A revision to the Cybersecurity Act of 2009, the proposed Rockefeller-Snowe legislation in Congress, has drawn criticism because of concerns that it would give the president power to shut down the internet.
The proposed law, introduced in April by Sen. John (Jay) Rockefeller IV, D-W.Va., and Sen. Olympia Snowe, R-Maine, originally contained a controversial clause that said: “The president may declare a cybersecurity emergency and order the limitation or shutdown of internet traffic to and from any compromised federal government or critical infrastructure information system or network.”
The bill recently was revised, and the new language now reads: “The president may declare a cybersecurity emergency; and may, if the president finds it necessary for the national defense and security…direct the national response to the cyberthreat and the timely restoration of the affected critical infrastructure information system or network.”
Additionally, concerns are directed at the proposed power to determine whether an event is really an emergency and to assign any agency to deal with it.
Writing in a blog post, Michael Tanji, senior fellow at the Center for Threat Awareness, a Washington, D.C. think tank, said: “The way to deal with a cybersecurity emergency on a national level is not consolidation, but distribution. Centralized management provides the illusion of control, but it doesn't make things more secure; it just makes things more brittle.”
Others echoed those sentiments.
“The operating and safeguarding of enterprise networks should be left in the hands of network operators,” Ryan Radia, information policy analyst at the Competitive Enterprise Institute, a nonprofit libertarian advocacy group, told SCMagazineUS.com Monday. “The private sector can react to emergent threats and can compete to develop the best security technologies. The government does not have a particularly good record of protecting networks.”
Then there are people in the industry who doubt whether the government should have any final word on security.
“If you're not doing a particularly good job of securing the networks you own, then maybe you should focus on doing that before trying to impose more regulation on private networks,” Lee Tien, senior staff attorney at the Electronic Frontier Foundation, told SCMagazineUS.com Monday. “I think [the Rockefeller-Snowe bill] is much more of a political document than a thoroughly vetted policy prescription."
“And this is not a White House bill,” he added. “This is a congressional bill. The White House position is not yet clear, but I think it's fair to say that the White House has a more cautious approach than that outlined in this bill.”
The bill still is before the Senate Committee on Commerce, Science and Transportation, which seems to want to play down the controversy as a legislative work in progress.
In an email to SCMagazineUS.com Monday, Jena Longo, deputy communications director for the committee said: "To be very clear, the Rockefeller-Snowe bill will not empower a 'government shutdown or takeover of the internet' and any suggestion otherwise is misleading and false. The purpose of this language is to clarify how the president directs the public-private response to a crisis, secure our economy and safeguard our financial networks, protect the American people, their privacy and civil liberties, and coordinate the government's response."