar with the bill compared the president’s power to take control of portions of the Internet to what President Bush did when grounding all aircraft on Sept. 11, 2001. The source said that one primary concern was the electrical grid, and what would happen if it were attacked from a broadband connection.
There is one critical difference between the airlines in 2001 and the nation’s computer network infrastructure today: In 2001, the Federal Government had already entrenched itself into airline security. It was already setting policy, procedures and regulations for that industry following the various hijackings in the 1960s and 1970s and the terrorist bombings of the 1970s and 1980s. The security procedures followed by the airlines and their private security firms were established by the Federal Government.
Additionally, how the passengers and crew should respond to such hijackings as occurred on September 11, 2001 was also established by the Federal Government and its “experts” on terrorism. Crews and passengers were instructed to put their heads down, sit tight and allow the negotiators to do their job. We all know what happened next: Thousands of people died when those aircraft were flown into the World Trade Center and the Pentagon. Indeed, the only hijacked aircraft that did not reach a target was the aircraft on which the passengers and crew did the opposite of past instructions: They turned upon their captors and tried to take back the plane, resulting in its crashing in a field in western Pennsylvania.
Even more important, and what few have talked about since, is that the weapons and other items apparently used by the hijackers, consisting of pocket knives and box cutters and (according to some reports) blocks of clay (to simulate plastic explosive), were all permitted on board passenger aircraft prior to that day. These items were not seen as a threat to airline security. Indeed, I can remember as a kid flying to Florida with my Cub Scout pocket knife in my jeans pocket.
What does this mean for cyber security? It means centralization of the security infrastructure. Instead of a diverse group of programmers, engineers and specialists working to find and stop cyber attacks, as we have today, critical threats will be determined by the government. If the Sarbanes-Oxley legislation is any indication, private businesses will be forced to focus on areas that are deemed important based upon political perception instead of actual threats, putting less emphasis on or completely ignoring those actual threats while focusing on “action plans” and documentation of activities that have minimal or no impact on security.
The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. “As soon as you’re saying that the federal government is going to be exercising this kind of power over private networks, it’s going to be a really big issue,” he says.
Probably the most controversial language begins in Section 201, which permits the president to “direct the national response to the cyber threat” if necessary for “the national defense and security.” The White House is supposed to engage in “periodic mapping” of private networks deemed to be critical, and those companies “shall share” requested information with the federal government. (“Cyber” is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)
“The language has changed but it doesn’t contain any real additional limits,” EFF’s Tien says. “It simply switches the more direct and obvious language they had originally to the more ambiguous (version)…The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There’s no provision for any administrative process or review. That’s where the problems seem to start. And then you have the amorphous powers that go along with it.”
Indeed, giving the President sweeping powers to shut down, isolate or otherwise restrict our communications infrastructure has a very Orwellian feel to it. Based upon a perceived threat, the President could instruct private networks to go offline, restricting the flow of information and limiting the ability of people to communicate. The vagueness of the language used seems to indicate just about any threat could be used as an excuse to take control and isolate networks, shutting down financial transactions, television, radio, internet and EDI all in the name of national security. Can one man really be trusted with such incredible power? Especially over private infrastructure?
Even with the shutdown of the airlines in 2001, the roads and trains were still available for movement. With communications networks shut down, nothing moves. Airlines, the Post Office and freight services use the internet and EDI to transmit bills of lading and manifests. Industrial firms, who have long since outsourced their communications systems to telecommunications firms, could find themselves unable to retrieve data about their inventory from Enterprise Resource Planning (ERP) systems. Law enforcement could find itself communicating not in its rapid, 21st Century methodology, but rather in the traditional 1970s radio-only format.
The biggest problem with centralizing the response, however, is that the enemy is not centralized. Unlike, say, espionage or military actions, where threats originate with the roughly 200 nations on this planet and a small number of criminal or terrorist networks, cyber security has a wide range of potential threats, from terrorism and nations to criminals seeking consumer information to script-kiddies in their parents’ basement just wanting to have “fun.” Centralizing cyber security would be akin to putting the FBI in charge of local law enforcement, from the Vice Squad to the Homicide unit to Code Enforcement. Centralizing the nation’s law enforcement structure in this manner does not make sense, and neither does centralizing our computer network’s security infrastructure.
Centralization is the Soviet System: Everything is dictated and directed by the State, innovation and individual initiative discouraged. The centralized military structure the Soviets built, trained and propagated in Iraq was easily picked apart and destroyed by our decentralized but coordinated military structure in 1991 and again in 2003. Taking down the central control system resulted in paralysis and our decentralized, initiative-driven military pinned the Iraqis down and obliterated them. As General Colin Powell said in 1991, “First, we’re going to cut it off, and then we’re going to kill it.”
Rather than centralizing, our elected officials should be focused on coordinating the expert professionals already involved in cyber security. There is already a private industry group, the Information Technology Association of America, dedicated to this purpose. Other private industry groups also exist. These organizations help security professionals coordinate and learn from each other. Their importance should not be ignored.
S. 773 is both vague and fundamentally flawed. Does the government need to be able to respond to cyber threats? Certainly. Should it take direct control over the private communications networks?
Not on your life.