stories filed under: "cybersecurity"
(Mis)Uses of Technology

by Mike Masnick


Filed Under:
cybersecurity, emergency



Wouldn't The Last Thing We Want During A 'Cybersecurity Emergency' Be For The Gov't To Take Over Private Networks?

from the given-their-technical-knowledge... dept

A bunch of folks are sending in this News.com story about a draft of the latest cybersecurity bill, that still includes bizarre and totally unnecessary language that would allow the President to declare a cybersecurity emergency and then be able to take control over private computer networks. First, the idea of the whole "cybersecurity emergency" that would require such a thing still remains a science fiction idea. Yes, there can be cybersecurity attacks and they can cause all sorts of problems, but these are problems that generally are not life-threatening or that can't be handled reasonably.

But the bigger issue is why the government should be taking control over private networks. This is the same gov't that doesn't let people in the State Department use Firefox and which thinks that RealPlayer is the state of the art in online video streaming. Even if there were a "cybersecurity emergency," I would think the last people I'd want to take charge would be the federal government.

Say That Again

by Kevin Donovan


Filed Under:
cybersecurity, jack goldsmith, monitoring



Does The US Government Really Need 'Wider Latitude' To Monitor Private Networks?

from the e-Maginote-Line dept

Harvard Law Professor, and former Bush White House lawyer, Jack Goldsmith has an opinion piece today in the NYT about cyber-security. In it, he makes a number of obvious (though admittedly often overlooked) points about the need for better education and information sharing, but then asserts that those, untried, methods will not be enough. Instead, he argues, "The government must be given wider latitude than in the past to monitor private networks and respond to the most serious computer threats." For a lawyer who saw first-hand (and even wrote a book about) the excesses of the Bush administration, this is a reckless claim. The repeatedly documented violations of civil liberties by the NSA and other government agencies (not to mention their private sector compatriots) through widespread network surveillance did not serve to protect and defend US critical infrastructure. In fact, by adding legitimacy to network monitoring, scholars like Goldsmith and respected countries like the USA make it easier for less savorable regimes to justify their digital surveillance and crackdowns. While China's "Green Dam" censorship software was justified on child-safety grounds, the next iteration of liberty limiting code could very well be to stop "cyber-terrorism" or some other amorphous, ill-defined concept.

A far more level-headed approach to cyber-security is taken by Evgeny Morozov in his recent essay in the Boston Review, which points out that "[m]uch of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armageddon draw attention, even if they are relatively short on facts." While Goldsmith is certainly not promoting increased government intervention out of self-interest, it is not good enough to pay lip-service to privacy and network openness. Decision-makers need to recognize that certain policies and rhetoric will inevitably have dangerous, unproductive unintended consequences.

Politics

by Timothy Lee


Filed Under:
certification, congress, critical infrastructure, cybersecurity, fourth amendment



Congress Ponders Cybersecurity Power Grab

from the no-cybersecurity-licenses-please dept

There was a lot of attention paid last week to a new "cybersecurity" bill that would drastically expand the government's power over the Internet. The two provisions that have probably attracted the most attention are the parts that would allow the president to "declare a cybersecurity emergency" and then seize control of "any compromised Federal government or United States critical infrastructure information system or network." Perhaps even more troubling, the EFF notes a section that states that the government "shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access." Read literally, this language would seem to give the government the power to override the privacy protections in such laws as the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act. Thankfully, Congress can't override the Fourth Amendment by statute, but this language poses a real threat to Fourth Amendment rights.

One clause that I haven't seen get the attention it deserves is the provision that would require a federal license, based on criteria determined by the Secretary of Commerce, to provide cybersecurity services to any federal agency or any "information system or network" the president chooses to designate as "critical infrastructure." It's hard to overstate how bad an idea this is. Cybersecurity is a complex and fast-moving field. There's no reason to think the Department of Commerce has any special expertise in certifying security professionals. Indeed, security experts tend to be a contrarian bunch, and it seems likely that some of the best cybersecurity professionals will refuse to participate. Therefore, it's a monumentally bad idea to ban the government from soliciting security advice from people who haven't jumped through the requisite government hoops. Even worse, the proposal leaves the definition of "critical infrastructure" to the president's discretion, potentially allowing him to designate virtually any privately-owned network or server as "critical infrastructure," thereby limiting the freedom of private firms to choose cybersecurity providers.

When thinking about cyber-security, it's important to keep in mind that an open network like the Internet is never going to be perfectly secure. Providers of genuinely critical infrastructure like power grids and financial networks should avoid connecting it to the Internet at all. Moreover, the most significant security threats on the Internet, including botnets and viruses, are already illegal under federal law. If Congress is going to pass cybersecurity legislation this session (and it probably shouldn't) it should focus on providing federal law enforcement officials with the resources to enforce the cyber-security laws we already have (and getting the government's own house in order), not give the government sweeping and totally unnecessary new powers that are likely to be abused.

Politics

by Carlo Longino


Filed Under:
cybersecurity, fema, government, politics



Is FEMA The Best Group To Model A Cybersecurity Agency After?

from the proactivity dept

There's been a lot of talk about the cybersecurity policy actions the Obama administration will undertake, with few clear ideas on exactly what such a policy should entail, or what powers the much-discussed cybersecurity "czar" should have. One of the supposed leading candidates for the czarship says that what the country really needs is "a FEMA for the internet" that can coordinate responses to electronic attacks and problems. The wisdom of invoking the idea of another FEMA doesn't seem too wise, given the agency's rather tarnished reputation following its ham-fisted response to Hurricane Katrina and other disasters, but leaving that aside, there may be deeper issues. FEMA's role is largely preparedness for and reaction to natural disasters; shouldn't a cybersecurity agency be focused more on prevention than reaction? The idea of something like FEMA makes sense in the context of natural disasters and emergencies, since they are largely unpreventable and inevitable. But isn't cybersecurity an area in which prevention of disasters and attacks is arguably more important?

Politics

by Mike Masnick


Filed Under:
cybersecurity, national policy



If There's A National Cybersecurity Policy, What Should It Cover?

from the if-anything... dept

A bunch of folks have been sending in the various news stories about a new report recommending that the incoming presidential administration set up a national cybersecurity policy, which is the sort of broad pronouncement that many people would instinctively agree with. However, it's not really clear what this covers. The report covers both government and private companies' computer networks, as if the issues and challenges facing each should be covered under a single plan. There's also talk of some new kind of warrant called "data warrants" rather than search warrants. Obviously, protecting internet infrastructure from foreign attacks is a good thing, but there's a lot here that seems like a grab for power -- and the ability to more closely gather and monitor data.

The fact that government networks and security of government computers are a mess is one issue, but it shouldn't be mixed in with private companies protecting their own data. The two issues should be tackled separately. If the government needs to fix its own computer network and security policies, that seems like a reasonable job for the national CIO that Obama has indicated is a part of his plan, rather than a separate cybersecurity policy.
