Tuesday, April 14, 2009

The Cyber Security Act of 2009

In a class on Monday, we had a discussion concerning cyber security. We speculated that the government planted the news story about China placing malware in the electric grid as a precursor to an announcement about a large cybersecurity overhaul likely to surface over the next few weeks. When I got home I did some digging and discovered that three days ago Sen. Rockefeller from WV finally introduced the Cyber Security Act that's been floating around into Congress.

So here are some articles to read up on this!

This article discusses how the new act will grant the US government the authority to "shut the internet down" during emergencies. The article is a blog post, so it is biased toward criticisms of the act, but it is interesting nonetheless in highlighting weaknesses in the Act, and it provides a 4-page synopsis of the act. Personally, I believe that this is something the government should be considering. In a large-scale cyber attack, the only recourse for slowing the spread of vicious malware is to cut off the source.

The best source for reading more about this issue is the OpenCongress page about this bill. OpenCongress provides information about S.773, links to blogs that discuss the bill, and other relevant news articles, such as Steven Bellovin's critique.

Overall, I am not qualified to adequately critique all aspects of this bill; however, I will say I am pleased that at least some kind of notice of this issue is finally entering Congress. But not THIS BILL. I approve of the government taking a more active awareness of potential cyber attacks, and I don't mean small attacks where hackers change words or homepages on government websites. I am speaking of large-scale Denial-of-Service attacks, dangerous malware, and the risk that individuals and other nations (who likely do not have the best interests of the U.S. in mind) will hack into or gain access to critical infrastructure. The potential for a repeat of the Estonian Cyberwar of 2007 in the United States is not a thing of science fiction.

There are substantial consequences if S.773 passes as is. For one, the bill calls for responsibility for protecting critical infrastructure to shift away from the private sector to the public sector. Currently, most of that responsibility falls on the private sector. Providing adequate protection is extremely expensive, and there is very little incentive for the private sector to pay these substantial costs at the moment. It is universally agreed that US critical infrastructure is NOT READY to face any kind of cyber attack, be it an insider job or data leakage. But in truth, can the public sector do much better, when most of the expertise is already in the private sector? S.773 says the solution is to move oversight from DHS to the White House. Is this the best solution? Perhaps NSA would be better suited for this kind of work? In truth, DHS has its own set of problems to sort out, and it may not currently be capable of handling this responsibility considering how many components it has. But according to our current framework, cyber security does fall under DHS responsibilities! Perhaps the true solution would be to restructure how cyber security is handled within DHS?

What do you think?
