Congress is doing it again: they’re proposing overbroad regulations that could have dire consequences for our Internet ecology. The Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523), introduced by Rep. Mike Rogers and Rep. Dutch Ruppersberger, allows companies or the government free rein to bypass existing laws in order to monitor communications, filter content, or potentially even shut down access to online services for “cybersecurity purposes.” Companies are encouraged to share data with the government and with one another, and the government can share data in return. The idea is to facilitate detection of and defense against a serious cyber threat, but the definitions in the bill go well beyond that. The language is so broad it could be used as a blunt instrument to attack websites like The Pirate Bay or WikiLeaks. Join EFF in calling on Congress to stop the Rogers’ cybersecurity bill.
The Wall Street Journal, by way of Siobhan Gorman, reports that "Civilian air-traffic computer networks have been penetrated multiple times in recent years, including an attack that partially shut down air-traffic data systems in Alaska, according to a government report."
The concerns are reiterated on the website of Congressman Tom Petri.
But the notion that the FAA could allow (direct or indirect) internet access to flight control systems is dubious. What could be the reasons behind this publication? Let's examine some hypotheses.
- Genuine concern - Some security breaches of non-critical systems are blown out of proportion, but are made public out of genuine concern for FAA IT security as it relates to national security.
- Fearmongering - Fan the flames of the security hype, easing the adoption of new laws that allow the government draconian control over internet infrastructure.
The Electronic Frontier Foundation describes the situation as follows:
There's a new bill working its way through Congress that is cause for some alarm: the Cybersecurity Act of 2009, introduced by Senators Jay Rockefeller (D-WV) and Olympia Snowe (R-ME). The bill as it exists now risks giving the federal government unprecedented power over the Internet without necessarily improving security in the ways that matter most. It should be opposed or radically amended.
Essentially, the Act would federalize critical infrastructure security. Since many of our critical infrastructure systems (banks, telecommunications, energy) are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government. This is a potentially dangerous approach that favors the dramatic over the sober response.
SAN FRANCISCO—Five years after formation of the Homeland Security Department, cybersecurity is becoming a major focus of the department, Secretary Michael Chertoff said Tuesday at the RSA Security conference.
The department has never completely ignored the area, he said in his remarks during the opening sessions of one of the nation’s largest gatherings of security professionals. He cited the National Cyber Security Division and US-CERT, the nation’s primary early warning system for cyberthreats. CERT is good, but not sufficient, he said.
“The time has come to take a quantum leap forward” from CERT’s reactive capabilities, he said.
That leap, Chertoff said, is embodied in the president’s joint national security and homeland security directive creating a National Cyber Security Initiative.
“It is almost like a Manhattan Project to defend cyber networks,” he said, referring to the World War II crash project to develop an atomic weapon.