Saturday, April 11, 2009

Cybersecurity Act of 2009: The Facts


The Big Red Button: Internet freedom locked!

So, first, get a copy of the bill from here. It was introduced by a Democrat and a Republican (one who apparently often sides with Democrats): John Rockefeller and Olympia Snowe.

These are those rare times when (more) people (than usual) pay attention to what is done in the upper spheres of the administration.
The bandwagon effect is usually at its peak in such moments, as people merely react to the information relayed by journos without checking whether the interpretation is correct (but journalists don’t bother either, so who cares?).

However, this is one of those times when there is a good reason for people to be worried. Who wouldn’t raise an eyebrow at a bill that brings together themes and words such as “Internet”, “shutdown” and lines about “access to all relevant data concerning networks without regard to any provision of law, regulation, rule, or policy restricting such access”?

You clearly want to know what could possibly warrant such methods, and what the extent of the implied responsibility and power is.

So let’s move straight to the source of contention, the one which mentions the partial or total suspension of the Internet traffic:

SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
The President—
(1) within 1 year after the date of enactment of this Act, shall develop and implement a comprehensive national cybersecurity strategy, which shall include—
(A) a long-term vision of the nation’s cybersecurity future; and
(B) a plan that encompasses all aspects of national security, including the participation of the private sector, including critical infrastructure operators and managers;
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;

Naysayers have been quick to dismiss the worries by saying that the President would not have the power to do so on his own, or that the measure only concerns Federal systems and networks.
That’s patently false. Read the beginning of the section. The words “The President” are right there, and the text certainly does not limit itself to Federal systems and networks.

As with any legal text, context is everything.

(1)(B) establishes the involvement “of the private sector, including critical infrastructure operators and managers;” in other words, all Internet providers and any other private company that fits the bill (including all the DRM-pushing Majors, who would be only too happy to see the Internet closed). How they’d be involved is not spelled out, but they’re most likely to provide information and advice on how to apply the Act.
The reality is that the strategy in question involves precisely these groups as enforcers. Since they are named in that rather broad set, they’ll have no way to dodge the procedure (if they ever planned to “resist”).
They’ll comply. They’ll assist the government in applying the law. It is pretty much required, in fact. Since the Internet is largely in the hands of the private sector, it would be foolish to think otherwise.

But don’t stop here. Let’s pick the sentence in its whole structure, from point (2):

The President may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network.

As we quickly understand, what matters here is the object of this procedure: (the) Federal government or United States critical infrastructure information system or network.

But what is that? Well, they have a section called DEFINITIONS, so let’s see.

SEC. 23. DEFINITIONS.

In this Act:

(3) FEDERAL GOVERNMENT AND UNITED STATES CRITICAL INFRASTRUCTURE INFORMATION SYSTEMS AND NETWORKS.
—The term ‘‘Federal government and United States critical infrastructure information systems and networks’’ includes—
(A) Federal Government information systems and networks; and
(B) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

Read subsection (3)(B) carefully to see what is targeted beyond “Federal Government information systems and networks.”

The term ‘‘Federal government and United States critical infrastructure information systems and networks’’ includes (...) State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.

In case you had doubts, rest assured that every range and angle is covered here, right down to the catch-all “nongovernmental” network.
Notice, however, that for a system or network to fall under the powers of the Act, it must first be designated as critical.

OK. So how are these systems and networks deemed critical?
Easy: by presidential designation.

In other words, if the President says it’s critical, it is.

So basically, it puts into the President’s hands the ability to point at any structure on US soil and decide, within the minute, that it is of critical importance.
There is no real check on this, and whatever check might exist would in all likelihood have little to no time to assess the presidential claim. That in turn gives the President the power to shut down the designated critical target until further notice.

Class eh?
Do these people realize the threat it could pose to people and, of course, to the countless thousands of businesses that rely entirely on the Internet but aren’t listed on the Dow Jones board?

Once again, the sheer vagueness of certain references is not satisfying.
It is, above all, a story of conflation.

Let’s finish this part with a last look at the following text:

SEC. 2. FINDINGS.
The Congress finds the following:

(4) The Director of National Intelligence testified before the Congress on February 19, 2009 that ‘‘a growing array of state and non-state adversaries are increasingly targeting—for exploitation and potentially disruption or destruction—our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries’’ and these trends are likely to continue.

The finding folds the Internet as a whole into the “information infrastructure”.
Good. By that definition, if we were to follow this shortcut, the Internet could be labelled critical in its entirety.
So how would the Internet have been defined if the bill passed?



Civil liberties as collateral damage?


So what about data monitoring? What kind of data are we talking about here?

SEC. 14. PUBLIC–PRIVATE CLEARINGHOUSE.
(a) DESIGNATION.—The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal government and private sector owned critical infrastructure information systems and networks.
(b) FUNCTIONS.—The Secretary of Commerce—
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

Here we are. This is nothing less than the principles of martial law applied to a nation-wide set of electronic systems and networks. No law, no bickering.
It is understandable that on a day of national crisis, at the height of a grave conflict, knowing absolutely everything about the failures and weaknesses of the nation’s networks is of the utmost importance.

But I ask, what is “all relevant data” supposed to mean? Given the constant, paranoid fear of terrorist attacks and mass hacking of national infrastructures or whatever, it is clear that such data is very likely to include how the networks are used, and by whom. The point, then, would be to know who is on the line and what people are doing at time T, in order to observe and learn the behavior of individuals or groups of individuals acting suspiciously and unlawfully (so the government would say). In light of a much-criticized Patriot Act, such leeway in the submitted bill can only be a source of great concern.

Once again, we go to the DEFINITIONS section to find another reference to data. Please notice the applied meaning of “cyber”:

(2) CYBER.—The term ‘‘cyber’’ means—
(A) any process, program, or protocol relating to the use of the Internet or an intranet, automatic data processing or transmission, telecommunication via the Internet or intranet; and
(B) any matter relating to, or involving use of, computers or computer networks.

Basically: anything you can do with the Internet (yes, that also means a serious threat to porn and WoW).
Of course, in a bill that features the term or prefix “cyber” 181 times, alongside mentions of monitoring and shutdown, you really have to ask whether these guys are thinking clearly.

Let’s also try to understand what the SoC (Secretary of Commerce) is.

For such a task, I summon the mighty WIKIPEDIA!!!

The United States Secretary of Commerce is the head of the United States Department of Commerce concerned with business and industry; the Department states its mission to be "to foster, promote, and develop the foreign and domestic commerce." Until 1913 there was one Secretary of Commerce and Labor, uniting this department with the Department of Labor, which is now headed by a separate Secretary of Labor.

[...]

The current Secretary of Commerce is former Washington Governor Gary Locke, who was nominated for the post by President Barack Obama on February 25, 2009, and was confirmed by the United States Senate by unanimous consent on March 24, 2009.

Locke is President Obama's third choice for the post following New Mexico Governor Bill Richardson, who dropped out of consideration in early January 2009, and Republican Senator Judd Gregg from New Hampshire, who withdrew his nomination in February 2009.

The SoC(k puppet) is one person appointed by the President. Once again, a great and immediate menace can only be countered by a great and immediate power.
But you know the song. Power corrupts, and absolute power corrupts absolutely. One can only cross one’s fingers that there’s someone around the SoC to temper his resolve in enforcing this possible future law. But I’m not naive enough to believe that the SoC’s entourage would be the check we’re looking for. The balance has to come from a body that speaks directly on behalf of the people.

I’m beyond wondering why, in the holy defense of rights and freedom, officials rush to be first and quickest in line to propose illogical bills which will turn freedom into its own anathema.



Evolution of the concept

It is also interesting to look at the basics of the bill, as they define the guidelines of the suggested law and the scope of its application, as a part of the strategy:

SEC. 3. CYBERSECURITY ADVISORY PANEL.
(a) IN GENERAL.—The President shall establish or designate a Cybersecurity Advisory Panel.
(b) QUALIFICATIONS.—The President—
(1) shall appoint as members of the panel representatives of industry, academic, non-profit organizations, interest groups and advocacy organizations, and State and local governments who are qualified to provide advice and information on cybersecurity research, development, demonstrations, education, technology transfer, commercial application, or societal and civil liberty concerns; and
(2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.

Once again, these are people put there by the President, and above all not in the context of special circumstances (a major attack or whatever) but as a pre-emptive measure.

It just seems a wee bit too one sided to my tastes.
Besides, if you wonder what the strategy is about, let’s continue reading the second part of this section.

(c) DUTIES.—The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess—
(1) trends and developments in cybersecurity science research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the balance among the components of the national strategy, including funding for program components;
(5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;
(6) the management, coordination, implementation, and activities of the strategy; and
(7) whether societal and civil liberty concerns are adequately addressed.

In terms of civil liberties, item (7) is of interest. The panel shall give its two cents on the repercussions resulting from the application of the law.
But will the panel even bother? And if so, could the President find enough time to pay the necessary attention to these problems?
The most amusing aspect is how item (3) allows the rules to be completely changed once the text is voted. Item (7) could be unilaterally flushed down the drain for all we know. Who would notice? There is no real indication, in the bill, that the panel answers to anyone but the President, har har.

Also, consider the existence and relevance of item (7) against the reality of the Patriot Act and its problems.

Besides, if the panel were to argue against the President’s will, he would have the power to scrap the whole band and start over.
Under such conditions, could the panel guarantee respect for civil liberties if the President were to lose his marbles and swap teams at will?
Answer: Niet.

And, in the looming sense of madness that drips between the lines of this bill, the other question is how far this nonsense could spread to other (allied) countries.
Would they be cut off?
The answer lies below:

SEC. 21. INTERNATIONAL NORMS AND CYBERSECURITY DETERRANCE MEASURES.
The President shall—
(1) work with representatives of foreign governments—
(A) to develop norms, organizations, and other cooperative activities for international engagement to improve cybersecurity; and
(B) to encourage international cooperation in improving cybersecurity on a global basis; and
(2) provide an annual report to the Congress on the progress of international initiatives undertaken pursuant to subparagraph (A).

Same story for the others. Given the current alignment and the increased cooperation and exchange of information in the war against terrorism, places such as Europe, Canada, Mexico and so on are not going to be spared the consequences of this law if something were to go wrong in the good ol’ US of A.

I have seen people say that this bill is a much-needed tool for responding adequately to any wide-scale electronic menace, aggressive and repeated hacking of civilian and financial networks, and other malign activities which include, but should not be limited to, draining bank accounts.
This would surely bring people down in the street, and the best way to find money would be to find a job, and there’s just one sector which sees no loss of steam in such dire times: the military arm. :)

The Internet is the most important enlightening and social tool humanity has known since fire and language. Like those two, the Internet is a double-edged sword, but those who have mastered it live above the others.
If the government wants the ability to isolate all of its agencies’ networked systems and the core civilian infrastructures (energy, finance, etc.), so be it. That is its legitimate right.
But such a power should be careful in how it treats the private sphere, both in terms of civil and business liberties.

Truly, I don’t get the point of such a disturbing lack of distinction between foreign terrorism and civil liberties.
I’d suggest Rockefeller and Snowe get some sleep and rethink the whole thing, otherwise people will soon miss the Soviet Union.

Hyper_necro_edit_bump: Washingtonwatch.com had 91% of Internet readers voting against.
