The Cybersecurity Act of 2009, S. 773, introduced by Senators Rockefeller (D-WV) and Snowe (R-ME), has kicked off what promises to be an intense debate over the federal government’s cybersecurity policy. There’s broad consensus about the goal – better security for both governmental and private sector critical infrastructure information systems – but not much agreement about how to achieve it.
The Rockefeller/Snowe bill includes some especially troubling provisions. For starters, it would give the President the authority to limit or shut down Internet traffic to federal government and private critical infrastructure systems. It would give the Secretary of Commerce the power to override any law, regulation, or policy – including privacy laws and laws protecting trade secrets – to obtain access to information held by private parties that might be relevant to cybersecurity threats and vulnerabilities. Broadly read, the provision would authorize the Secretary of Commerce to override the Wiretap Act and the Electronic Communications Privacy Act to gain access to communications content. Finally, it includes provisions that would allow the government to dictate software design standards for the private sector.
CDT has prepared a detailed analysis of the Rockefeller-Snowe bill here.
Fortunately, the Rockefeller/Snowe bill isn’t the only game in town.
Senator Carper’s (D-DE) U.S. Information and Communications Enhancement (ICE) Act (S. 921) takes an entirely different, and much more appropriate, approach. It focuses primarily on strengthening the security of governmental information systems by amending the Federal Information Security Management Act. In contrast, many provisions of the Rockefeller-Snowe bill would apply the same measures and authorities without distinction to both private and public systems.