Sorry Wayne, I should’ve hit this one sooner…
(1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.
Senate Bill 773 – the “Cybersecurity Act of 2009” – is one of those bills that starts off sounding dry, technical and innocuous enough – standardizing security guidelines for Federal computer networks – sounds okay, right?
Still, just to get started, the “Findings” section sets the stage for “why this is so vitally important that you should all just vote for it RIGHT NOW!”
(so much for abandoning the politics of fear, eh?)
(5) John Brennan, the Assistant to the President for Homeland Security and Counterterrorism wrote on March 2, 2009, that ‘our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated.’
(6) Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that the United States is unprepared to respond to a ‘cyber-Katrina’ and that ‘a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.’
(like the 'Katrina' reference?)
(7) The Cyber Strategic Inquiry 2008, sponsored by Business Executives for National Security and executed by Booz Allen Hamilton, recommended to ‘establish a single voice for cybersecurity within government’ concluding that the ‘unique nature of cybersecurity requires a new leadership paradigm.’
(8) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall.’
(this is the part where Napolitano would make a statement about 10-ft-walls & 11-ft-ladders...)
(13) President Obama said in a speech at Purdue University on July 16, 2008, that ‘every American depends--directly or indirectly--on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it’s no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.’ Moreover, President Obama stated that ‘we need to build the capacity to identify, isolate, and respond to any cyber-attack.’
By the way, all of these recommendations for computer-central-planning were turned down by the previous administration – looks like they found a more sympathetic ear this time around.
So, it heads into a pretty standard top-down approach (as government is wont to do):
The President shall establish or designate a Cybersecurity Advisory Panel.
(2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.
“Other appropriate organizations” - outside of those listed?
Hmm… Okay – moving down, we get into some of the how-this-will-work:
SEC. 5. STATE AND REGIONAL CYBERSECURITY ENHANCEMENT PROGRAM.
(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.
Hold on - “Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.” ?
What kind of “non-profit” is going to volunteer to administer “the promotion and implementation” of government standards?
A "non-profit" that would want to push government mandates?
But wait, let’s step back a little further - “Cybersecurity Centers”… o-kay, but since security can be pushed-down through federal systems via their own electronic networks, why establish physical ‘centers’?
(b) PURPOSE- The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States through--
Uh… wait – so suddenly it’s the business of the Federal Government to “enhance the cybersecurity of small and medium sized businesses in United States”?
Why am I uncomfortable with that?
And here’s another interesting, if seemingly-unrelated bit:
(d) ACCEPTANCE OF FUNDS FROM OTHER FEDERAL DEPARTMENTS AND AGENCIES- In addition to such sums as may be authorized and appropriated to the Secretary and President, or the President’s designee, to operate the Centers program, the Secretary and the President, or the President’s designee, also may accept funds from other Federal departments and agencies for the purpose of providing Federal funds to support Centers. Any Center which is supported with funds which originally came from other Federal departments and agencies shall be selected and operated according to the provisions of this section.
So the aforementioned “non-profit” stepping-up to administer “the promotion and implementation” of government standards…can double-dip from the Federal snack bowl?
It occurs to me that such a non-profit/center could then also apply for monies under HR1388…
So - money given, with ‘Volunteer Commitment’ strings attached, to a non-profit tasked with pushing Federal cybersecurity standards into private business…
How’s that for a disturbing feedback-loop?
The next tremor comes almost half-way through the text of the Bill:
SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.
This starts out with some pretty standard development language – “metrics”, “controls”, “security” etc., etc. Nothing too out of the ordinary – until:
(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE- The Institute shall, establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
Um…
(5) STANDARD SOFTWARE CONFIGURATION- The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.
Hold on now – “and in private sector owned critical infrastructure information systems and networks” ?
Wait – I’m going to look for a definition of that term… doesn’t seem like the kind of thing you’d want left ‘subjective’ … hold on, I’ll be right back…
Right, I thought that sounded familiar - #9 under “Findings” stated:
‘our nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking finance, chemicals and hazardous materials, and postal and shipping.’
So – “Critical Infrastructures” include ‘public’ and ‘private’ and could be… anything.
Getting nervous now – let’s see if we can figure out how they determine what’s “Critical”…
(d) COMPLIANCE ENFORCEMENT- The Director shall--
(1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and
(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.
Wait-wait-wait… “Designated By The President”?
As in: the POTUS… Barack Obama… gets to decide which private businesses have to comply with these “Federal Security Standards”?
Can I get a “NO!” in here?!?
And I guess that once they let that cat-out-of-the-bag in writing they figured all bets were off anyway:
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.
So FIRST they want to create mandatory security standards, not only for Government systems but also for privately-held systems (not ALL privately owned systems, of course – just for those that Barack Obama WANTS it to be mandatory)
THEN they want to dictate who can be employed in “cybersecurity services” by making it UNLAWFUL to do so unless you’re licensed under their certification?
Are you thinking that this can’t get worse at this point?
Come on, you know me better than that by now…
SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE.
(a) DESIGNATION- The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal Government and private sector owned critical infrastructure information systems and networks.
(b) FUNCTIONS- The Secretary of Commerce—
(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;
No kidding, folks - “All of Your Networks Are Belong to US” …if Barack Obama designates them so.
Hold on though – what would be the point of all the HARD WORK involved in creating this nightmare if they weren’t at least going to be able to make some money off of it (think Freddie/Fannie)?
SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT.
Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology on the feasibility of—
(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and
(2) requiring cybersecurity to be a factor in all bond ratings.
A little something for both the ‘Civil Trial Law’ and ‘Insurance’ lobbies – tucked in there for good measure.
…Oh no …not done yet … they buried the best part at the very bottom.
SEC. 18. CYBERSECURITY RESPONSIBILITIES AND AUTHORITY.
(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;
(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;
(8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture;
(10) shall withhold additional compensation, direct corrective action for Federal personnel, or terminate a Federal contract in violation of Federal rules, and shall report any such action to the Congress in an unclassified format within 48 hours after taking any such action;
- Forcing Federal standards, guidelines and language onto any system the President “designates”.
- Making it “Unlawful” for anyone to provide ‘Cybersecurity Services’ – even for their own systems – without “Mandatory Licensing” granted by the government.
- Requiring the surrender of all data of ‘Designated’ systems without regard to any provision of law, regulation, rule, or policy restricting such access.
- Including some built-in graft potential for civil lawyers and the insurance lobby,
- Granting the President the power to declare a “cybersecurity emergency” and order the limitation or shutdown of Internet traffic to and from any network (or, obviously, connection of networks) designated ‘compromised’.
- Granting the President the power to disconnect ‘Designated’ systems from internet-access, under the auspices of ‘National Security’
(which ones? Google? AT&T – how many would it really take to cripple communication between different parts of the country – and how would that affect the new “all digital” television broadcast?)
I knew this would happen – all of the Central-Planning, Power-Grabbing, We-Know-What-Is-Best-For-You, **OBEY** legislative attempts at bringing EVERYTHING under their direct control.
The only thing that surprises me is the speed with which the grabs are coming.
UPDATE: Sorry I missed this one – S. 778, “To establish, within the Executive Office of the President, the Office of the National Cybersecurity Advisor.”
I'm not sure exactly why they would use a different Bill for this, but I'm now convinced it can't be good. - MD