Probably the most controversial language begins in Section 201, which permits the president to "direct the national response to the cyber threat" if necessary for "the national defense and security."
"The language has changed but it doesn't contain any real additional limits," EFF's Tien says. "It simply switches the more direct and obvious language they had originally to the more ambiguous (version)...The designation of what is a critical infrastructure system or network as far as I can tell has no specific process. There's no provision for any administrative process or review. That's where the problems seem to start. And then you have the amorphous powers that go along with it."
Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.
Article: Bill would give president emergency control of Internet [news.cnet.com]
---
The President—
(1) within 180 days after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include—
(...)
(B) a plan that encompasses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers;
(2) in the event of an immediate threat to strategic national interests involving compromised Federal Government or United States critical infrastructure information system or network:
(A) may declare a cybersecurity emergency; and
(B) may, if the President finds it necessary for the national defense and security, and in coordination with relevant industry sectors, direct the national response to the cyber threat and the timely restoration of the affected critical infrastructure information system or network;
Excerpt of proposed bill [politechbot.com]
---
Just FYI: Even though your company/site isn't in the US, you will likely still be affected by this bill. There is a fair bit of core infrastructure that is located in the US (and would be subject to this law), and likely some of your major sources of traffic (i.e. all major search engines, and some major portals) may be located or hosted in the US, subjecting it to this law.
Mack.
[edited by: bakedjake at 12:21 am (utc) on Sep. 3, 2009]
Translation: If your company is deemed "critical," a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.
[edited by: bakedjake at 12:19 am (utc) on Sep. 3, 2009]
Mack.
I don't anticipate our government will allow a slowdown in commerce due to a cyber attack to continue past whatever time it takes to secure.
HOWEVER, the big question for me is, when will the government step in? At what point will they consider it time to start pulling the plug? Do they wait until our systems are severely compromised, lightly attacked, or if systems are discovered to have spyware/trojans planted in them?
For example: SEC. 4. REAL-TIME CYBERSECURITY DASHBOARD.
It states that within 90 days of the bill's passing a new dashboard to monitor all government sites should be devised and it should be finished within a year.
The problem: adding even one line of additional code provides more entry points and weaknesses. Likewise adding one more warning flag (if that's all the dashboard does) means one more potential false alarm to trigger which may lead to real consequences as a result of reactions to it. Such a control panel, with an untold number of people having access, would become a very juicy target in and of itself making it the very problem it would attempt to solve.
The bill simply doesn't offer any truly technical solutions imo. I see it as attempting to place more cameras on the front door instead of improving the locks on all doors.
I'd prefer to see more ounces of prevention included in it.
Further in the same paragraph of text is this:
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.
The secretary of commerce doesn't make military decisions about who leads the troops in real wars; I fail to see why they would be appointed that task against virtual attacks. It's my feeling that the bill isn't ready and has real issues. As written, a lot of NEW controls and systems will be created with a distinct lack of military participation.