Sen. John “Jay” Rockefeller, D-W.V.
A pair of bills introduced in the U.S. Senate would grant the White House sweeping new powers to access private online data, regulate the cybersecurity industry and even shut down Internet traffic during a declared “cyber emergency.”
Senate bills No. 773 and 778, introduced by Sen. Jay Rockefeller, D-W.V., are both part of what’s being called the Cybersecurity Act of 2009, which would create a new Office of the National Cybersecurity Adviser, reportable directly to the president and charged with defending the country from cyber attack.
A working draft of the legislation obtained by an Internet privacy group also spells out plans to grant the Secretary of Commerce access to all privately owned information networks deemed to be critical to the nation’s infrastructure “without regard to any provision of law, regulation, rule or policy restricting such access.”
Privacy advocates and Internet experts have been quick to sound the alarm over the act’s broadly drawn government powers.
“The cybersecurity threat is real,” says Leslie Harris, president of the Center for Democracy and Technology, which obtained the draft of S.773, “but such a drastic federal intervention in private communications technology and networks could harm both security and privacy.”
“The whole thing smells bad to me,” writes Larry Seltzer in eWeek, an Internet and print news source on technology issues. “I don’t like the chances of the government improving this situation by taking it over generally, and I definitely don’t like the idea of politicizing this authority by putting it in the direct control of the president.”
According to a Senate document explaining the bill, the legislation “addresses our country’s unacceptable vulnerability to massive cyber crime, global cyber espionage and cyber attacks that could cripple our critical infrastructure.”
In a statement explaining the bill’s introduction, Sen. Rockefeller said, “We must protect our critical infrastructure at all costs – from our water to our electricity, to banking, traffic lights and electronic health records – the list goes on.”
Sen. Olympia Snowe, R-Maine, who is co-sponsoring the bill, added, “If we fail to take swift action, we, regrettably, risk a cyber-Katrina.”
Critics, however, have pointed to three actions Rockefeller and Snowe propose that may violate both privacy concerns and even constitutional bounds:
First, the White House, through the national cybersecurity adviser, shall have the authority to disconnect “critical infrastructure” networks from the Internet – including private citizens’ banks and health records, if Rockefeller’s examples are accurate – if they are found to be at risk of cyber attack. The working copy of the bill, however, does not define what constitutes a cybersecurity emergency, and apparently leaves the question to the discretion of the president.
Second, the bill establishes the Department of Commerce as “the clearinghouse of cybersecurity threat and vulnerability information,” including the monitoring of private information networks deemed a part of the “critical infrastructure.”
Third, the legislation proposes implementation of a professional licensing program for certifying who can serve as a cybersecurity professional.
And while the critics concede the need for increased security, they object to what is perceived as a dangerous and intrusive expansion of government power.
“There are some problems that we face which need the weight of government behind them,” writes Seltzer in eWeek. “This is not the same as creating a new federal bureaucracy setting rules over what computer security has to be and who can do it.”
“It’s an incredibly broad authority,” CDT senior counsel Greg Nojeim told the Mother Jones news website, troubled that existing privacy laws “could fall to this authority.”
Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, told Mother Jones the bill is “contrary to what the Constitution promises us.”
According to Granick, granting the Department of Commerce oversight of the “critical” networks, such as banking records, would grant the government access to potentially incriminating information obtained without cause or warrant, a violation of the Constitution’s prohibition against unlawful search and seizure.
“What are the critical infrastructure networks? The examples provided are ‘banking, utilities, air/rail/auto traffic control, telecommunications.’ Let’s think about this,” writes Seltzer. “I’m especially curious as to how you take the telecommunications networks off of the Internet when they are, in large part, what the Internet is comprised of. And if my bank were taken offline, I would think about going into my branch and asking for all of my deposits in cash.”
S. 778, which would establish the Office of the National Security Adviser, and S. 773, which provides for developing a cadre of governmental cybersecurity specialists and procedures, have both been read twice and referred to committee in the Senate.
If you would like to sound off on this issue, participate in today’s WND Poll.