When Senate Majority Leader Harry Reid introduced a cybersecurity bill designed, essentially, to implement the White House's framework for protecting the nation's critical infrastructure, John McCain was quick to throw himself in front of the train, saying the bill would "stymie job creation" by imposing new costs on private industry. He told a meeting of the Homeland Security Committee:
If the legislation before us today were enacted into law, unelected bureaucrats at the DHS could promulgate prescriptive regulations on American businesses, which own roughly 90% of critical cyber infrastructure.
Meanwhile, the private sector enterprises potentially affected by the bill long ago set up a chorus of lamentation -- via the US Chamber of Commerce -- about burdensome regulations. Unsurprisingly, the companies which own key parts of the critical infrastructure would prefer incentives to new rules.
Yesterday, we were able to see what McCain's alternative looks like. The "Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act" resolves into a neat acronym -- SECURE IT -- but otherwise is little more than an attempt to preserve the profoundly insecure status quo.
Introduced by McCain and seven fellow Senators, the bill seeks to improve cybersecurity without regulating existing systems. It's an application, in other words, of the principle that "more government is seldom a solution to any problem," as co-sponsor Saxby Chambliss put it.
Maybe the McCain proposal represents an alternative, perhaps even a streamlined, route to the same goals? Let's take a look. The Cybersecurity Act of 2012 -- Harry Reid's preferred measure, which enjoys bipartisan support -- would make the Department of Homeland Security responsible for designating the elements of the infrastructure which need to meet a defined set of security standards.
The private sector would determine how best to meet the standards, but compliance would be verified, either by a third party or through self-certification. Hardly draconian.
The SECURE IT Act takes the DHS out of the picture completely, and doesn't replace it with any other regulatory body. Rather, it emphasizes "partnership" and voluntary information sharing between the private sector and government. It does require federal contractors providing cybersecurity services to government to report threats to such services, conferring legal protections in return.
It does increase penalties for some cybercrimes, but proudly imposes no new regulations on industry.
There really are people who are prepared to say that cybersecurity can be left in private hands. Tom Ridge, former head of the DHS, is one of them. He told the Homeland Security Committee:
The private sector routinely thwarts cyber attacks against its networks because it is fast and nimble in its response and recovery efforts. A new regulatory regime would box in our critical infrastructures, hampering the freedom, agility, and innovation needed to deflect or defeat adversaries who are often quite amply resourced.
It's not that Ridge is crazy. It's just that he's now employed by the US Chamber of Commerce.
Of course the private sector thwarts cyberattacks. Doubtless it thwarts them every day and every hour. But it's equally evident that cybercrime is often spectacularly successful. Bringing down the Sony PlayStation network for weeks on end is one thing. Crashing the power grid for half that time would be a disaster. The NSA believes hackers could do it.
This might push a few buttons, but if there's genuine concern about government intruding on private enterprise, then you know what? Nationalise those parts of the grid which are really critical. I mean, we don't have private armed forces, and the grid seems to me to be just as critical to national security.
I'm sufficiently persuaded that something needs to be done. After all, that the NSA found it necessary to say it was concerned about Anonymous attacking the grid is quite worrying. But it doesn't follow, of course, that just anything needs to be done.
But I don't think it's draconian to hold the authentically key parts of the grid to security standards which can be set and reviewed at federal level.
Yes, don't get me wrong; I've little doubt that your observation is correct, Kim. It's just a matter of which bill -- if either -- should be passed.
FWIW, because no company *wants* to be hacked or have its systems or data compromised, and because IT professionals probably understand these issues better than many legislators (as the SOPA hearings showed us), I'm not convinced that a bill like McCain's that imposes less direct regulation but nonetheless facilitates business working together is necessarily bad.
At the same time, utilities and similar entities must be secure.
Perhaps, one might hope, an effective yet not overly intrusive compromise will be reached.
Joe, I admit I didn't wade through the bills for this piece, but relied on reporting. I can see that there might be some concerns about the first bill, but McCain's alternative strikes me as an entirely lobby-driven attempt to run the first bill into the ground. Annoyingly cynical.
I took a peek at the actual bill (just a peek; it's a long one, it is); to be fair, it seems that it nonetheless may be a bit overly broad (particularly in terms of what may be designated as "critical infrastructure").
I am also concerned about this bill being implemented in conjunction with a national Internet ID card and the potential for abuse; indeed, the bill provides that the DHS will collaborate with NIST and the Department of Commerce -- agencies that have oversight over NSTIC (the Internet security card program).
In any case, I only read some of the bill, and have not read McCain's competing SECURE IT at all, so I might not really know what I'm talking about here.
Ironic that the US Chamber of Commerce is involved in trying to squelch the security bill in light of the fact they were hacked not long ago by perhaps China.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.