CNET's Declan McCullagh is reporting on a Senate bill that would give the president powers to seize control of the national Internet infrastructure in the event of an undefined national emergency. The bill reportedly is extremely vague in its definitions, which has civil liberties groups concerned that the government could invoke these powers on the slightest pretext.
The bill, S. 773, sponsored by Jay Rockefeller (D, WV), would give the president broad powers to seize or otherwise direct the use of Internet infrastructure, software and private data as part of general "cybersecurity emergency powers," according to McCullagh, who obtained the latest draft. It would also create a federal certification program for information security professionals (although the private sector has several excellent ones) and require private sector companies to hire only IT professionals who passed government muster.
All this is being done in the name of improving U.S. cybersecurity, an area that the Feds have been notoriously inept at (How many laptops lost this week?). Instead of looking to their own house first, Congress and the White House are asking American individuals and businesses to cede control of all private IT assets and data to them in the event of any loosely-defined emergency. This should be opposed for the power grab it is.
Here's more from McCullagh's story:
Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It requires a "cybersecurity workforce plan" from every federal agency, a "dashboard" pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months--even though its mandatory legal review will take a year to complete.
The privacy implications of sweeping changes implemented before the legal review is finished worry Lee Tien, a senior staff attorney with the Electronic Frontier Foundation in San Francisco. "As soon as you're saying that the federal government is going to be exercising this kind of power over private networks, it's going to be a really big issue," he says.
Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to engage in "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government. ("Cyber" is defined as anything having to do with the Internet, telecommunications, computers, or computer networks.)
"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.