Congress Ponders Cybersecurity Power Grab

from the no-cybersecurity-licenses-please dept

There was a lot of attention paid last week to a new “cybersecurity” bill that would drastically expand the government’s power over the Internet. The two provisions that have probably attracted the most attention are the parts that would allow the president to “declare a cybersecurity emergency” and then seize control of “any compromised Federal government or United States critical infrastructure information system or network.” Perhaps even more troubling, the EFF notes a section that states that the government “shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access.” Read literally, this language would seem to give the government the power to override the privacy protections in such laws as the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act. Thankfully, Congress can’t override the Fourth Amendment by statute, but this language poses a real threat to Fourth Amendment rights.

One clause that I haven’t seen get the attention it deserves is the provision that would require a federal license, based on criteria determined by the Secretary of Commerce, to provide cybersecurity services to any federal agency or any “information system or network” the president chooses to designate as “critical infrastructure.” It’s hard to overstate how bad an idea this is. Cybersecurity is a complex and fast-moving field. There’s no reason to think the Department of Commerce has any special expertise in certifying security professionals. Indeed, security experts tend to be a contrarian bunch, and it seems likely that some of the best cybersecurity professionals will refuse to participate. Therefore, it’s a monumentally bad idea to ban the government from soliciting security advice from people who haven’t jumped through the requisite government hoops. Even worse, the proposal leaves the definition of “critical infrastructure” to the president’s discretion, potentially allowing him to designate virtually any privately-owned network or server as “critical infrastructure,” thereby limiting the freedom of private firms to choose cybersecurity providers.

When thinking about cyber-security, it’s important to keep in mind that an open network like the Internet is never going to be perfectly secure. Providers of genuinely critical infrastructure like power grids and financial networks should avoid connecting it to the Internet at all. Moreover, the most significant security threats on the Internet, including botnets and viruses, are already illegal under federal law. If Congress is going to pass cybersecurity legislation this session (and it probably shouldn’t) it should focus on providing federal law enforcement officials with the resources to enforce the cyber-security laws we already have (and getting the government’s own house in order), not give the government sweeping and totally unnecessary new powers that are likely to be abused.


Comments on “Congress Ponders Cybersecurity Power Grab”

14 Comments
Zaven (profile) says:

Regulating the Regulators

Um… Can I now reference a comment I made on a previous article? We should strongly consider forcing politicians to be certified by some kind of test before letting them legislate on any tech-related things. If we did that, then no one would be dumb enough to propose such stupid new laws.

Things like computers and computer security evolve way too fast for the government to actually attempt to force people to be “Government Certified Security Consultants”. When you say “There’s no reason to think the Department of Commerce has any special expertise in certifying security professionals.” This is true on so many levels. In fact the government employed “tech know-it-alls” are usually the least knowledgeable. If they were any good, they’d likely be in the private sector making 10 times as much at their job.

Ryan says:

Re: Regulating the Regulators

And who gets to write the certification test? More opportunity for political influence and under-the-table corruption to unduly influence the system.

The much better idea is to get the government the hell out of the way. And the only way to do that is to stop electing big-government politicians into office. But the electorate is too ignorant, focused on getting theirs, and tied up in partisan groupthink to do that.

Zaven (profile) says:

Re: Re: Regulating the Regulators

Getting government out of the way was kinda my point. If a group of undergraduates from any CS or IS department wrote 20 questions. Let’s say the average college student could get an 80% (I’d like to think most college students are a bit tech savvy but the point is to give a general idea of the difficulty of the questions). I’d be willing to bet the average score for the same test given to our congress would be less than 50%.

I’m aware that this could never ACTUALLY happen but it’s just the idea. I’m basically saying that we need an official way to get every politician that comes up with an idea like this to say STFU.

rick forno (user link) says:

certifications for cybersecurity

(Shameless self-promotion)

I railed against this security certification requirement in a recent podcast interview @ Risky Business last week.

http://risky.biz/netcasts/risky-business/risky-business-103-certified-or-certifiable

I’ve also written much about the wisdom (er lack of it) about certifications in general. But yet we see this lunacy continuing….

Coyote says:

You're not all that illiterate, are you?

…seize control of “any compromised Federal government or United States critical infrastructure information system or network.”

So, the government has the right to pull the plug on their own networks if compromised? Sounds fair to me. There’s even a link to an article talking about how the Internet should never be considered capable of supporting critical infrastructure. So what’s with the OMG THER GOEZ NET NOOOTRALITEE, POLEEZ STAET comments?

So what if botnets and viruses are illegal? Never stopped them before. A lot of private networks don’t connect to the Internet.. but that still hasn’t kept the malware off completely. Remember worms on ATMs? Yep.

As for a license, why not? Many professionals and tradespersons have to be licensed, especially when they contract government work. I’m sorry, but I’ve seen too many self-professed IT experts make a real mess of things by convincing people they knew what they were doing. Some kind of regulation might be in order.

On that note, what kind of “expert” is the author, other than a marketer for this so called “Insight Community”.. if you have to link spam your company twice in the same byline, give it up.

Anonymous Coward says:

Re:

As a security professional, I have to say that a lot of the folks who take the CISSP and other cert exams tend to think that they’re much better equipped than they are. The biggest of several problems with this method of certification is that it overemphasizes theoretical knowledge and underemphasizes both experience and practical skill. The key qualification of both myself and a number of other security professionals isn’t book learning, but the fact that we’ve been delving into computers and computer security since we were old enough to read.

@ Coyote:
The ability to seize control of “any compromised Federal government or United States critical infrastructure information system or network” is, in my experience, the probable intended interpretation of the bill’s language. While I have no problem with the government removing its own systems, this bill makes it likely that, even if it is not the intended purpose, it will eventually be used in this way to override the objections of a private individual or company without recourse. The wording even allows them to infect a company with a targeted virus, then use that as an excuse to seize their entire network.

Finally, the Techdirt Insight Community isn’t Timothy Lee’s company – it is Mike Masnick’s. If you think he’s overdoing the advertising on Techdirt, you should tell him.

irv (user link) says:

Re: You're not all that illiterate, are you?

You missed the bit where the president or his designate gets to decide what constitutes “critical infrastructure.”

In other words – no checks and/or balances. The president can pull the plug on anything he pleases just by saying it’s really important.

If you’re okay with that too, that probably means you trust Obama to make the right decisions on that. But Obama won’t be in office forever. Would you be just as trusting of Sarah Palin (to name just one possible candidate from the other side)?

Dave (profile) says:

Re: You're not all that illiterate, are you?

Lol. I’ve come to the conclusion that people who beg for regulations are pussies with a capital P. You guys are the worst kinds of pussies too. Politicians are known to be sleazy and crooks but you put them in charge of regulations?? Is it too much responsibility for you to solve these problems through contractual arrangements and not through depending on government regulation?

Coyote says:

AC: take your meds.

Anon Coward – good points, except for “infect a company with a targeted virus, then use that as an excuse to seize their entire network”

If the government wanted to seize a private company, they’d do something a lot more solid, like manufacture SEC allegations or other criminal indictments.

They could. But they don’t.

Paranoia != security. In fact, paranoia typically weakens security.

When I see a byline like “xxxxx is an expert at the Insight Community. To get insight and analysis from xxxxx and other experts on challenges your company faces, click here.”…I don’t care who’s the pimp and who’s the hooker. Especially when I go there and it seems to be a Spamarketing and data mining operation.

jg (profile) says:

Insecurity

Just another example of the idiots in the US attempting to expand their control over the people who make their paychecks happen. The government has too much power already and they need to be put in their place.
For fuck sake, not too long ago was the story of DHS (dept homeland insecurity) who got their computers hacked to the tune of $12K US TAXPAYER DOLLARS of free phone calls to countries like Jordan and Afghanistan. Why? Because the fucking retfucktards who administered it never changed the default passwords.
The day the Gov takes over my pc’s connection is the day I call my ISP and cancel my acct. PERIOD. Fuck Them & their laws!

Dan says:

Who said?

What makes you think that the Gov. wouldn’t usurp 4th amendment rights? Take a look at the current FISA and Patriot Act, what happened to equal protection under the law? That was the 13, 14, 15th amendments, now the ACLU is suing to overturn telco immunity. Exactly when has a little thing like the law ever stopped a politician from depriving the peons of their rights?

known coward says:

you have no 4th amendment rights

Look at what they did to a 13 year old girl

“The Supreme Court seemed worried Tuesday about tying the hands of school officials looking for drugs and weapons on campus as they wrestled with the appropriateness of a strip-search of a 13-year-old girl accused of having prescription-strength ibuprofen.”
