Cybersecurity Act of 2009

Some guy yelled at me about this today. People seem to yell a great many political things at me lately. Frankly, it’s all quite tiring. Anyhow, this doofus went off on an unsolicited rant about how President Obama was going to “shut off the internet at will.”

Man, I thought, I gotta know how he can do that. So, I googled (is that a verb now?) “Obama shut down internet,” and I was led to the documents for the Cybersecurity Act of 2009. The actual bills are S. 773 and 778. The first draft is here [pdf].

I skimmed through it and found that it echoed almost everything I’d heard about last year’s CSIS report. Basically, the report acknowledged a few things that should have already been glaringly obvious:

  • That our government’s computer infrastructure is vulnerable to attack and disruption,
  • That you can trust Congress, who are experts on these things, to throw tons of money at it if you like, and
  • It won’t do much good.

So, in the interest of doing something, Congress came up with S. 773. It’s a really professional-looking, well-organized proposal that’s basically full of hot air. And it’s expensive hot air, too.

Still, I didn’t see anything sinister until I neared the end. There’s some boilerplate about funding, qualifications and clearance for Federal I.T. contractors, and a program of “challenges” to incite students into becoming code monkeys for The Man.

Then you get to Section 18:

(2) [the President] may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

(…)

(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

Yeah, now my undies get bunched up. Who decides what defines “critical infrastructure?” Does that stop with government systems, or can civilian networks be shut down “in the interest of national security?” What if it turns out that a worm is being propagated by a computer at your ISP? Can they shut it down? According to the bill, they don’t even need to provide proof that a network is compromised. Nice.

Oh, and civil liberties? Well, they are mentioned in Section 17, which is somewhat less than reassuring:

Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.

The issue also comes up in Section 11, under “challenges in cybersecurity”:

(4) How to guarantee the privacy of an individual’s identity, information, or lawful transactions when stored in distributed systems or transmitted over networks.

(…)

(6) How to determine the origin of a message transmitted over the Internet.

“Sure,” you might think, “that’s only for information on government servers.” Guess again. There’s a great deal of overlap between government and civilian networks, partially owed to the internet’s ancestry as ARPANET.

The government has had a great deal of distrust for the possibilities of anonymous, untraceable and encrypted communication since the Clinton administration. In fact, PGP encryption was quite the issue in the infancy of the internet, so much so that some saw the debate as a 2nd Amendment issue.

I know I do.

I don’t sit up at night salivating at the possibility of Revolution. I don’t think we’re anywhere near that point yet, and I certainly hope my children and grandchildren never see it. Still, we’re entitled to the tools to keep tyranny at bay, and part of that includes a means of communication immune to interception and surveillance. There are also very real 4th Amendment issues at play here.

We do need to evaluate the security of our government networks. If you were paying attention, you’d remember the attacks on Estonia in 2007. Such threats are growing in number and severity on a regular basis, and I’d hate to see large parts of our infrastructure thrown into disarray by someone calling himself D0p3h4T666.

But there are ways to do this right. The bill isn’t all hogwash and Orwell, and it can be molded into something useful. Trim out some of the extraneous budget and make sure these provisions are strictly limited to a narrowly-defined class of purely governmental networks, and we could have a useful bill.