The new version of a US Senate bill allows President Barack Obama to seize temporary control of private sector networks during a cybersecurity emergency. The bill allows the President to "declare a cybersecurity emergency" relating to "non-governmental" computer networks in order to deal with a cyber threat. The bill was introduced by Senator Jay Rockefeller, a West Virginia Democrat, who has spent months preparing the draft.
"I think the redraft, while improved, remains troubling due to its vagueness. It is unclear what authority Senator Rockefeller thinks is necessary over the private sector. Unless this is clarified, we cannot properly analyze, let alone support the bill," said Larry Clinton, President, Internet Security Alliance, which counts representatives of Verizon, Verisign, Nortel, and Carnegie Mellon University on its board.
Representatives of large internet and telecommunications companies have expressed concerns about the bill in a teleconference with Rockefeller's aides. According to a source familiar with the bill, the primary concern was the electrical grid, specifically the consequences of an attack from a broadband connection.
Rockefeller's proposal addresses a broader concern in Washington about the government's role in cybersecurity. President Obama has already acknowledged that the government is "not as prepared" and announced that a new cybersecurity coordinator position would be created inside the White House staff.
After three months, the post remains empty, one top cybersecurity aide has quit, and people are wondering how a government that has failed on cybersecurity can be trusted when it instructs the private sector.
Rockefeller's revised legislation seeks to reshuffle the way the federal government addresses the topic. It seeks a cybersecurity workforce plan from every federal agency, a dashboard pilot project, measurements of hiring effectiveness, and the implementation of a "comprehensive national cybersecurity strategy" in six months, even though its mandatory legal review will take one year to complete.
The issue lies in section 201, which permits the President to "direct the national response to the cyber threat" if necessary for "the national defense and security." The White House is supposed to do a "periodic mapping" of private networks deemed to be critical, and those companies "shall share" requested information with the federal government.
"The language has changed but it doesn't contain any real additional limits. It simply switches the more direct and obvious language they had originally to the more ambiguous versions. The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it," said Lee Tien, Staff Attorney, Electronic Frontier Foundation.
So if a company is designated "critical," a new set of regulations kicks in, covering who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.