U.S. Senators introduce far-reaching legislation to protect against cyber attack

June 4, 2010 - By Justin E. Gehrke

According to a Wired report published yesterday, U.S. Senators Joe Lieberman and Susan Collins have co-sponsored a bill that would empower Department of Homeland Security to assume control over the United States’ “critical infrastructure” in the event of an “imminent cyber threat.”

Over the last decade, U.S. dependence upon its cyber-infrastructure has continued to increase. Critical services and operations are increasingly structured around government networks, which are often interconnected via the magic of Al Gore’s internet. This means that any internet outage, local or nationwide in scope, has the potential to decrease the ability of the government to operate. The question is, though, just how much control Homeland Security officials would wield and when and how they would be authorized to use it.

The intent of the bill is to ensure the U.S. government has the ability to maintain the internet alive and useable. One of the possibilities mentioned includes the establishment of internet-based surveillance to assist the business sector. The proposed bill actually takes this idea a step further and would allow President Obama, or whomever succeeds him, to essentially declare a state of cyber emergency. At that time, the National Center for Cybersecurity and Communications, an arm of Homeland Security, would implement emergency measures aimed at preserving critical operations and the communications on which they rely.

One of the issues that arises is just how much control government can exercise over corporate networks. While it is feasible to mandate the development and implementation guidance for government agencies, forcing companies to do the same is a far more difficult task. Adding mandatory, precautionary controls and response measures would require many companies to expand their current IT staff and ensure it includes employees who are specially trained to deal with computer and network security issues.

The definition of what exactly constitutes an emergency would also have to be clearly identified. According to the Wired report, a presidential declaration would require “…knowledge both of a massive network flaw – and information that someone was about to leverage that hole to do massive harm.” This can be compared to law enforcement rules, such as opportunity, means, and intent, all of which have to be present for a crime to occur.

An important point to consider is that the proposed bill contains nothing more, in the way of preventive and reactionary measures, than those that both business and home users should be doing already. These are all part of the programs that computer and network security professionals should develop, update, and test, prior to an emergency occurring. They may have technical names like Continuity of Operations Plans (COOP), Disaster Recover Plans (DRP), and Incident Handling Plans, but they include basic preventive measures like installing and updating antivirus, intrusion prevention, and firewall software and appliances, as well as ensuring installed operating system and software security patches are installed, as soon as they are released by the vendor.

The Lieberman/Collins legislation certainly isn’t the first of its kind. Previously introduced bills have failed to pass, based on the complexity of identifying just how far the government’s reach can extend, when it comes to control of an internet that doesn’t have one single, irrefutable owner. It is certain, though, that some type of contingency plan that will be accepted and, more importantly, embraced by the private sector must be developed. Otherwise, the drama that played out in 2007’s Live Free or Die Hard may become more real than anyone would really like to see.

Source: Lieberman Bill Gives Feds ‘Emergency’ Powers to Secure Civilian Nets