On April 1, 2009, while the rest of the cybersecurity world was largely focused on the Conficker worm, Senators John (Jay) Rockefeller and Olympia Snowe introduced the Cybersecurity Act of 2009. Since the hype over Conficker has died down now, I've had a chance to review the text of this somewhat controversial bill and add my two cents to the discussion. There are 23 sections to the bill, a few of which have raised some alarm in the infosec community.
The two most often-seen complaints in the blogosphere are:
- The bill gives the President of the United States the power to "turn off the Internet" in an emergency.
- The bill requires mandatory licenses for practicing infosec professionals.
Complaint number one seems like FUD, at least in part. The bill as worded reads: "The President may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network." That is narrower than "turn off the Internet": it targets compromised government and critical infrastructure systems, not the network as a whole.
Some have taken "critical infrastructure" to mean communications networks, i.e. the Internet backbone providers. Unfortunately, the bill defines a critical infrastructure information system or network as whatever the President, or the President's designee, designates as one, so nothing in the text rules that reading out. The criticism of the ambiguity here is valid.
But the idea that the White House could shut down the Internet shows a largely U.S.-centric bias about what the Internet actually is: it is a federation of independently operated networks, most of them outside U.S. jurisdiction. Further, such a move during an emergency would likely have worse unforeseen consequences than whatever attack prompted it, and it's unlikely that such an order would be given without consulting technical experts about the alternatives for mitigating a large-scale attack. I happen to know several Internet infrastructure experts, and I can't think of any who would say "Hey, let's just shut off the Internet! That will solve everything!"
Complaint number two has more validity in my book: licensing of security professionals is just plain unnecessary and only creates more bureaucracy. The security industry already has numerous certification programs, all of which already fill the perceived need for standards in knowledge and practice. If one argues that a certification doesn't prove anything at all, the same argument applies to a government license.
And who gets licensed? According to the bill, the requirement applies to "a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as an infrastructure information system or network." I happen to work for a company that provides such services. Do I have to be licensed? Does everyone who works at the company have to be licensed? Where is the delineation between the person doing the work and the company delivering it?
Despite these and other shortcomings, there are several programs in this cybersecurity bill that I approve of, such as the creation of the Cybersecurity Advisory Panel and the Federal Cyber Scholarship-for-Service program. However, some other provisions look like potential boondoggles, such as the state and regional cybersecurity enhancement program. Throwing money at the problem at a regional rather than a national level is not the answer when the majority of skilled security professionals are concentrated in a handful of metropolitan areas.
However, the primary problem with this bill (and with any bill put forth by a single government) is that it does nothing to address the larger problem of cybercrime, malware, and the massive outflow of stolen cash from U.S. and European banks to organized crime networks. This is the biggest threat we face on the Internet today, and it won't be solved by any single piece of legislation (although I wouldn't mind seeing a Senate bill mandating BCP 38, the ingress-filtering practice that stops a network from emitting packets with spoofed source addresses).
The bottom line: until networks everywhere are held responsible for the abuse coming from their systems, the problem won't get any better. Note to the Obama administration: if the U.S. government really wants to accomplish something, begin work on a global treaty against Internet and computing abuse, and put an end to the safe havens that cyber-criminals currently enjoy in some countries.