Watch out for the feds' proposed cybersecurity 'fix'
A proposed antiterrorist law could create a government-sanctioned back door into your network
Here's a security nightmare that's probably kept you up at night: A departing employee builds a back door into the network and uses it to steal proprietary information or even shut it down for kicks or for revenge. That's bad enough, but suppose such a back door existed because the government made IT create it.
Sound far-fetched? It's not. The proposed Cybersecurity Act of 2009 would give the White House and the Department of Commerce the power to shut down Internet traffic, disconnect critical infrastructure systems, and have access to network infrastructure data when needed on national security grounds. What's more, the act would open the door (the front door, in this case) to unprecedented violations of electronic privacy and give the government the power to license security professionals -- and blacklist the unlicensed.
Here's a direct quote from the bill, which was introduced by two usually level-headed senators, Olympia Snowe (R-Maine) and Jay Rockefeller (D-W. Va.): "The Secretary of Commerce shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access."
Yikes! Think about that. With a stroke of the pen, any guarantees of privacy under laws like the Electronic Communications Privacy Act, the Privacy Protection Act, and others would be suspended.
The back door Congress may put on your network
The enormous threat to privacy contained in that section is frightening and rather obvious. Jennifer Granick, the civil liberties director for the Electronic Frontier Foundation, looked closely at the 22-page bill and saw even more. She wrote, "Even worse, it isn't clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well. If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US CERT mailing list, that could be useful, but that's not what the bill's current language does."
Just to be clear, the language Granick refers to is the bit that I quoted above, particularly the word "access." Access to relevant data concerning networks -- how would you get that in a hurry? Hmm.