Sunday, August 30, 2009

S773 - Cyber Security Act of 2009 – Bill would give President the power to shut down the Internet


A bill gradually moving through Congress (S-773 Cybersecurity Act of 2009) would dramatically increase the government’s control over every aspect of the Internet. The bill, introduced in the US Senate by Senators Rockefeller, Snowe and Nelson, is currently before the Committee on Commerce, Science and Transportation.

The problem is that, in its current form, the bill’s vague language grants far-reaching, broad-based authority to the President, or even his designee, to exert chokehold-type control over the private sector in the name of cyber security. The President or even his designee could, at their discretion, designate any private business as a “critical infrastructure information system or network” (from banks to airlines to utilities to universities to the media) and then subject that business to rigorous and strict government controls.

Critics argue that such controls would infringe upon civil liberties and constitutional freedoms. These controls would also have a chilling effect on private research and development. The Internet would be stifled, losing the free, open-source style of intellectual creativity that has been the engine of the current rate of technological progress.

Under the provisions of this bill, the Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. The purpose of these Centers would be to enhance the cybersecurity of small- and medium-sized businesses in the United States through the transfer of cybersecurity standards, processes, technology, and techniques developed at the National Institute of Standards and Technology to these Centers and, through them, to small- and medium-sized companies throughout the United States. In other words, these government controls would eventually extend all the way down to small businesses.

The bill stipulates that the National Institute of Standards and Technology shall establish a research program to develop cybersecurity metrics, benchmarks and standards. The Institute shall establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

The bill requires the Institute to establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks. (The government is going to DICTATE these standards to the private sector and then enforce compliance with them.)

Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks. The Institute shall also enforce compliance with the standards developed by the Institute by software manufacturers, distributors, and vendors; and shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards.

Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President or the President’s designee as a critical infrastructure information system or network, who is not licensed and certified under the program.

If enacted, this Act would authorize the President to develop a cyber security plan that would encompass all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers.

It would give him the authority to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any Federal Government or United States critical infrastructure information system or network. Because of the interconnectivity of Internet networks, such moves would effectively shut the global Internet down.

The President could even designate any agency to be responsible for coordinating the response and restoration of any Federal Government or United States critical infrastructure information system or network affected by a cybersecurity emergency declaration.

The problem is that the bill does not clearly define what would constitute such a cyber security emergency and thus leaves this determination solely at the discretion of the President or even his designee.

The President may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security. The President may delegate original classification authority to the appropriate Federal officials for the purposes of improving the Nation’s cybersecurity posture.

What is even more alarming is that the President or his designee, the Congress and other government agencies will closely monitor and control education in American colleges and universities.

Within one year after the date of enactment of this Act, the Director of the National Institute of Standards and Technology shall submit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology a report on the state of secure coding education in America’s colleges and universities for each school that received National Science Foundation funding in excess of $1,000,000 during fiscal year 2008. The report shall include details such as the number of students who earned undergraduate degrees in computer science or in each other program where graduates have a substantial probability of being engaged in software design or development after graduation, the percentage of those students who completed substantive secure coding education or improvement programs during their undergraduate experience to be in compliance with government controls, descriptions of the length and content of the education and improvement programs, and a measure of the effectiveness of those programs in enabling the students to master secure coding and design.

Pay attention to the deliberately wide-open language in this bill. In the name of cyber security, a net is about to be cast so wide that it would leave no college student safe from government surveillance, scrutiny and control.

If we Americans allow this kind of power grab to go through unchecked in the name of national and cyber security, we might as well go ahead and, more appropriately, rename Times Square as Tiananmen Square.
