
Why I’m leery of the Lieberman-Collins-Carper bill

Pardon me for being a little suspicious of the so-called Lieberman-Collins-Carper cybersecurity bill.

In late August, GovInfoSecurity.com reported that the Senate is considering attaching the legislation, known as the Protecting Cyberspace as a National Asset Act, as a rider to a sure-to-be-passed bill, such as the National Defense Authorization Act.

But this doesn't seem like the kind of legislation that should get the rush job.

According to OpenCongress.org, the proposed Lieberman-Collins-Carper measure:

Creates the Office of Cyberspace Policy and National Center for Cybersecurity and Communications to set standards and coordinate cybersecurity efforts within the government. Gives the NCCC broad powers over "critical infrastructure" in the case of a "national cyber emergency" (as declared by the President).

That last sentence is the stickler. Since the proposal was announced, much debate has centered around this so-called "kill switch" authority that would be granted the government. Some sides have argued that such a provision would deal a major blow to American democracy and could prove an example of unrestrained presidential power.

In August, Adam Cohen of Time opined:

It is not hard to see why everyone is so worried. Imagine a president misusing this particular power: If the people are rising up against an unpopular administration, the president could cool things down by shutting off a large swath of the internet. He could target certain geographical regions ("We've heard enough from New York and California for a while"). Or he could single out particular websites.

Others, such as the SANS Institute's Alan Paller, have argued that the bill is sorely needed, considering government and critical infrastructure systems are probed by enemy hackers with stunning regularity, not to mention the proposal does many more things than simply grant emergency internet shutdown power. Besides, he argues, that particular stipulation is nothing new at all.

As Cohen explains:

The president already has broad power under the Communications Act of 1934 to shut down wire communications, which includes the internet, if he determines that there is a "state or threat of war." When [co-sponsor Maine Republican Sen. Susan] Collins says that the bill would limit the president's power, she means it would impose more restrictions on when he could shut down parts of the internet than the 1934 act does.

True enough. But critics of the bill point out that it expands the president's power over the internet in a key respect: the 1934 law only applies when there is war or a threat of war, while the new law would allow the president to act even when there is not a war or a threat of war. "All I can say is it gives him power to act where he wouldn't necessarily have the power to act" under existing law, says Lee Tien, a lawyer with the Electronic Frontier Foundation.

I can see the merits of both sides of the argument.

But I do want to note the juxtaposition of this bill with whistleblower website WikiLeaks releasing 91,000 reports concerning the war in Afghanistan. Since that disclosure, the government has moved to investigate and possibly prosecute WikiLeaks' founder Julian Assange over the release.

Makes you think: What if the government decided to block traffic coming from WikiLeaks' servers in Sweden?

And it should also be noted that two of the sponsors of the bill are the same duo behind the proposed Whistleblower Protection Enhancement Act of 2009, which, according to critics, repeals whistleblower rights for FBI agents.

In a March 10 letter to Lieberman and Collins, members of the National Whistleblowers Center wrote that the "current version of S. 372 will set whistleblower protections back 30 years for hundreds of thousands of federal employees. It will become almost impossible for employees in various 'national security' related agencies to obtain protection against retaliation if they disclose contractor fraud, waste and misuse of federal monies, mismanagement and threats to the public health and safety."

(The bill hasn't had much movement this year.)

***

It is hard to imagine that the Lieberman-Collins-Carper bill would turn the United States into a communist state. That would be a tough act to get away with in a nation that prides itself on internet freedom.

Secretary of State Hillary Clinton said so this summer.

But in my five-plus years covering this industry, I have never seen such a rush to push through cybersecurity legislation. Sure, the threat of foreign attackers is far worse than it was when I started, but this seems a little, well, sneaky.

All I ask is for transparency in government. Like you promised, President Obama.
