Steven Allen Adams interviewed me for an article in the Examiner - read it here. It includes reaction from Rockefeller's office. A good read ;)
Read the draft of the revised Cybersecurity Act bill (S 773) here
Here's an excerpt of my interview in the Examiner:
“It is true that they couldn't actually shut down the internet in its entirety - all they can do is block traffic to/from certain networks. But the issue here is that they shouldn't have the authority to shut down ANY private internet traffic,” said Roche. “Private companies have every incentive to keep their network security tight. If they don't, they'll go out of business. Government interference will only reduce security and add unwarranted burdens to businesses during a recession.”
Tice said that anyone saying the bill gives the president power to pull the plug on private internet access is wrong.
“To be very clear, the Rockefeller-Snowe bill will not empower a government shut down or takeover of the internet and any suggestion otherwise is misleading and false,” stated Tice. “The purpose of this language is to clarify how the President directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government’s response.”
Roche's concerns center around the unclear language in the bill. Currently the government has no plans in regards to cybersecurity, and the position of cybersecurity coordinator is empty.
“From an IT perspective, the more decentralized the control is, the more difficult it is to hack,” explains Roche. “If common practices are forced on private companies via a federal certification program, hackers will have a road map that, once deconstructed, could unlock every compliant network. Since there are no specifics provided in the bill regarding these certifications, it's difficult to comment on the likely outcome, but passing ambiguously-worded legislation only opens the door for misinterpretation, rushed "solutions" that would decrease security, or abuse in the future.”
The certification program called for in the Cybersecurity Act is also a problem for Roche, who believes that the free market should be able to determine who is and who is not qualified to handle cybersecurity issues.
“Some of the brightest minds and best innovations within the tech industry have come from people without college degrees or certifications,” states Roche. “Will the next generation of such individuals be forced out of the cybersecurity industry if they don't fit the government's definition of who is qualified to manage a secure network? Security in the private sector is arguably far more advanced and robust than in the government sector. Why would we force private networks to adhere to what would likely be one-size-fits-all standards that would be cumbersome, inappropriate and ineffective?”
More of our freedoms are under attack, this time through S. 773 - The Cybersecurity Act of 2009.
First introduced by Senators Rockefeller and Snowe in April 2009, this bill aims to improve security for critical technology systems within government AND private sectors.
In actuality, all this bill would do is vastly expand government's control by granting the President the authority to "declare a cybersecurity emergency" relating to "nongovernmental" networks and "direct the national response to the cyber threat." (Section 201)
This bill fits an alarming trend of legislation that vastly expands the role and power of government, while doing absolutely nothing to address the root cause of the problem.
As security expert Bruce Schneier points out, the true causes of government cyber-insecurity include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs.
The Cybersecurity Act does nothing to address these BASIC 'computer hygiene' issues, and instead, poses a serious threat to our personal freedom & privacy.
The revised version also creates a Federal certification program for cybersecurity professionals. This certification would be mandatory for certain systems and networks within the private sector.
So, essentially, we're giving the people with the worst technology track record full authority and control over our critical technical assets. Government consistently gets failing grades when it comes to cybersecurity, yet this bill would look to them to define standards and certify who's qualified to manage private technology networks!?
Another example of the "logic" behind this bill:
The executive branch would be given 180 days to "implement" a "comprehensive national cybersecurity strategy" and 90 days to develop a plan to implement a "dashboard pilot project," even though its mandatory legal review wouldn't be complete for a year.
So, er, why bother mandating a review if it's not going to be used to create the comprehensive plan? And is it really *comprehensive* if there's no review?
* * * * *
You know the drill - do your own research, then call and email your reps urging them to oppose this bill and start standing up for our freedom. It's up to us to protect our rapidly-eroding freedoms, so please share this video with your friends and help spread the word.
Learn more about the original bill here (not much of this has changed):
Resources:
A summary of this week's articles & opinions related to the bill
http://www.opencongress.org/bill/111-s773/show
http://www.govtrack.us/congress/bill.xpd?bill=s111-773
Contact your reps:
http://www.congress.org/congressorg/officials/congress
Contact your reps and local newspapers:
http://www.usalone.net/cgi-bin/oen.cgi?qnum=7499




