Hello, All.

===
From: http://news.cnet.com/8301-13578_3-10320096-38.html

Bill would give president emergency control of Internet
by Declan McCullagh

Internet companies and civil liberties groups were alarmed this spring when
a U.S. Senate bill proposed handing the White House the power to disconnect
private-sector computers from the Internet.

They're not much happier about a revised version that aides to Sen. Jay
Rockefeller, a West Virginia Democrat, have spent months drafting behind
closed doors. CNET News has obtained a copy of the 55-page draft of S.773
(excerpt), which still appears to permit the president to seize temporary
control of private-sector networks during a so-called cybersecurity
emergency.

The new version would allow the president to "declare a cybersecurity
emergency" relating to "non-governmental" computer networks
and do what's necessary to respond to the threat. Other sections of the
proposal include a federal certification program for "cybersecurity
professionals," and a requirement that certain computer systems and
networks in the private sector be managed by people who have been awarded
that license.

"I think the redraft, while improved, remains troubling due to its
vagueness," said Larry Clinton, president of the Internet Security
Alliance, which counts representatives of Verizon, Verisign, Nortel, and
Carnegie Mellon University on its board. "It is unclear what authority
Sen. Rockefeller thinks is necessary over the private sector. Unless this
is clarified, we cannot properly analyze, let alone support the bill."

Representatives of other large Internet and telecommunications companies
expressed concerns about the bill in a teleconference with Rockefeller's
aides this week, but were not immediately available for interviews on
Thursday.

A spokesman for Rockefeller also declined to comment on the record
Thursday, saying that many people were unavailable because of the summer
recess. A Senate source familiar with the bill compared the president's
power to take control of portions of the Internet to what President Bush
did when grounding all aircraft on Sept. 11, 2001. The source said that one
primary concern was the electrical grid, and what would happen if it were
attacked from a broadband connection.

When Rockefeller, the chairman of the Senate Commerce committee, and
Olympia Snowe (R-Maine) introduced the original bill in April, they claimed
it was vital to protect national cybersecurity. "We must protect our
critical infrastructure at all costs--from our water to our electricity, to
banking, traffic lights and electronic health records," Rockefeller
said.

The Rockefeller proposal plays out against a broader concern in Washington,
D.C., about the government's role in cybersecurity. In May, President Obama
acknowledged that the government is "not as prepared" as it
should be to respond to disruptions and announced that a new cybersecurity
coordinator position would be created inside the White House staff. Three
months later, that post remains empty, one top cybersecurity aide has quit,
and some wags have begun to wonder why a government that receives failing
marks on cybersecurity should be trusted to instruct the private sector
what to do.

Rockefeller's revised legislation seeks to reshuffle the way the federal
government addresses the topic. It requires a "cybersecurity workforce
plan" from every federal agency, a "dashboard" pilot
project, measurements of hiring effectiveness, and the implementation of a
"comprehensive national cybersecurity strategy" in six
months--even though its mandatory legal review will take a year to
complete.

The privacy implications of sweeping changes implemented before the legal
review is finished worry Lee Tien, a senior staff attorney with the
Electronic Frontier Foundation in San Francisco. "As soon as you're
saying that the federal government is going to be exercising this kind of
power over private networks, it's going to be a really big issue," he
says.

Probably the most controversial language begins in Section 201, which
permits the president to "direct the national response to the cyber
threat" if necessary for "the national defense and
security." The White House is supposed to engage in "periodic
mapping" of private networks deemed to be critical, and those
companies "shall share" requested information with the federal
government. ("Cyber" is defined as anything having to do with the
Internet, telecommunications, computers, or computer networks.)

"The language has changed but it doesn't contain any real additional
limits," EFF's Tien says. "It simply switches the more direct and
obvious language they had originally to the more ambiguous (version)...The
designation of what is a critical infrastructure system or network as far
as I can tell has no specific process. There's no provision for any
administrative process or review. That's where the problems seem to start.
And then you have the amorphous powers that go along with it."

Translation: If your company is deemed "critical," a new set of
regulations kick in involving who you can hire, what information you must
disclose, and when the government would exercise control over your
computers or network.

The Internet Security Alliance's Clinton adds that his group is
"supportive of increased federal involvement to enhance cyber
security, but we believe that the wrong approach, as embodied in this bill
as introduced, will be counterproductive both from an national economic and
national secuity perspective." 
===

Later,
Sean

// sean{at}nsbbs.info | http://nsbbs.info | ICQ: 19965647

--- FleetStreet 1.27.1