The Rockefeller-Snowe bill emerges from an environment of blind hysteria around cyber-security problems that has developed in recent months. Section 2 contains 150 lines of silly hyperventilating that exaggerate the threats – and, more importantly, misconceive the nature of Internet-based threats and the best way to respond to them. The bill succumbs to the tendency to take a national, hierarchical and centralized approach to problems that are best met through the organic evolution of decentralized, flexible, adaptive and transnational, private sector-based cooperative solutions that leverage the peer production capabilities of the Internet.
Still, it is not as bad as it could have been. The bill does not directly turn over cybersecurity responsibilities to the NSA, nor does it completely centralize authority in a single government agency. Instead, it creates a Cyber-Czar in the White House and a multistakeholder “Cyber-security Advisory” panel appointed by the President.
Note that even Louis Freeh, former FBI head, has warned that the problem of cybersecurity “is too large and too complicated to relegate it into a typical bureaucratic or statutory pigeonhole.”
That being said, creating a centralized Czar, and empowering the President with emergency powers, does little to address problems such as botnets and viruses, which rely on the dispersion and decentralization of ICTs. That battle will really be fought in the marketplace by firms offering security products and services and by ICT professionals in Internet service providers and at the organizational and agency level.
I don't know whether this bill will get anywhere. While it is off-target, one must also understand that Washington is primarily about posturing. What matters to your typical congressperson is looking like you are doing something – and doling out cash to patrons – not making the Internet safer per se. In that regard, the bill has a lot going for it.
Here is a section-by-section review of the most outstanding parts of the proposed law. The bill:
* Creates an Office of the National Cybersecurity Advisor within the Executive Office of the President, headed by an Advisor who reports directly to the President. This is modeled after the US Trade Representative. Borders on the kind of centralization Freeh warned against, but at least it is not the NSA. (Section 1)
* Creates a Cyber-security Advisory panel appointed by the President. It will contain representatives of industry, academics, non-profit organizations, interest groups and advocacy organizations, and State and local governments. It issues reports and develops recommendations on cybersecurity strategy. (Section 3)
* Empowers the President to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network. (Section 18)
* In true Washington style, encourages and funds duplicative and unneeded bureaucracies in order to provide the appearance of bold action on a problem. Ignoring the existence of an extensive network of self-governing security professionals and CERTs around the world, the bill funds the formation of State and regional “Cybersecurity Centers,” a massive boondoggle for alert politicians, academics, political capitalists and anyone else who wishes to jump on the “cybersecurity” bandwagon. We saw this happen with other forms of “security” during the post-9/11 period and the formation of DHS. One Washington insider I know accurately labeled the post-9/11 Beltway security industry a “kleptocracy” comparable to that of Russia. (Section 5)
* Authorizes the National Institute of Standards and Technology (NIST) to establish measurable and auditable cybersecurity standards for the Federal government, government contractors, or grantees involved in critical infrastructure information systems and networks. This would include a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. This is one of the less-objectionable parts of the bill. It is an example of the kind of modest and targeted activity which might actually be useful. (Section 6)
* Establishes a mandatory licensing regime for “cybersecurity professionals.” So this new area of knowledge will become cartelized – which means more expensive, less open and less innovative. It is unclear what diagnosis led to this remedy. (Section 7)
* Entrenches the Commerce Department's IANA contract in the quagmire of “national security” discourse. The IANA contract grants a monopoly over the administration of a globally shared resource, the domain name system, to ICANN. NTIA cannot renew or modify the IANA contract until a Cybersecurity Advisory Panel appointed by the U.S. President reviews and approves whatever it does. The Panel must consider the commercial (i.e., to U.S. companies) and national (i.e., U.S.-only) security implications of any change. (Section 8) Note that this is a step back from the claim that the bill would “make sure that ICANN does not succumb to foreign pressure” in Senator Rockefeller's press release.
* Directs the Commerce Department to “develop a strategy to implement a secure domain name addressing system” in three years. Huh? Commerce is already doing that, see the NTIA DNSSEC proceeding. (Section 9) And global acceptance of DNSSEC will depend not just on the U.S. but on other countries as well – a fact that the authors of this bill obviously don't grasp.
* Throws more money at the National Science Foundation to do more “computer and information science and engineering research” – when in fact both the causes and solutions to the security problems are mostly institutional, organizational, economic and political rather than technical in nature, and there is already a major spending program on computer science and engineering research in this area – the Cybersecurity Research and Development Act, passed in 2002.
* Throws more money at universities for security-related scholarships. Hey, we'll take more student scholarships, but we've been benefiting from a similar program for the past six years. More posturing.