Backers of the Cybersecurity Act of 2009 have vowed the bill will save us all from the ills of the Internet. But when you comb through the fine print, the bill is more about government control than anything else.
This, unfortunately, is something that’s not getting the attention it deserves. In fact, many people in corporate America assume that all the talk we’re hearing about “cybersecurity” involves government systems. That is not the case.
The Cybersecurity Act’s broad brush affects practically everything and everyone on the Internet, from giving the president control of the infrastructure to telling information security practitioners what they need to know to do their work. In my opinion, this bill is good for government and bad for business.
Digging deeper into the Cybersecurity Act, you begin to see the White House will be calling the shots in deciding which private networks are critical and which ones are not. But how can the White House -- or any other agency -- decide which networks are more critical? Are networks owned by Internet service providers, banks and universities more critical than those owned by retail, manufacturing or Internet colocation facilities? The possibilities, the power and control are limitless.
In the history of the United States, I can’t think of any power the government has been willing to give up once it assumes control. In fact, most entities that come under the government’s domain are destined to be controlled until they become ineffective and immobile.
Here’s an example. Senator Jay Rockefeller said, “We must protect our critical infrastructure at all costs...” The sad and troubling reality is government representatives are willing to spend our unlimited tax dollars on something we already have laws for, and that the private marketplace can easily manage.
I understand the need to lock down the federal government’s infrastructure, but isn’t that what the Federal Information Security Management Act is for? The feds have proven already they can’t manage their own information security or even put a stop to spam. Why should the provisions proposed in the Cybersecurity Act be any different?
Like many other pieces of information security and privacy legislation -- the Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts come to mind -- the Cybersecurity Act is so broad and vague it’s laughable. It leaves way too much room for interpretation, the very thing that now haunts businesses with regard to compliance and security.
But it will be no laughing matter if this bill gives the government unlimited powers to access and control business networks throughout the private marketplace. Say goodbye to the Internet as we’ve known it.
I’m all for the government supporting our military, law enforcement, highways and other basic necessities. But cybersecurity? Not so much. Don’t get me wrong, I understand the need for public-private partnerships where they make sense. I’m just not convinced the broad brush of the Cybersecurity Act of 2009 is the approach we need to take.
This is something worth watching closely because it affects each and every one of us and the businesses that employ us. I suspect nothing will happen until after the lame-duck session this fall, but stay vigilant -- this game is not over yet.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.