Monday, June 1, 2009

Obama's Cyber Czar and the Rockefeller-Snowe Cybersecurity Act

One of the positive aspects and welcomed developments that can be gleaned from President Obama's recent "cyber security" proposals is the improvement it represents in comparison to the Rockefeller-Snowe Cybersecurity Act.

Click here to check out a fairly in-depth analysis I posted on this legislation a few weeks back.

For a shorter encapsulation of some of the more disconcerting aspects of the Rockefeller/Snowe bill, here are a few choice clips from a recent statement by the Electronic Frontier Foundation, a leading opponent of the legislation:

The bill as it exists now risks giving the federal government unprecedented power over the Internet without necessarily improving security in the ways that matter most. It should be opposed or radically amended.

Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government.

This is a potentially dangerous approach that favors the dramatic over the sober response...the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review.

The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act, or financial privacy regulations. Even worse, it isn’t clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well.

If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US/CERT mailing list, that could be useful, but that’s not what the bill’s current language does...Whether the bill is amended or rejected, the question remains what kind of actions would help cybersecurity, and what role the federal government has to play.

As security expert Bruce Schneier has pointed out, the true causes of government cyber-insecurity are rather mundane: GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs.

So the question now is, "How significant an improvement do President Obama's proposals represent, particularly in terms of protecting Internet privacy?"

For this comparison, I want to take you back to EFF, and their recent article on this very topic.

Jennifer Granick, the Civil Liberties Director at EFF, writes:

National commitment to cybersecurity is welcome, but government control of the internet is not. This morning's White House-issued cybersecurity proposals seem to recognize this distinction and are therefore vastly preferable to the Rockefeller-Snowe Cybersecurity Act introduced into Congress last month.

...

Neither government nor private sector computers are nearly secure enough. But whether a network is secure depends on multiple factors including the value of the information traveling over that system, the evolution of the state of the art in computer programming and the commitment and resources of an attacker. Thus, "cybersecurity" is an ongoing process of research, investment and risk-management, not an attainable final state of impenetrability.

...

Another proposed provision of that bill would give the President unfettered authority to shut down Internet traffic in an emergency and disconnect critical infrastructure systems on national security grounds. This would create a major shift of power away from users and companies to the federal government, without any guidance on when or how the President could responsibly pull the kill switch on privately owned and operated networks.

Notably, the White House report specifically rejects the idea of government access to information regardless of existing law or the Constitution and talks about government leadership, but not government take-over of private networks. The Rockefeller-Snowe bill is an example of the kind of rhetoric that doesn't address the real problems of security and can actually make matters worse by weakening existing privacy safeguards. Our starting point for this discussion should be the White House proposal, which focuses on simpler, practical measures that could create real security by encouraging better computer hygiene for both public and private networks.

Click here to read the entire EFF article.

To add a bit more skepticism to some of what the President is proposing, I'd also point you to this editorial on Reflector.com:

While there is much to appreciate in those proposals, the president's desire to tighten federal control over cyberspace could severely threaten online privacy. That would be an unacceptable result, and any effort to erode individual liberty in that fashion should be strongly condemned.

...

It is that second component that should raise eyebrows because it represents the tricky balance the president hopes to maintain with this plan. Attacks on American computer networks do represent a real national security threat. But giving government oversight to networks that transmit private information from individual communication to sensitive corporate secrets presents a serious threat to privacy.

America has seen this type of imposition before, in the USA Patriot Act passed in the wake of the 2001 terrorist attacks. That legislation gave federal agents access to library records and allowed domestic surveillance with only a promise that information would only be used to protect national security. That argument did not pass muster then, nor does it now.

Click here to read the rest of the article.
