Government and Cyber-Security

News came out this week of a deeply troubling new bill from Sens. Jay Rockerfeller (D – WV) and Olympia Snowe (R – ME):

The Cybersecurity Act of 2009 introduced in the Senate would allow the president to shut down private Internet networks. The legislation also calls for the government to have the authority to demand security data from private networks without regard to any provision of law, regulation, rule or policy restricting such access.

According to the bill’s language, the president would have broad authority to designate various private networks as a “critical infrastructure system or network” and, with no other review, “may declare a cyber-security emergency and order the limitation or shutdown of Internet traffic to and from” the designated the private-sector system or network.

The 51-page bill does not define what private sector networks would be considered critical to the nation’s security, but the Center for Democracy and Technology fears it could include communications networks in addition to the more traditional security concerns over the financial and transportation networks and the electrical grid.

Maybe it’s not so bad. I mean, this could only be used in regards to our “critical security infrastructure” in a “state of emergency”, right? Yes, but (from Legal Insurrection):

The standards in the Act as to what constitutes an emergency, and what the President can do with the information, are unacceptably vague.

This is as bad as it looks. Once a president, whether it be Obama or a successor, wants to invoke these powers, a suitable emergency will be found. Any bets on what the first one will be? Obama is already using Chicago mob-like tactics to keep control over the banking system.

Actually, it’s worse. Not only does the bill grant the president dictatorial powers over the cyber-infrastructure of this nation, it weakens the security of that infrastructure:

The bill would also impose mandates for designated private networks and systems, including standardized security software, testing, licensing and certification of cyber-security professionals.

“Requiring firms to get government approval for new software would hamper innovation and would have a negative effect on security,” Nojeim said. “If everyone builds to the same standard and the bad guys know those standards it makes it easier for the bad guys.”

Maybe they won’t have to create an emergency. If they make the entire critical infrastructure open to the same exploit, a real one will come along in due time.

Also, notice our old friends licensing and certification. These practices are inherently slow and stifle innovation. To get a government-issued cyber-security license, one would have to toe the government line on what good security practices are. Cyber-security, though, is an ever-changing field, with the good guys and the bad guys locked in an eternal game of cat and mouse. Threats evolve in hours and days, while licensing can take weeks and months.

What happens in this new world of licensed and regulated security professionals when a self-taught hacker or college kid is playing around with some software and finds and exploit? Will it still be taken seriously, or will it be ignored because the discoverer doesn’t have the necessary license?

Finally, and perhaps worst of all, this bill assumes that the government is never a security threat. The US Government has already shown itself to be a threat to the security of private individuals with its insatiable need to snoop. Anyone remember warrantless wiretaps? Telco immunity for snooping on behalf of Washington? The PATRIOT Act? Carnivore?

For those who think that those were all abuses of past administrations, and that we now have a better man in power, think again. Obama and crew are currently negotiating the highly abusive Anti-Counterfeiting Trade Agreement. ACTA, as it’s called, obligates the US Government to conduct searches for pirated music and movies with no warrants or probable cause and criminalize the infringement of copyright.

By crafting this agreement, the Obama Administration is granting to the Presidency the power to snoop on any citizens’ computer at any time simply to prevent people from copying music and movies. While this might seem almost farcical, it opens up the argument that if the “crime” of piracy of digital files requires such sweeping interventions, then so must more serious threats to national security.

It gets worse, though, because we have another slippery slope of government that will intersect this. At a point in the future, using the justification of cyber-security, the US Government will mandate that all citizens run government-approved security software. The Rockerfeller-Snowe Cyber-Security bill is the first step towards this, requiring approved security software on “critical infrastructure”. Soon enough, though, some congressman will realize that the attacks on our critical infrastructure are coming from virus-infected PCs and that the government must do something about this. Then, it will be a crime to run a machine that is not secured in a government-approved fashion.

At that point, the government will be securing itself while compromising the security of each of its citizens. The private lives of each person who installs the government-approved solution will be open to the inspection of looky-loos and busybodies in the bowels of the leviathan. Those who choose not to, or worse, choose to secure their systems against the government, will face reprisal and even arrest for endangering the cyber-security of the nation.

Cyber-criminals are smart, decentralized, innovative, and agile. Our cyber-security must continually match or exceed this. Our cyber-security, as a nation, a society, and as individuals, is too important to entrust to the government.