Previously, I've pulled no punches in talking about the Rockefeller-Snowe Cybersecurity Act of 2009 (Senate Bill
773) and the Lieberman-Carper-Collins legislation titled Protecting Cyberspace as a National Asset Act of 2010 (Senate Bill 3480). These bills were introduced in the past two years, and the cybersecurity legislation excitement is continuing in 2011.
It's a universal law that the words freedom and regulation don't go hand in hand. The U.S. federal government's latest attempt at cybersecurity legislation -- the Cybersecurity and Internet Freedom Act of 2011 -- is no different. The name of the legislation alone is comical. I've read through it and can't seem to locate the "freedom" components. That's because that's not what the legislation is truly about.
The reality is, when politicians start making their laws sound positive and cheery a la the "American Recovery and Reinvestment Act," the "Social Security Act" and the "Fairness Doctrine," we have to understand that they're using semantics to manipulate perception. As we're seeing, it's no different with cybersecurity legislation.
The Cybersecurity and Internet Freedom Act of 2011 aims to "amend the Homeland Security Act of 2002 and other laws to enhance the security and resiliency of the cyber and communications infrastructure of the United States." The legislation tries to ease our fears by saying that it would be infeasible to shut down the Internet, that the actions of the government must not encroach on rights guaranteed by the First Amendment and that the U.S. president or other federal government employees shall not have the authority to shut down the Internet.
If you can get past the vague generalities and legalese throughout the legislation, you'll find it has some pretty lofty goals, such as:
- The establishment of an office and director of cyberspace policy to (among other things) develop a national strategy to increase the security and resiliency of cyberspace.
- The establishment of a federal information security task force and a national cybersecurity advisory council.
- Recruitment, training and education of government employees to help meet the needs of the "cybersecurity mission" of the federal government.
- Collaboration among federal agencies, including involvement from the United States Computer Emergency Readiness Team (US-CERT), as well as analysis of and improvements on security standards and guidelines from the private sector.
- Procedures for the declaration of "cyberemergencies."
- Annual certification of businesses that are considered part of the "covered critical infrastructure" and the civil penalties for noncompliance.
- Updates to the Federal Information Security Management Act information security requirements.
- The establishment of cybersecurity research and development.
Even with so many regulations, our representatives allegedly don't even read the bills they vote on, much less understand them. That's pretty scary.
The Cybersecurity and Internet Freedom Act of 2011 is the latest attempt at cybersecurity legislation. But beware the unintended consequences down the road.
Case in point: Senator Susan Collins (R-Maine) proclaimed, "We cannot afford to wait for a cyber 9/11 before our government finally realizes the importance of protecting our digital resources." I think the government and the people already realize the importance of information security, but the "cyber 9/11" term is not only insulting to those affected by the 9/11 terrorist attacks, but it's also a bit sensationalistic.
But that's politicians' goal: Striking emotional chords in the interest of the greater good. Such an approach helps politicians maintain their power and grow their careers, but I'm not convinced the government controlling another aspect of our business and personal lives is what we need. In an open market, the private sector tends to find solutions to problems. Once the government gets involved, things get more complicated and expensive -- and rarely any better.
There is a bit of irony in the fact that so many public-private partnerships have been attempted over the years. There's US-CERT, InfraGard, and the Department of Homeland Security's National Cybersecurity and Communications Integration Center. In addition, there are a number of information security standards, such as the National Institute of Standards and Technology's Special Publications.
Despite these efforts, cybercrime is as prevalent as ever, so here's the payoff from the existing governmental controls and tax dollars spent on cybersecurity? That doesn't really matter. In my view, the folks in Washington just want to pass cybercrime legislation and be done with it.
If we leave everything to government's discretion, then when does the control stop? Thinking long term, how will cybersecurity end up choking e-commerce? When is widespread Internet taxation going to hit us? What is it really going to cost businesses and, more so, individuals who will ultimately take the hit? At what inevitable point in time will doing business on the Internet as we know it cease to be worthwhile?
As with most new laws, if the Cybersecurity and Internet Freedom Act of 2011 is passed, there will no doubt be unintended consequences -- many of which we cannot even fathom today. It is compliance at its worst. Now is the time to step back and think about how your business would, as the legislation reads, "...immediately comply with any emergency measure or action." Such requirements could be headed your way soon, because it's happening in Washington, D.C. right now. As the saying goes, once the toothpaste is out of the tube, there's no going back.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog