Congressman Bennie G. Thompson
"From a security and good-government standpoint, the way to deliver better cybersecurity is to leverage, modify, and enhance existing structures and efforts, rather than make wholesale bureaucratic changes. This bill will make our nation more secure and better positions DHS -- the 'focal point for the security of cyberspace' -- to fulfill its critical homeland security mission," Thompson said in a statement.
The bill would create a new DHS Cybersecurity Compliance Division to carry out inspections of cybersecurity plans and activities for covered private sector networks. Private companies would enact risk-based plans if DHS determined they were covered critical infrastructure, but businesses would have the opportunity to challenge that designation as well.
In a manner similar to the CFATS chemical security law, operators of critical cyber infrastructure would submit security plans to DHS for review. In return, DHS would share relevant threat intelligence to information technology networks and protect corporate proprietary information.
Reps. Jane Harman (D-Calif.) and Yvette Clarke (D-NY), who chair cybersecurity subcommittees, co-sponsored the bill.
"Cyber attacks, whether originated by other countries or sub-national groups, are a grave and growing threat to our government and the private sector. This bill provides new tools to DHS to confront them effectively and make certain that civil liberties are protected," Harman said in a statement.
Added Clarke, "This bill will provide the DHS with the authority and resources needed to adequately protect our nation's cyberspace and infrastructure. I believe the security of our cyber infrastructure is connected to our national security. This bill will protect our country from a growing risk of 'hacks' and better allow the department to fulfill its duties of protecting our nation."
Thompson argued DHS has not had adequate authority to ensure national cybersecurity despite being designated the lead agency for doing so in 2003 under Homeland Security Presidential Directive 7.
The intent of the bill is somewhat similar to legislation in the Senate introduced by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.), the Protecting Cyberspace as a National Asset Act (S. 3480). The Senate bill, however, would boost congressional oversight of White House cybersecurity activities by requiring Senate confirmation of a cybersecurity coordinator. Thompson's bill does not deal with White House authorities.
Both bills would authorize DHS to inspect cybersecurity plans and activities at key private sector companies deemed important to the US economy.
Paul Joseph Watson
Tuesday, September 28, 2010
An amalgamated cybersecurity bill that lawmakers hope to pass before the end of the year includes new powers which would allow President Obama to shut down not only entire areas of the Internet, but also businesses and industries that fail to comply with government orders following the declaration of a national emergency – increasing fears that the legislation will be abused as a political tool.
The draft bill is a combination of two pieces of legislation originally crafted by Senators Lieberman and Rockefeller. One of the differences between the new bill and the original Lieberman version is that the Internet “kill switch” power has been limited to 90 days without congressional oversight, rather than the original period of four months contained in the Lieberman bill.
In other words, President Obama can issue an emergency declaration that lasts 30 days, and he can renew it for a further 60 days before Congress can step in to oversee the powers.
The new powers would give Obama a free hand to not only shut down entire areas of the Internet and block all Internet traffic from certain countries, but under the amalgamated bill he would also have the power to completely shut down industries that don’t follow government orders, according to a Reuters summary of the new bill.
“Industries, companies or portions of companies could be temporarily shut down, or be required to take other steps to address threats,” states the report, citing concerns about an “imminent threat to the U.S. electrical grid or other critical infrastructure such as the water supply or financial network.”
The only protection afforded to companies under the new laws is that they would have to be defined as “critical” in order to come under government regulation, but since the government itself would decide which companies this label applies to, it’s hardly a comforting layer of security.
“Even in the absence of an imminent threat, companies could face government scrutiny. Company employees working in cybersecurity would need appropriate skills. It also would require companies to report cyber threats to the government, and to have plans for responding to a cyber attack,” states the report.
As we have highlighted, the threat from cyber-terrorists to the U.S. power grid or water supply is minimal. The perpetrators of an attack on such infrastructure would have to have direct physical access to the systems that operate these plants to cause any damage. The recent Stuxnet malware attack, for example, was introduced and spread through a physical USB device, not via the public Internet.
Any perceived threat from the public Internet to these systems is therefore completely contrived and strips bare what many fear is the real agenda behind cybersecurity – to enable the government to regulate free speech on the Internet.