If the U.S. comes under cyberattack, how much authority should the president have to shut down the Internet? That’s at the core of the debate over different versions of the cybersecurity legislation currently in circulation in Washington.
Senate Bill 733, cosponsored by Senators Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, limits that authority. A previous version of the Act, introduced about a year ago, gave the president the power to flip the switch on all or some portions of the infrastructure of the Internet in the interests of homeland security.
The current bill will be better received than its two earlier iterations, predicted Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. “It’s better than portraying President Obama as having a big Internet Off-Switch,” he told TechNewsWorld.
Still, concerns remain about whether or not corporations and government officials really can make shared decision-making work, Warner said.
A Thousand Points of Access
The federal government’s growing awareness of how hard it is to maintain cybersecurity is at the heart of the controversy over how to achieve it, noted Warner. What the feds have learned about securing their own systems has led them to consider how at-risk other systems continue to be.
“They’re working aggressively to limit points of access to government computers from the public Internet,” Warner explained. This way, authorities can “cut a few lines” to isolate government systems in the case of a cyberattack and effectively protect whole chunks of federal computing infrastructure.
When it comes to other types of infrastructure, though, like the electrical power grid, more complicated relationships intervene. “What [federal authorities] are pointing out is that we don’t have that capability on the commercial side,” Warner observed.
Building the Matrix
For example, imagine what might happen if an electrical power company came under attack through its Internet-connected systems, Warner posited. That company likely has myriad points of interface with the public Internet, because it’s in the business of making contact with its customers and allowing access to individuals, companies and business partners.
“Should the government be able to step in and shut down that company’s Internet access because its computer system has been taken over?” asked Warner.
The new bill provides for key persons in the commercial sector to be given higher security clearances and to have the information they need to participate in making those decisions. However, as with all public-private partnerships, the devil will be in the details, explained Warner.
“We already have this problem of information sharing between federal law enforcement and state and local authorities,” he pointed out. How much more complicated will the situation become when the matrix of information sharing includes private citizens whose corporate responsibilities require them to ensure that customers can reach them? Even if a CEO or CIO were cleared to take part in the discussions, would that person necessarily know the ins and outs of a corporation’s complex Internet and intranet links to the outside world?
Enter the Cybersecurity Advisor
To help negotiate this rough terrain, a companion bill — Senate Bill 778 — provides for appointment of a “National Cybersecurity Advisor.” That official would have responsibility to grease the wheels of public-private collaboration. The advisor also would oversee funding for research in cybersecurity and building a larger staff of cybersecurity specialists.
It likely will be some time before the different versions of cybercrime legislation coalesce into a passable package, predicted Warner. The bill creating the National Cybersecurity Advisor post is pending in the Senate Committee on Homeland Security and Governmental Affairs. In addition, the U.S. House of Representatives in February passed a bill of its own: HR 4061, the Cybersecurity Enhancement Act of 2009.