US Bill Proposes Wide Emergency Measures for Control of Internet
Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security."
"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.
Article: Bill would give president emergency control of Internet [news.cnet.com]
The President—
(1) within 180 days after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include—
(B) a plan that encompasses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers;
(2) in the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information system or network:
(A) may declare a cybersecurity emergency; and
(B) may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network;
Excerpt of proposed bill [politechbot.com]
Just FYI: Even though your company/site isn't in the US, you will likely still be affected by this bill. There is a fair bit of core infrastructure that is located in the US (and would be subject to this law), and likely some of your major sources of traffic (i.e. all major search engines, and some major portals) may be located or hosted in the US, subjecting it to this law.
The article makes for an interesting read. Quite often it mentions that the president will have the authority to order the various steps. It would be interesting to know who will be advising him, and what the various stages are based on the threat level.
[edited by: bakedjake at 12:21 am (utc) on Sep. 3, 2009]
This reads to me more as a framework of steps and protocols to take in the event of a crisis. As far as I can tell there are no new powers being granted to the president. The president could already do pretty much anything he deems required in a crisis situation anyways.
Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.
I wonder what the litmus test to be deemed as critical infrastructure is. Maybe AOL and Comcast are considered critical infrastructure?
I think it is important to work out what effect the implication of the protocols would have on the rest of the world. It won't just be the US that could be affected. What does www stand for again? Could an action by the US administration have consequences for other countries? Maybe it's time for other countries to think ahead, and introduce countermeasures to limit any harm.
This is not the Webmaster Politics forum, it's the Professional Webmaster Business Issues forum.
Let's try and stay on topic. Specifically, I am interested in what you may be doing to mitigate any risk to your business if this bill passes.
Nothing beyond regular backups. If our electrical grid is under attack by hostile forces, as well as Internet and telephony systems, I don't think there's much to mitigate if computers across the nation won't turn on, or access to the Internet is severely compromised.
I don't anticipate our government will allow a slowdown in commerce due to a cyber attack to continue past whatever time it takes to secure.
HOWEVER, the big question for me is, when will the government step in? At what point will they consider it time to start pulling the plug? Do they wait until our systems are severely compromised, lightly attacked, or if systems are discovered to have spyware/trojans planted in them?
Until this Bill becomes law, this is all speculation, and premature at that.
Here is the full bill from the Library of Congress. It's only 55 pages, so even a senator could read it.
I've read all 55 pages. Though idealistic, it describes many unrealistic solutions.
For example: SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.
It states that within 90 days of the bill's passing a new dashboard to monitor all government sites should be devised and it should be finished within a year.
The problem: adding even one line of additional code provides more entry points and weaknesses. Likewise adding one more warning flag (if that's all the dashboard does) means one more potential false alarm to trigger which may lead to real consequences as a result of reactions to it. Such a control panel, with an untold number of people having access, would become a very juicy target in and of itself making it the very problem it would attempt to solve.
The bill simply doesn't offer any truly technical solutions imo. I see it as attempting to place more cameras on the front door instead of improving the locks on all doors.
I'd prefer to see more ounces of prevention included in it.
Further in the same paragraph of text is this:
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.
The secretary of commerce doesn't make military decisions about who leads the troops in real wars; I fail to see why they would be appointed that task against virtual attacks. It's my feeling that the bill isn't ready and has real issues. As written, a lot of NEW controls and systems will be created with a distinct lack of military participation.