Watch out for the feds' proposed cybersecurity 'fix'

A proposed antiterrorist law could create a government-sanctioned back door into your network

Here's a security nightmare that's probably kept you up at night: A departing employee builds a back door into the network and uses it to steal proprietary information or even shut it down for kicks or for revenge. That's bad enough, but suppose such a back door existed because the government made IT create it.

Sound far-fetched? It's not. The proposed Cybersecurity Act of 2009 would give the White House and the Department of Commerce the power to shut down Internet traffic, disconnect critical infrastructure systems, and have access to network infrastructure data when needed on national security grounds. What's more, the act would open the door (the front door, in this case) to unprecedented violations of electronic privacy and give the government the power to license security professionals -- and blacklist the unlicensed.


Here's a direct quote from the bill, which was introduced by two usually level-headed senators, Olympia Snowe (R-Maine) and Jay Rockefeller (D-W. Va.): "The Secretary of Commerce shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access."

Yikes! Think about that. With a stroke of the pen, any guarantees of privacy under laws like the Electronic Communications Privacy Act, the Privacy Protection Act, and others would be suspended.

The back door Congress may put on your network
The enormous threat to privacy contained in that section is frightening and rather obvious. Jennifer Granick, the civil liberties director for the Electronic Frontier Foundation, looked closely at the 22-page bill and saw even more. She wrote, "Even worse, it isn't clear whether this provision would require systems to be designed to enable access, essentially a back door for the Secretary of Commerce that would also establish a primrose path for any bad guy to merrily skip down as well. If the drafters meant to create a clearinghouse for system vulnerability information along the lines of a US CERT mailing list, that could be useful, but that's not what the bill's current language does."

Just to be clear, the language Granick refers to is the bit that I quoted above, particularly the word "access." Access to relevant data concerning networks -- how would you get that in a hurry? Hmm.

License required for IT security
Not only would the bill give the government enormous new powers over your network, it would also dictate who gets to work on security issues affecting the network: "Beginning three years after the date of enactment of this act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any federal agency or an information system or network designated by the president, or the president's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."

It's one thing for the government to decide whom it wants to hire, but it's quite another for it to make that decision for private industry. Lawyers are licensed by state bar associations, doctors by state medical associations; who's going to license IT security workers? Shouldn't the market determine who's competent and who isn't?

Save our traffic lights
There are many reasons to strangle this thing in the crib. One big one is the faulty and panicky reasoning that led to its creation. Shortly after introducing the bill, Sen. Rockefeller said, "We must protect our critical infrastructure at all costs -- from our water to our electricity, to banking, traffic lights and electronic health records."

Traffic lights? He's got to be kidding.

Meanwhile, the air is full of scary stories, like the one about Russian and Chinese hackers leaving code bombs hidden in the networks that run the electrical grid. I don't believe it. As Lee Gomes rightly noted over at Forbes.com, this is an almost irresistible story for the media. Spies, hackers, bad Chinese and Russians -- it has everything except sex, and that's probably there, too.

Frankly, our electrical grid is in a lot more danger from neglect and underinvestment than from wily foreign agents. As to water, we in California have much more to fear from an earthquake that ruptures the pipes bringing water to San Francisco or Los Angeles than from cyberterrorism.

Sure, there are real threats to the security of our infrastructure, including the Internet and all the networks that touch it. But instituting a panicky, top-down "fix" that would put a huge crimp in our civil liberties -- and threaten network security to boot -- would be a terrible mistake.

I welcome your comments, tips, and suggestions. Reach me at bill.snyder@sbcglobal.net.

Copyright © 2009 IDG Communications, Inc.