Thursday, April 23, 2009

S. 773 – The “Cybersecurity Act of 2009” - UPDATED

Sorry Wayne, I should’ve hit this one sooner…

Senate Bill 773 – The “Cybersecurity Act of 2009" is one of those bills that starts off sounding dry, technical and innocuous enough – standardizing security guidelines for Federal computer networks – sounds okay, right?

Still, just to get started, the “Findings” section sets the stage for “why this is so vitally important that you should all just vote for it RIGHT NOW!”
(so much for abandoning the politics of fear, eh?)

(1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.

(5) John Brennan, the Assistant to the President for Homeland Security and Counterterrorism wrote on March 2, 2009, that
‘our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated..

(6) Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that
the United States is unprepared to respond to a ‘cyber-Katrina’ and that ‘a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.’.

(like the 'Katrina' reference?)

(7) The Cyber Strategic Inquiry 2008, sponsored by Business Executives for National Security and executed by Booz Allen Hamilton, recommended to ‘establish a single voice for cybersecurity within government’ concluding that the ‘unique nature of cybersecurity requires a new leadership paradigm.’

(8) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall.

(this is the part where Napolitano would make a statement about 10-ft-walls & 11-ft-ladders...)

(13) President Obama said in a speech at Purdue University on July 16, 2008, that ‘every American depends--directly or indirectly--on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it’s no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.’ Moreover, President Obama stated that ‘we need to build the capacity to identify, isolate, and respond to any cyber-attack.’.

By the way, all of these recommendations for computer-central-planning were turned down by the previous administration – looks like they found a more sympathetic ear this time around.

So, it heads into a pretty standard top-down approach (as government is wont to do) :

The President shall establish or designate a Cybersecurity Advisory Panel.

The President
(2) may seek and give consideration to recommendations from the Congress, industry, the cybersecurity community, the defense community, State and local governments, and other appropriate organizations.

“Other appropriate organizations” - outside of those listed?

Hmm.. Okay - Moving down – we get into some of the How-this-will-work:


(a) CREATION AND SUPPORT OF CYBERSECURITY CENTERS- The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards. Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.

Hold on - “Each Center shall be affiliated with a United States-based nonprofit institution or organization, or consortium thereof, that applies for and is awarded financial assistance under this section.” ?

What kind of “non-profit” is going to volunteer to administer “the promotion and implementation” of government standards?

A "non-profit" that would want to push government mandates?

Anyone?...Anyone?... Bueller?

But wait, let’s step back a little further - “Cybersecurity Centers”… o-kay, but since security can be pushed-down through federal systems via their own electronic networks, why establish physical ‘centers’?

(b) PURPOSE- The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in United States through--

Uh… wait – so suddenly it’s the business of the Federal Government to “enhance the cybersecurity of small and medium sized businesses in United States”?

Why am I uncomfortable with that?

And here’s another interesting, if seemingly-unrelated bit:

(d) ACCEPTANCE OF FUNDS FROM OTHER FEDERAL DEPARTMENTS AND AGENCIES- In addition to such sums as may be authorized and appropriated to the Secretary and President, or the President’s designee, to operate the Centers program, the Secretary and the President, or the President’s designee, also may accept funds from other Federal departments and agencies for the purpose of providing Federal funds to support Centers. Any Center which is supported with funds which originally came from other Federal departments and agencies shall be selected and operated according to the provisions of this section.

So the aforementioned “non-profit” stepping-up to administer “the promotion and implementation” of government standards…can double-dip from the Federal snack bowl?

It occurs to me that such a non-profit/center could then also apply for monies under HR1388

So - money given, with ‘Volunteer Commitment’ strings attached, to a non-profit tasked with pushing Federal cybersecurity standards into private business…

How’s that for a disturbing feedback-loop?

The next tremor comes almost half-way through the text of the Bill:


This starts out with some pretty standard development language – “metrics”, “controls”, “security” etc., etc.. nothing too out of the ordinary – until:

(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE- The Institute shall, establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

(5) STANDARD SOFTWARE CONFIGURATION- The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal Government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

Hold on now – “and in private sector owned critical infrastructure information systems and networks” ?

Wait – I’m going to look for a definition of that term… doesn’t seem like the kind of thing you’d want left ‘subjective’ … hold on, I’ll be right back…

Right, I thought that sounded familiar - #9 under “Findings” stated:

‘our nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking finance, chemicals and hazardous materials, and postal and shipping.

So – “Critical Infrastructures” include ‘public’ and ‘private’ and could be… anything.

Getting nervous now – let’s see if we can figure out how they determine what’s “Critical”


d) COMPLIANCE ENFORCEMENT- The Director shall--

(1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and

(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.

Wait-wait-wait… “Designated By The President”?

As in: “The POTUS… Barack Obama… gets to decide which private businesses have to comply with these “Federal Security Standards”?

Can I get a “NO!” in here?!?

And I guess that once they let that cat-out-of-the-bag in writing they figured all bets were off anyway:

(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program.

So FIRST they want to create mandatory security standards, not only for Government systems but also for privately-held systems (not ALL privately owned systems, of course – just for those that Barack Obama WANTS it to be mandatory)

THEN they want to dictate who can be employed in “cybersecurity services” by making it UNLAWFUL to do so unless you’re licensed under their certification?

Are you thinking that this can’t get worse at this point?

Come on, you know me better than that by now…


(a) DESIGNATION- The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to Federal Government and private sector owned critical infrastructure information systems and networks.

(b) FUNCTIONS- The Secretary of Commerce

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

No kidding, folks - “All of Your Networks Are Belong to US” …if Barack Obama designates them so.

Hold on though – what would be the point of all the HARD WORK involved in creating this nightmare, if they weren’t at least going to be able to make some money off of it (think Freddie/Fannie)


Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall report to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Science and Technology on the feasibility of—

(1) creating a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance); and

(2) requiring cybersecurity to be a factor in all bond ratings.

A little something for both the ‘Civil Trial Law’ and ‘Insurance’ lobbies – tucked in there for good measure.

…Oh no …not done yet … they buried the best part at the very bottom.


The President

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

(8) may delegate original classification authority to the appropriate Federal official for the purposes of improving the Nation’s cybersecurity posture;

(10) shall withhold additional compensation, direct corrective action for Federal personnel, or terminate a Federal contract in violation of Federal rules, and shall report any such action to the Congress in an unclassified format within 48 hours after taking any such action;

Let's Review:

- Forcing Federal standards, guidelines and language onto any system the President “designates”.

- Making it “Unlawful” for anyone to provide ‘Cybersecurity Services’ – even for their own systems – without “Mandatory Licensing” granted by the government.

- Requiring the surrender of all data of ‘Designated’ systems without regard to any provision of law, regulation, rule, or policy restricting such access.

- Including some built-in graft potential for civil lawyers and the insurance lobby,

- Granting the President the power to declare a “cybersecurity emergency” and order the limitation or shutdown of Internet traffic to and from any network (or, obviously, connection of networks) designated ‘compromised.

- Granting the President the power to disconnect ‘Designated’ systems from internet-access, under the auspices of ‘National Security’

(which ones? Google? AT&T – how many would it really take to cripple communication between different parts of the country – and how would that affect the new “all digital” television broadcast?)

I knew this would happen – all of the Central-Planning, Power-Grabbing, We-Know-What-Is-Best-For-You, **OBEY ** legislative attempts at bringing EVERYTHING under their direct control.

The only thing that surprises me is the speed with which the grabs are coming.

- MuscleDaddy

UPDATE: Sorry I missed this one - S. 778 To establish, within the Executive Office of the President, the Office of the National Cybersecurity Advisor.

I'm not sure exactly why they would use a different Bill for this, but I'm now convinced it can't be good. - MD


  1. And most people won't see anything at all wrong until the government pops up in their bedroom. THEN it'll be a problem.

  2. MD, They've GOT to power-grab fast. They know that they're all going to get the boot in 2010, so they are simply doing everything they can to expedite the agenda. This should come as no shock whatsoever.

  3. I would ask how it's legal to just write in a clause in a bill like this that it's going to ignore existing "laws, regulations, rules, or policies" which are intended to prevent access to these networks, but obviously it doesn't matter to the power-hungry lunatics who wrote this bill whether it is legal or not.

  4. You missed one piece, but great analysis, MD.

    That is: this is in effect the militarization of the Internet. They don't SAY that, and they use the cover of the DOC to situate it, but don't be fooled. This is declaring the Internet, and anything connected to it, as a military theatre of action.

  5. Anon @ 2:41,

    Thank you for the kind note.

    I didn't really 'miss' that point - but it would have required an inference on my part, which I try to stay away from when picking apart legislation.

    (saving inference and wild-conjecture for everything else I write)What they actually say is damning enough.

    - MD

  6. Here's the thing that I love about it. So, they take over all cyber security and start mandating things so that everyone has the same security so that all of our 'vital systems' have the same level of protection.

    All that means is that if a hacker finds a vulnerability in one system then chances are that EVERY system will have it.

  7. MD - that part about the separate bill to establish the Cybersecurity Department? That seems to be SOP with these bills. That other one I sent you, HR875, does the same thing with the "Food Safety Administration" or something like that.

  8. Extraordinary piece of legislative disection! There are so many levels of this piece of legislative garbage I find objectionable. My fear is that too many of our Washington geniuses won't spend the time studying it...but simply pass the darn thing instead (TARP-style).

  9. “Other appropriate organizations” - outside of those listed?and

    United States-based nonprofit institution or organization, or consortium thereofCould it be as simple as colleges and/or universities?

    You know these guys think the world of academia types, so computer science professors and their students may get in on a slice of the pie.

    It may not imply conscripts from the streets (ACORN type).

  10. always,I suppose it could - though that still begs the question of "Universities pushing down cyber-security mandates onto private business?"Then there's the added bonus of Colleges & Universities quickly finding themselves in-thrall to 1388/GIVE - meaning that the your aforementioned conscription would be from a fairly captive and malleable pool (because I've never seen a University that could name a 'grant' it didn't like... except Hillsdale, of course).

    Also, I think that - given the ACORN involvement-in and subsequent payoffs-from the Obama administration to date - "assuming-the-best" (if you could even call it that) would involve ignoring what we've already seen.

    Trust People to Do What You've Seen Them Do.

    - MuscleDaddy

  11. So here we are--Google's top story today...what a boondoggle this is going to particular favorite clause, in addition to the president having carte blanche to shut down whatever he wants, is the exciting new INSURANCE market they are going to create...hmm...does the word "derivative" mean anything to you? We all loved how that turned out...Can't wait to see how that affects the economy over time...and isn't it great that now our worldwide hacker community will only have to hack one US system to be able to hack them all, since they will all have the same requirements/security infrastructure? Yee-hah...let's here it for the lame new world...


We reserve the right to delete comments, but the failure to delete any particular comment should not be interpreted as an endorsement thereof.

In general, we expect comments to be relevant to the story, or to a prior comment that is relevant; and we expect some minimal level of civility. Defining that line is inherently subjective, so try to stay clear of insulting remarks. If you respond to a comment that is later deleted, we may take your response with it. Deleting your comment isn't a personal knock on you, so don't take it as such.

We allow a variety of ways for commenters to identify themselves; those who choose not to do so should take extra care. Absent any prior context in which they may be understood, ironic comments may be misinterpreted. Once you've earned a reputation for contributing to a conversation, we are likely to be more tolerant in those gray areas, as we'll understand where you're coming from.