Published April 21, 2009
The days of an open, largely unregulated Internet may soon come to an end.
A bill making its way through Congress proposes to give the U.S. government authority over all networks considered part of the nation's critical infrastructure. Under the proposed Cybersecurity Act of 2009, the president would have the authority to shut down Internet traffic to protect national security.
The government also would have access to digital data from a vast array of industries including banking, telecommunications and energy. A second bill, meanwhile, would create a national cybersecurity adviser -- commonly referred to as the cybersecurity czar -- within the White House to coordinate strategy with a wide range of federal agencies involved.
The need for greater cybersecurity is obvious:
-- Canadian researchers recently discovered that computers in 103 countries, including those in facilities such as embassies and news media offices, were infected with software designed to steal network data.
-- A Seattle security analyst warned last month that the advancement of digital communication within the electrical grid, as promoted under President Obama's stimulus plan, would leave the nation's electrical supply dangerously vulnerable to hackers.
-- And on Tuesday the Wall Street Journal reported that computer spies had broken into the Pentagon's $300 billion Joint Strike Fighter project and had breached the Air Force's air-traffic-control system.
Nonetheless, the proposal to give the U.S. government the authority to regulate the Internet is sounding alarms among critics who say it's another case of big government getting bigger and more intrusive.
Silicon Valley executives are calling the bill vague and overly intrusive, and they are rebelling at the thought of increased and costly government regulations amid the global economic crisis.
Others are concerned about the potential erosion of civil liberties. "I'm scared of it," said Lee Tien, an attorney with the Electronic Frontier Foundation, a San Francisco-based group.
"It's really broad, and there are plenty of laws right now designed to prevent the government getting access to that kind of data. It's the same stuff we've been fighting on the warrantless wiretapping."
Sen. Jay Rockefeller, D-W. Va, who introduced the bill earlier this month with bipartisan support, is casting the legislation as critical to protecting everything from our water and electricity to banking, traffic lights and electronic health records.
"I know the threats we face." Rockefeller said in a prepared statement when the legislation was introduced. "Our enemies are real. They are sophisticated, they are determined and they will not rest."
The bill would allow the government to create a detailed set of standards for cybersecurity, as well as take over the process of certifying IT technicians. But many in the technology sector say the government is simply ill-equipped to get involved at the technical level, said Franck Journoud, a policy analyst with the Business Software Alliance.
"Simply put, who has the expertise?" he said. "It's the industry, not the government. We have a responsibility to increase and improve security. That responsibility cannot be captured in a government standard."
A spokeswoman from Rockefeller's office said neither he nor the two senators who co-sponsored the bill, Olympia Snowe, R-Maine, and Bill Nelson, D-Fla., will answer questions on cybersecurity until a later date.
Obama, meanwhile, is considering his own strategy on cybersecurity. On Friday, the White House completed a lengthy review of the nation's computer networks and their vulnerability to attack. An announcement is expected as early as this week.
"I kind of view [the Rockefeller bill] as an opening shot," said Tien. "The concept is cybersecurity. There's this 60-day review underway, and some people wanted to get in there and make their mark on the White House policy development."
IT leaders hope the president will consider their argument that their business is not only incredibly complex and static, but that it also spreads over the entire globe.
If the United States was to set its own standard for cybersecurity, they say, it would create a host of logistical challenges for technology companies, virtually all of which operate internationally.
"Any standards have to be set at an international level and be industry led," said Dale Curtis, a spokesman for the Business Software Alliance. "This industry moves so fast, and government just doesn't move that fast."
Many Silicon Valley executives remain hopeful that the White House's recommendations will be more industry-friendly, following what Journoud said was a good dialogue with former Bush administration official Melissa Hathaway, who is leading the White House review and is considered a likely candidate for cybersecurity czar.